Arbitrary File Upload in '1 Flash Gallery' Wordpress Plugin
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Arbitrary File Upload in '1 Flash Gallery' Wordpress Plugin
- From: supernothing@xxxxxxxxxxxxxxxxxxxx
- Date: Wed, 7 Sep 2011 01:19:07 GMT
====Vulnerability====
The '1 Flash Gallery' WordPress plugin
(http://wordpress.org/extend/plugins/1-flash-gallery/) is vulnerable to an
arbitrary file upload vulnerability. This vulnerability is present from version
1.30 until version 1.5.7. The plugin has been downloaded an estimated 460,000
times, and as of yesterday was ranked by WordPress as the 17th most popular
plugin. A patch was released today, so anyone who has this plugin installed
should update immediately.
This vulnerability allows an attacker to plant a remote PHP file and thereby
execute arbitrary code on the remote host by simply submitting the file via
POST request to the following URI on a vulnerable installation:
/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
This works because the upload.php script a.) performs no authentication checks,
b.) trusts a user-supplied request variable to provide allowed filetypes, and
c.) does not actually validate that the file is a well-formed image file. I
have only tested the vulnerability on an installation that does not perform
watermarking, the default setting; it may or may not work on installations that
do otherwise.
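For administrators who want to check their web server logs for attempts against the endpoint described above, here is an added detection example (not part of the original post): it parses combined-format access log lines, picks out requests to the plugin's upload.php with action=uploadify, and flags any whose fileext parameter is not an image extension. The log lines, the IP addresses and the image-extension allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Sep/2011:01:19:07 +0000] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Sep/2011:01:20:11 +0000] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Sep/2011:01:21:30 +0000] "GET /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=PhP HTTP/1.1" 200 20 "-" "curl/7.21"
192.0.2.4 - - [07/Sep/2011:01:22:00 +0000] "GET /wp-content/uploads/fgallery/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/wp-content/plugins/1-flash-gallery/upload.php"
# Assumed allowlist of extensions a gallery upload legitimately carries.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def classify(line):
    """Return a finding dict for requests to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != UPLOAD_PATH:
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "uploadify":
        return None
    # The plugin trusted this client-supplied value; compare it case-insensitively.
    ext = qs.get("fileext", [""])[0].lower()
    severity = "high" if ext not in IMAGE_EXTS else "info"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "fileext": ext, "status": int(m.group("status")), "severity": severity}


def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "high" hit with status 200 on an unpatched install warrants checking the gallery upload directory for files that are not images.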
I have created a proof-of-concept Metasploit module demonstrating the
vulnerability, which interested persons can download here:
http://spareclockcycles.org/downloads/code/fgallery_file_upload.rb
Hosts can be found with the following Google search:
inurl:"wp-content/plugins/1-flash-gallery"
====Disclosure====
I reported the vulnerability to both WordPress and the plugin developers
yesterday, Sep 5 2011. Both responded quickly to the issue. WordPress
temporarily took down the plugin until the patch was released, which the
developers did later in the day. I'd like to thank WordPress for their fast
and professional response.
I am now releasing details of the vulnerability publicly to ensure that users
are aware of the issue, and encourage them to update their plugins accordingly.
The 1 Flash Gallery developers did not stress the severe implications of this
vulnerability in their changelog (or mention that it was a security issue at
all), so this post is partly to ensure that the implications are made clear.
Personally, I would uninstall the plugin, given its history of serious security
issues and the developers' lack of candor about those reported to them.
As always, questions/comments welcome.