[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability

To: Henri Salo <henri@xxxxxxx>
Subject: Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
From: Paolo Perego <thesp0nge@xxxxxxxxx>
Date: Wed, 16 Jan 2013 10:41:39 +0100

Beni, looking at the source code, filename_1 is referenced only in
gllr_plugin_install and its value is hardcoded and not taken from the
request.

Are you sure it's filename_1 the parameter affected?

Paolo

On 11 January 2013 10:06, Henri Salo <henri@xxxxxxx> wrote:
> On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda@xxxxxxxxx wrote:
>> a bug in Wordpress gallery-3.8.3 plugin  that allows to us to occur a
>> Arbitrary File Read on a Local machin
>>
>>
>>
>> ################################################################################&#8203;##############
>> #
>> # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read 
>> Vulnerability
>> #
>> # Author        : IrIsT.Ir
>> #
>> # Discovered By : Beni_Vanda
>> #
>> # Home          : http://IrIsT.Ir/forum/
>> #
>> # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/
>> #
>> # Security Risk : High
>> #
>> # Version       : All Version
>> #
>> # Tested on     : GNU/Linux Ubuntu - Windows Server - win7
>> #
>> # Dork          : inurl:plugins/nextgen-gallery
>> #
>> ################################################################################&#8203;##############
>> #
>> #  Expl0iTs :
>> #
>> #  
>> [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
>> #
>> #
>> ################################################################################&#8203;##############
>> #
>> # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi 
>> - F@rid - dr.tofan
>> #
>> # and All Members In Www.IrIsT.Ir/forum
>> #
>> ################################################################################&#8203;##############
>
> Seems to be false positive. At least I can't make that PoC URL work. This 
> goes to Apache's error.log after trying to reproduce with the newest version 
> of this plugin:
>
> mod_fcgid: stderr: PHP Fatal error:  Call to undefined function 
> register_activation_hook() in 
> <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334
>
> Does the plugin need some kind of configuration before this vulnerability 
> "activates"? Does "arbitrary file read vulnerability" mean it is not the same 
> as remote file inclusion?
>
> - Henri Salo



-- 
$ cd /pub
$ more beer

The blog that fills the gap between appsec and developers:
http://armoredcode.com

References:
- Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
  - From: Beni_vanda
- Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
  - From: Henri Salo

Prev by Date: [slackware-security] freetype (SSA:2013-015-01)
Next by Date: Re: [CVE-ID REQUEST] Atlassian Confluence - Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
Previous by thread: Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
Next by thread: Detailed examples of two vulnerabilities in whitelisting software: SE46 (Cryptzone) and Application Control (McAfee)
Index(es):
- Date
- Thread