Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability

Paolo Perego <thesp0nge@xxxxxxxxx> · Wed, 16 Jan 2013 10:41:39 +0100

Beni, looking at the source code, filename_1 is referenced only in
gllr_plugin_install and its value is hardcoded and not taken from the
request.

Are you sure it's filename_1 the parameter affected?

Paolo

On 11 January 2013 10:06, Henri Salo <henri@xxxxxxx> wrote:
> On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda@xxxxxxxxx wrote:
>> a bug in Wordpress gallery-3.8.3 plugin  that allows to us to occur a
>> Arbitrary File Read on a Local machin
>>
>>
>>
>> ################################################################################&#8203;##############
>> #
>> # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
>> #
>> # Author        : IrIsT.Ir
>> #
>> # Discovered By : Beni_Vanda
>> #
>> # Home          : http://IrIsT.Ir/forum/
>> #
>> # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/
>> #
>> # Security Risk : High
>> #
>> # Version       : All Version
>> #
>> # Tested on     : GNU/Linux Ubuntu - Windows Server - win7
>> #
>> # Dork          : inurl:plugins/nextgen-gallery
>> #
>> ################################################################################&#8203;##############
>> #
>> #  Expl0iTs :
>> #
>> #  [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
>> #
>> #
>> ################################################################################&#8203;##############
>> #
>> # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi - F@rid - dr.tofan
>> #
>> # and All Members In Www.IrIsT.Ir/forum
>> #
>> ################################################################################&#8203;##############
>
> Seems to be false positive. At least I can't make that PoC URL work. This goes to Apache's error.log after trying to reproduce with the newest version of this plugin:
>
> mod_fcgid: stderr: PHP Fatal error:  Call to undefined function register_activation_hook() in <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334
>
> Does the plugin need some kind of configuration before this vulnerability "activates"? Does "arbitrary file read vulnerability" mean it is not the same as remote file inclusion?
>
> - Henri Salo

-- 
$ cd /pub
$ more beer

The blog that fills the gap between appsec and developers:
http://armoredcode.com