WordPress Product Bug Report
Bug Name: Malicious File Upload
Software: NextGen Gallery
Version: 2.1.10
Last Updated: 01-09-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Video POC URL: https://youtu.be/hMMG42HsgUA
Compatible up to WordPress 4.3.0 (Requires: 3.6.1 or higher)
Severity: High
Description: Malicious File upload vulnerability in WordPress plugin NextGen Gallery
Details
Proof of Concept (POC)
On a site with this plugin installed, open http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product. The upload request issued from this page is vulnerable in its file and name variables: the extension in the name variable is changed from JPG to PHP, and the image content in the file variable is partially replaced with a PHP shell. The server stores the result as a PHP file, which is executed when fetched from its publicly reachable URL, here http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308
Issue 1:
The file and name variables of the POST request sent from http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product are vulnerable to malicious file upload. The extension in the name variable is changed from JPG to PHP and a PHP shell is added to the file variable; the stored file is then executed on the server when accessed through the publicly reachable URL http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308
Figure 1: Normal request to the server
Figure 2: File variable modified from JPG to PHP
Figure 3: Shell content mixed into the content of the uploaded file so that it executes
Figure 4: The file has been uploaded to the server as an image
Figure 5: The file has actually been stored in PHP format and can be executed without logging in
Figure 6: Shell executed, returning system information of the hosting server
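The root cause described above is an upload handler that trusts the client-supplied name and never checks that the bytes are really an image. The following is an added example of the two defensive checks that block this class of bug, written here for illustration; it is not NextGen Gallery's code, and the function names validate_upload and scan_directory, the generic upload-handler interface (client filename plus raw bytes) and the gallery/xss directory used in the demo are assumptions for the example. validate_upload enforces an extension allowlist, verifies the magic bytes match the claimed type and rejects image bodies carrying a PHP open tag; scan_directory applies the same logic to files already on disk so an operator can find stray .php files or image/PHP polyglots left behind by an earlier upload bug.

```python
"""Defensive checks for an image-upload endpoint (added example; not
NextGen Gallery's own code). Assumes a generic upload handler that hands
us the client-supplied filename and the raw upload bytes.

validate_upload()  - what the handler should enforce before writing anything
                     under wp-content: extension allowlist, magic-byte check
                     that the bytes really are that image type, and a scan for
                     PHP open tags hidden in the image body.
scan_directory()   - the same checks over files already on disk, so an
                     operator can find stray .php files or image/PHP polyglots
                     that an earlier upload bug may have left in a gallery dir.
"""
import os
import re
from pathlib import Path
from typing import List, Tuple

# Image types the gallery accepts, with the magic bytes each must start with.
ALLOWED_IMAGES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# Extensions a typical Apache/PHP setup executes; never allow these in an
# upload directory, not even as an inner extension (shell.php.jpg).
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
# "<?php" or the short echo tag "<?=" anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(client_name: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload with the given client filename."""
    base = os.path.basename(client_name)          # drop any path the client sent
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes:
        return False, "no extension"
    if any(s in EXECUTABLE_EXTS for s in suffixes):
        return False, "executable extension"
    ext = suffixes[-1]
    if ext not in ALLOWED_IMAGES:
        return False, f"extension {ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP tag embedded in image data"
    return True, "ok"


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk an upload directory and return (path, reason) for suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if Path(fname).suffix.lower() in EXECUTABLE_EXTS:
                findings.append((path, "executable extension in upload directory"))
            elif PHP_OPEN_TAG.search(data):
                findings.append((path, "PHP tag embedded in non-PHP file"))
    return findings


JPEG_HEADER = b"\xff\xd8\xff\xe0"   # constructed minimal JPEG SOI + APP0 marker


def demo() -> List[str]:
    """Build a constructed gallery tree in a temp dir, scan it and return the
    finding reasons in sorted order. All three sample files are constructed."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        gallery = os.path.join(root, "gallery", "xss")   # path shape from the report
        os.makedirs(gallery)
        samples = {
            "good.jpg": JPEG_HEADER + b"\x00" * 16,                              # clean image
            "T.php":    JPEG_HEADER + b"<?php echo 'sample'; ?>",                # renamed upload
            "poly.jpg": JPEG_HEADER + b"\x00" * 8 + b"<?php echo 'sample'; ?>",  # polyglot
        }
        for fname, data in samples.items():
            with open(os.path.join(gallery, fname), "wb") as fh:
                fh.write(data)
        return sorted(reason for _, reason in scan_directory(root))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Running the module scans a constructed gallery tree and reports the renamed .php upload and the image/PHP polyglot while leaving the clean image alone. Validation at the application layer should be paired with a web-server rule that refuses to execute scripts under the upload directory, so that a file which slips past the handler is served as static content rather than run.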
Reproducing Steps
Timeline
2015-09-04 – Discovered in NextGen Gallery 2.1.10 version.
2015-09-04 – Reported to plugins@wordpress.org
2015-09-04 – Vendor responded the same day.
2015-09-09 – Fixed in NextGen Gallery 2.1.15 version.
2015-10-27 – CVE Requested
Discovered by:
Sathish from Cyber Security Works Pvt Ltd