
Malicious File Upload in NextGEN Gallery by Photocrati Version 2.1.10 #6

Closed
cybersecurityworks opened this issue Sep 14, 2015 · 1 comment

Comments

@cybersecurityworks

cybersecurityworks commented Sep 14, 2015

Details

WordPress Product Bugs Report
Bug Name: Malicious File Upload
Software: NextGen Gallery
Version: 2.1.10
Last Updated: 01-09-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Video POC URL: https://youtu.be/hMMG42HsgUA
Compatible up to WordPress 4.3.0 (Requires: 3.6.1 or higher)
Severity: High
Description: Malicious File Upload vulnerability in WordPress plugin NextGen Gallery

Proof of Concept (POC):

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product. It is vulnerable to file upload in the file and name variables: the name variable's extension is modified from JPG to PHP, and the file variable containing the image content/information is semi-modified with a PHP shell to be executed on the server, which can then be accessed via a publicly available URL. Here, it is http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308

Issue 1:

The POST request's file and name variables in the URL http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product are vulnerable to file upload, in which the name variable's extension is modified from JPG to PHP and the file variable has a PHP shell added to it to be executed on the server, which can be accessed with the help of the publicly available URL http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308

[Figure 1: Normal request to the server]

[Figure 2: File variable modified from JPG to PHP]

[Figure 3: Mixing the content of the uploaded file with shell content to get it executed]

[Figure 4: Showing that the file has been uploaded as an image to the server]

[Figure 5: Originally, the file has been stored in PHP format, which can be executed from outside the login]

[Figure 6: Shell executed, giving system information of the hosting server]


Reproduction Steps

  1. Log on to any WordPress application (localhost or public host).
  2. Move on to the NextGen Gallery plugin file upload option available on products.
  3. Upload a JPG file to the server through the file upload option.
  4. Modify the file variable's JPG extension to PHP. Also, edit the name variable body containing the JPG information/content and add shell content to it.

Timeline

2015-09-04 – Discovered in NextGen Gallery 2.1.10 version.
2015-09-04 – Reported to plugins@wordpress.org
2015-09-04 – Vendor responded in the same.
2015-09-09 – Fixed in NextGen Gallery 2.1.15 version.
2015-10-27 – CVE Requested


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
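A server-side upload validator of the kind that closes this class of bug, added here as an illustration (it is not the plugin's code or the reporter's): it refuses the renamed .php upload, a double extension hiding an executable suffix, content whose bytes do not match the claimed image type, and an otherwise valid JPEG with a PHP open tag appended. All file names and sample bytes below are constructed.

```python
import re
from typing import NamedTuple

# Leading bytes that a file of each allowed extension must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Suffixes a PHP web server hands to the interpreter; refused anywhere in the name.
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
# PHP open tags ("<?php", "<?=", short "<? "); refused even when the image
# signature is intact, since a script appended to a real JPEG keeps that signature.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

class Verdict(NamedTuple):
    accepted: bool
    reason: str

def check_upload(name: str, data: bytes) -> Verdict:
    """Decide whether (name, bytes) may be stored under a web-served gallery
    directory. All checks run server-side, so editing the multipart fields gains nothing."""
    segments = name.replace("\\", "/").rsplit("/", 1)[-1].lower().split(".")
    ext = segments[-1] if len(segments) > 1 else ""
    if ext not in IMAGE_SIGNATURES:
        return Verdict(False, f"extension {ext!r} is not an allowed image type")
    if any(seg in SERVER_EXECUTABLE for seg in segments[:-1]):
        return Verdict(False, "executable extension hidden in file name")
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return Verdict(False, f"content does not start with a {ext} signature")
    if PHP_OPEN_TAG.search(data):
        return Verdict(False, "PHP open tag found inside image content")
    return Verdict(True, "ok")

# Constructed samples (not from the report): a clean JPEG, the renamed upload the
# report describes, a double extension, a JPEG with PHP appended, a mislabelled GIF.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
SAMPLES = {
    "photo.jpg": JPEG_HEAD,
    "T.php": JPEG_HEAD + b"<?php phpinfo(); ?>",
    "T.php.jpg": JPEG_HEAD,
    "poly.jpg": JPEG_HEAD + b"<?php phpinfo(); ?>",
    "notjpeg.jpg": b"GIF89a" + b"\x00" * 16,
}

def run_samples() -> dict[str, Verdict]:
    """Apply check_upload to every sample; only photo.jpg should be accepted."""
    return {n: check_upload(n, d) for n, d in SAMPLES.items()}
```

The same checks belong in the plugin's upload handler before the file is written, and the gallery directory should additionally be served with PHP execution disabled so that a bypass cannot be executed.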

@scottwyden

This is outdated.
