BugTraq
Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Jan 10 2013 01:01PM
Beni_vanda yahoo com (1 replies)
Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Jan 11 2013 09:06AM
Henri Salo (henri nerv fi) (1 replies)
Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Jan 16 2013 09:41AM
Paolo Perego (thesp0nge gmail com)
Beni, looking at the source code, filename_1 is referenced only in
gllr_plugin_install and its value is hardcoded and not taken from the
request.

Are you sure it's filename_1 the parameter affected?

Paolo

On 11 January 2013 10:06, Henri Salo <henri (at) nerv (dot) fi> wrote:
> On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda (at) yahoo (dot) com wrote:
>> a bug in Wordpress gallery-3.8.3 plugin that allows us to cause an
>> Arbitrary File Read on a local machine
>>
>>
>>
>> ##############################################################################################
>> #
>> # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
>> #
>> # Author : IrIsT.Ir
>> #
>> # Discovered By : Beni_Vanda
>> #
>> # Home : http://IrIsT.Ir/forum/
>> #
>> # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/
>> #
>> # Security Risk : High
>> #
>> # Version : All Version
>> #
>> # Tested on : GNU/Linux Ubuntu - Windows Server - win7
>> #
>> # Dork : inurl:plugins/nextgen-gallery
>> #
>> ##############################################################################################
>> #
>> # Expl0iTs :
>> #
>> # [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
>> #
>> #
>> ##############################################################################################
>> #
>> # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi - F@rid - dr.tofan
>> #
>> # and All Members In Www.IrIsT.Ir/forum
>> #
>> ##############################################################################################
>
> Seems to be false positive. At least I can't make that PoC URL work. This goes to Apache's error.log after trying to reproduce with the newest version of this plugin:
>
> mod_fcgid: stderr: PHP Fatal error: Call to undefined function register_activation_hook() in <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334
>
> Does the plugin need some kind of configuration before this vulnerability "activates"? Does "arbitrary file read vulnerability" mean it is not the same as remote file inclusion?
>
> - Henri Salo

--
$ cd /pub
$ more beer

The blog that fills the gap between appsec and developers:
http://armoredcode.com
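
Paolo's check (is `filename_1` ever read from the request, or only set inside `gllr_plugin_install`?) can be done mechanically when triaging a report like this one. The following is an added example, not part of the thread and not the plugin's code: a first-pass Python scan over PHP source, where both PHP samples and the function name `example_download` are constructed for illustration.

```python
import re

QUOTE = r"""['"]"""
FUNC_DEF = re.compile(r"\bfunction\s+&?\s*(\w+)\s*\(")


def request_read_re(name):
    """Regex for $_GET['name'] style reads and filter_input(INPUT_*, 'name')."""
    n = QUOTE + re.escape(name) + QUOTE
    return re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*" + n + r"\s*\]"
        r"|filter_input\s*\(\s*INPUT_\w+\s*,\s*" + n
    )


def trace_param(php_source, name):
    """Return (line_no, enclosing_function, kind) for every line mentioning name.

    kind is "request" when the line reads the parameter from the HTTP request,
    otherwise "local". Line-based heuristic: no taint tracking, and the
    enclosing function is simply the last `function` declaration seen.
    """
    read_re = request_read_re(name)
    mention_re = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(name) + r"(?![A-Za-z0-9_])")
    hits, current = [], "<file scope>"
    for no, line in enumerate(php_source.splitlines(), 1):
        decl = FUNC_DEF.search(line)
        if decl:
            current = decl.group(1)
        if mention_re.search(line):
            hits.append((no, current, "request" if read_re.search(line) else "local"))
    return hits


def is_request_controlled(php_source, name):
    """True if any line reads `name` directly from request input."""
    return any(kind == "request" for _, _, kind in trace_param(php_source, name))


# Constructed PHP: the situation Paolo describes (value set in code, never from the request).
HARDCODED = '''<?php
function gllr_plugin_install() {
    $filename_1 = dirname( __FILE__ ) . "/example-template.php";
    copy( $filename_1, get_stylesheet_directory() . "/example-template.php" );
}
'''
# Constructed PHP: what a real request-controlled read would look like to this scan.
TAINTED = """<?php
function example_download() {
    $filename_1 = $_GET['filename_1'];
    readfile( $filename_1 );
}
"""
```

A "local" result for every hit supports the false-positive reading; any "request" hit marks a line that needs manual review.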
