Bugtraq mailing list archives
Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
From: Paolo Perego <thesp0nge () gmail com>
Date: Wed, 16 Jan 2013 10:41:39 +0100
Beni, looking at the source code, filename_1 is referenced only in gllr_plugin_install and its value is hardcoded and not taken from the request. Are you sure it's filename_1 the parameter affected? Paolo On 11 January 2013 10:06, Henri Salo <henri () nerv fi> wrote:
On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda () yahoo com wrote:a bug in Wordpress gallery-3.8.3 plugin that allows to us to occur a Arbitrary File Read on a Local machin ################################################################################​############## # # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability # # Author : IrIsT.Ir # # Discovered By : Beni_Vanda # # Home : http://IrIsT.Ir/forum/ # # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/ # # Security Risk : High # # Version : All Version # # Tested on : GNU/Linux Ubuntu - Windows Server - win7 # # Dork : inurl:plugins/nextgen-gallery # ################################################################################​############## # # Expl0iTs : # # [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR] # # ################################################################################​############## # # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi - F@rid - dr.tofan # # and All Members In Www.IrIsT.Ir/forum # ################################################################################​##############Seems to be false positive. At least I can't make that PoC URL work. This goes to Apache's error.log after trying to reproduce with the newest version of this plugin: mod_fcgid: stderr: PHP Fatal error: Call to undefined function register_activation_hook() in <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334 Does the plugin need some kind of configuration before this vulnerability "activates"? Does "arbitrary file read vulnerability" mean it is not the same as remote file inclusion? - Henri Salo
-- $ cd /pub $ more beer The blog that fills the gap between appsec and developers: http://armoredcode.com
Current thread:
- Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Beni_vanda (Jan 10)
- Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Henri Salo (Jan 11)
- Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Paolo Perego (Jan 16)
- Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Henri Salo (Jan 11)