| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Jan 2013 10:41:39 +0100 From: Paolo Perego <thesp0nge@...il.com> To: Henri Salo <henri@...v.fi> Cc: Beni_vanda@...oo.com, bugtraq@...urityfocus.com Subject: Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability Beni, looking at the source code, filename_1 is referenced only in gllr_plugin_install and its value is hardcoded and not taken from the request. Are you sure it's filename_1 the parameter affected? Paolo On 11 January 2013 10:06, Henri Salo <henri@...v.fi> wrote: > On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda@...oo.com wrote: >> a bug in Wordpress gallery-3.8.3 plugin that allows to us to occur a >> Arbitrary File Read on a Local machin >> >> >> >> ################################################################################​############## >> # >> # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability >> # >> # Author : IrIsT.Ir >> # >> # Discovered By : Beni_Vanda >> # >> # Home : http://IrIsT.Ir/forum/ >> # >> # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/ >> # >> # Security Risk : High >> # >> # Version : All Version >> # >> # Tested on : GNU/Linux Ubuntu - Windows Server - win7 >> # >> # Dork : inurl:plugins/nextgen-gallery >> # >> ################################################################################​############## >> # >> # Expl0iTs : >> # >> # [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR] >> # >> # >> ################################################################################​############## >> # >> # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi - F@rid - dr.tofan >> # >> # and All Members In Www.IrIsT.Ir/forum >> # >> ################################################################################​############## > > Seems to be false positive. At least I can't make that PoC URL work. This goes to Apache's error.log after trying to reproduce with the newest version of this plugin: > > mod_fcgid: stderr: PHP Fatal error: Call to undefined function register_activation_hook() in <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334 > > Does the plugin need some kind of configuration before this vulnerability "activates"? Does "arbitrary file read vulnerability" mean it is not the same as remote file inclusion? > > - Henri Salo -- $ cd /pub $ more beer The blog that fills the gap between appsec and developers: http://armoredcode.com
Powered by blists - more mailing lists