lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Apr 2014 08:13:38 -0400 From: Illwill <illwill@...mob.org> To: fulldisclosure@...lists.org Subject: Re: [FD] Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) What circumstance would a WordPress admin not usually have this kind of access anyhow? Why the delay in discovery til reporting? On April 29, 2014 6:32:01 AM EDT, dxw Security <security@....com> wrote: >Details >================ >Software: File Gallery >Version: 1.7.7,1.7.9 >Homepage: http://wordpress.org/plugins/file-gallery/ >Advisory ID: dxw-1970-638 >CVE: CVE-2014-2558 >CVSS: 8 (High; AV:N/AC:L/Au:S/C:C/I:P/A:P) > >Description >================ >Arbitrary code execution by admins in File Gallery 1.7.7 > >Vulnerability >================ >An admin user can execute arbitrary code due to using >create_function(). The plugin’s authors made it tricky by using >single-quotes instead of double quotes, and they replaced all single >quotes with a backslash followed by single quotes. Unfortunately, >escaping strings is not quite that easy. Using backslash-quote we are >able to escape the backslash leaving us a quote. > >Proof of concept >================ > >Visit the settings page (integrated into the media settings >at /wp-admin/options-media.php) >Type the following into any of the plugin’s settings fields, for >instance “How many page links should be shown in pagination?”: > >\',phpinfo(),# >WordPress keeps eating the backslash so I’ll spell it out: backslash, >apostrophe, comma, “phpinfo”, open paren, close paren, comma, hash > > >Click Save Changes >Part way down the page you should see the PHP logo > > >Mitigations >================ >Upgrade to version 1.7.9.2. > >Disclosure policy >================ >dxw believes in responsible disclosure. Your attention is drawn to our >disclosure policy: https://security.dxw.com/disclosure/ > >Please contact us on security@....com to acknowledge this report if you >received it via a third party (for example, plugins@...dpress.org) as >they generally cannot communicate with us on your behalf. > >This vulnerability will be published if we do not receive a response to >this report with 14 days. > >Timeline >================ > >2013-10-08: Discovered >2014-03-17: Reported to plugins@...dpress.org >2014-04-24: Updated version available > ><<<<<<< HEAD > >Discovered by dxw: >================ >Tom Adams >======= > >Discovered by dxw: >================ >Tom Adams >>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464 >Please visit security.dxw.com for more information. > > > >_______________________________________________ >Sent through the Full Disclosure mailing list >http://nmap.org/mailman/listinfo/fulldisclosure >Web Archives & RSS: http://seclists.org/fulldisclosure/ -- Sent from my Android device with K-9 Mail. Please excuse my brevity. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists