lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130111090614.GD4896@kludge.henri.nerv.fi>
Date: Fri, 11 Jan 2013 11:06:14 +0200
From: Henri Salo <henri@...v.fi>
To: Beni_vanda@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read
 Vulnerability

On Thu, Jan 10, 2013 at 01:01:18PM +0000, Beni_vanda@...oo.com wrote:
> a bug in Wordpress gallery-3.8.3 plugin  that allows to us to occur a
> Arbitrary File Read on a Local machin
> 
> 
> 
> ################################################################################&#8203;##############
> #
> # Exploit Title : Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
> #
> # Author        : IrIsT.Ir
> #
> # Discovered By : Beni_Vanda    
> #
> # Home          : http://IrIsT.Ir/forum/
> #
> # Software Link : http://wordpress.org/extend/plugins/gallery-plugin/
> #
> # Security Risk : High
> #
> # Version       : All Version
> #
> # Tested on     : GNU/Linux Ubuntu - Windows Server - win7
> #
> # Dork          : inurl:plugins/nextgen-gallery
> #
> ################################################################################&#8203;##############
> #
> #  Expl0iTs :
> #
> #  [Target]/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
> #
> #
> ################################################################################&#8203;##############
> #
> # Greats : Amir - B3HZ4D - C0dex - TaK.FaNaR - Dead.Zone - nimaarek - m3hdi - F@rid - dr.tofan
> #
> # and All Members In Www.IrIsT.Ir/forum
> #
> ################################################################################&#8203;##############

Seems to be false positive. At least I can't make that PoC URL work. This goes to Apache's error.log after trying to reproduce with the newest version of this plugin:

mod_fcgid: stderr: PHP Fatal error:  Call to undefined function register_activation_hook() in <snip>/wp-content/plugins/gallery-plugin/gallery-plugin.php on line 1334

Does the plugin need some kind of configuration before this vulnerability "activates"? Does "arbitrary file read vulnerability" mean it is not the same as remote file inclusion?

- Henri Salo

Powered by blists - more mailing lists