Full Disclosure mailing list archives
Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin)
From: Illwill <illwill () illmob org>
Date: Tue, 29 Apr 2014 08:13:38 -0400
What circumstance would a WordPress admin not usually have this kind of access anyhow? Why the delay in discovery til reporting? On April 29, 2014 6:32:01 AM EDT, dxw Security <security () dxw com> wrote:
Details ================ Software: File Gallery Version: 1.7.7,1.7.9 Homepage: http://wordpress.org/plugins/file-gallery/ Advisory ID: dxw-1970-638 CVE: CVE-2014-2558 CVSS: 8 (High; AV:N/AC:L/Au:S/C:C/I:P/A:P) Description ================ Arbitrary code execution by admins in File Gallery 1.7.7 Vulnerability ================ An admin user can execute arbitrary code due to using create_function(). The plugin’s authors made it tricky by using single-quotes instead of double quotes, and they replaced all single quotes with a backslash followed by single quotes. Unfortunately, escaping strings is not quite that easy. Using backslash-quote we are able to escape the backslash leaving us a quote. Proof of concept ================ Visit the settings page (integrated into the media settings at /wp-admin/options-media.php) Type the following into any of the plugin’s settings fields, for instance “How many page links should be shown in pagination?”: \',phpinfo(),# WordPress keeps eating the backslash so I’ll spell it out: backslash, apostrophe, comma, “phpinfo”, open paren, close paren, comma, hash Click Save Changes Part way down the page you should see the PHP logo Mitigations ================ Upgrade to version 1.7.9.2. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, plugins () wordpress org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2013-10-08: Discovered 2014-03-17: Reported to plugins () wordpress org 2014-04-24: Updated version available <<<<<<< HEAD Discovered by dxw: ================ Tom Adams ======= Discovered by dxw: ================ Tom Adams65c687d5cb3c4aa66c28a30a4f2aaf33169dc464Please visit security.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
-- Sent from my Android device with K-9 Mail. Please excuse my brevity. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) dxw Security (Apr 29)
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Illwill (Apr 29)
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Dave Warren (Apr 29)
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Harry Metcalfe (Apr 30)
- Message not available
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Harry Metcalfe (Apr 30)
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Dave Warren (Apr 29)
- Re: Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin) Illwill (Apr 29)