Details ================ Software: File Gallery Version: 1.7.7,1.7.9 Homepage: http://wordpress.org/plugins/file-gallery/ Advisory ID: dxw-1970-638 CVE: CVE-2014-2558 CVSS: 8 (High; AV:N/AC:L/Au:S/C:C/I:P/A:P)
Description ================ Arbitrary code execution by admins in File Gallery 1.7.7 Vulnerability ================ An admin user can execute arbitrary code due to using create_function(). The plugin’s authors made it tricky by using single-quotes instead of double quotes, and they replaced all single quotes with a backslash followed by single quotes. Unfortunately, escaping strings is not quite that easy. Using backslash-quote we are able to escape the backslash leaving us a quote. Proof of concept ================ Visit the settings page (integrated into the media settings at /wp-admin/options-media.php) Type the following into any of the plugin’s settings fields, for instance “How many page links should be shown in pagination?”: \',phpinfo(),# WordPress keeps eating the backslash so I’ll spell it out: backslash, apostrophe, comma, “phpinfo”, open paren, close paren, comma, hash Click Save Changes Part way down the page you should see the PHP logo Mitigations ================ Upgrade to version 1.7.9.2. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on secur...@dxw.com to acknowledge this report if you received it via a third party (for example, plug...@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2013-10-08: Discovered 2014-03-17: Reported to plug...@wordpress.org 2014-04-24: Updated version available <<<<<<< HEAD Discovered by dxw: ================ Tom Adams ======= Discovered by dxw: ================ Tom Adams >>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464 Please visit security.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
