qbert
Posted September 8, 2011

The 1 Flash Gallery WordPress plugin is vulnerable to an arbitrary file upload vulnerability. This vulnerability is present from version 1.30 until version 1.5.7.

It is possible to plant a remote shell and thereby execute arbitrary code on the remote host by simply submitting a PHP file via POST request to the following URI on a vulnerable installation:

/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php

This works because the upload.php script a.) performs no authentication checks, b.) trusts a user-supplied request variable to provide allowed filetypes, and c.) does not actually validate that the file is a well-formed image file. I have only tested the vulnerability on an installation that does not perform watermarking, the default setting; it may or may not work on installations that do otherwise.

I have created a proof-of-concept Metasploit module demonstrating the vulnerability, which interested persons can download here: http://spareclockcycles.org/downloads/code/fgallery_file_upload.rb

Hosts can be found with the following Google search: inurl:"wp-content/plugins/1-flash-gallery"

Source: 1 Flash Gallery: Arbitrary File Upload « Spare Clock Cycles
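The post lists three defects in the plugin's upload.php: no authentication, an allowed-extension list taken from the request, and no check that the uploaded bytes are really an image. The handler below is an added example written for this thread, not the plugin's code and not the advisory author's; it shows how a WordPress upload endpoint closes all three. It assumes it runs inside WordPress (so `is_user_logged_in`, `current_user_can`, `wp_verify_nonce`, `wp_upload_dir` and `trailingslashit` exist); the function name `fg_secure_upload` and the nonce action `fg_upload` are hypothetical.

```php
<?php
// Added example, not 1 Flash Gallery's own upload.php. Assumes a WordPress runtime.
// Returns ['ok' => true, 'path' => ...] on success, or ['ok' => false, 'error' => ...].
function fg_secure_upload(array $file, string $nonce): array
{
    // (a) Authenticate and authorise the caller, and bind the request to a nonce
    //     so a logged-in user cannot be made to upload via CSRF.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        return ['ok' => false, 'error' => 'not authorised'];
    }
    if (!wp_verify_nonce($nonce, 'fg_upload')) {          // 'fg_upload' is a hypothetical action name
        return ['ok' => false, 'error' => 'invalid nonce'];
    }

    // Basic sanity on the PHP upload record; is_uploaded_file() rejects paths
    // that did not come through the HTTP upload mechanism.
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'upload failed'];
    }

    // (b) The allow-list is fixed server-side. Nothing from $_GET/$_POST
    //     (such as a "fileext" parameter) is consulted.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'error' => 'extension not allowed'];
    }

    // (c) Validate the content, not just the name: the magic bytes must match
    //     the claimed type, and the image header must parse.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return ['ok' => false, 'error' => 'content does not match extension'];
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return ['ok' => false, 'error' => 'not a well-formed image'];
    }

    // Store under a server-generated name with the allow-listed extension, inside
    // the WordPress upload directory. The client's filename never reaches the disk.
    $upload = wp_upload_dir();
    $dest   = trailingslashit($upload['path']) . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'error' => 'could not store file'];
    }
    chmod($dest, 0644);                                   // never executable
    return ['ok' => true, 'path' => $dest];
}

// Typical wiring (hypothetical hook name), e.g. from an admin-ajax action:
// $result = fg_secure_upload($_FILES['Filedata'] ?? [], $_POST['_wpnonce'] ?? '');
```

Two caveats worth keeping in mind: `getimagesize()` only checks the header, so a valid image with trailing data still passes, which is why the fixed extension allow-list and the non-executable storage location carry the real weight; and as a compensating control the web server should be configured not to execute PHP from the uploads directory at all, so that even a future bypass of the content checks yields an inert file. Re-encoding the image through GD (for example `imagecreatefromjpeg()` followed by `imagejpeg()`) before storing it strips any appended payload, at the cost of a lossy round-trip.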