1 Flash Gallery: Arbitrary File Upload
This is a short post documenting the vulnerability I inadvertently found yesterday in the 1 Flash Gallery plugin, which has since been patched. This plugin has been downloaded an estimated 460,000 times, and as of yesterday was ranked by WordPress as the 17th most popular plugin (although I'm not entirely sure how this judgement is made). A patch has been released, so anyone who has this plugin installed should update immediately. I'll probably do a follow-up in the near future on WordPress plugins in general, but for now, just the facts.
Vulnerability
The 1 Flash Gallery WordPress plugin is vulnerable to arbitrary file upload. The vulnerability is present from version 1.30 until version 1.5.7.
It is possible to upload a web shell, and thereby execute arbitrary code on the host, simply by submitting a PHP file in a POST request to the following URI on a vulnerable installation:
/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php
This works because the upload.php script (a) performs no authentication or capability check, so an unauthenticated visitor can reach it; (b) takes its list of permitted file extensions from the user-supplied fileext request parameter, so the attacker simply asks for php; and (c) never validates that the uploaded content is actually a well-formed image. I have only tested the vulnerability on an installation that does not perform watermarking, which is the default setting; it may or may not work on installations that do.
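To make the three flaws concrete, here is an added, illustrative pair of PHP handlers. This is not the plugin's source (I have not reproduced it here): the first block is a minimal reconstruction of the pattern described above, the second is a hardened version built on WordPress's own APIs. The field name Filedata (Uploadify's default), the hook name fgallery_upload, the nonce name and the upload sub-directory are my assumptions.

```php
<?php
/*
 * VULNERABLE PATTERN (illustrative reconstruction, not the plugin's source).
 * Reachable by anyone who can POST to the plugin directory:
 *   (a) no authentication or capability check,
 *   (b) the extension allow-list comes from the request (?fileext=php),
 *   (c) nothing checks that the bytes are really an image.
 * 'Filedata' is Uploadify's default field name and is an assumption here.
 */
$upload_dir = dirname( __FILE__ ) . '/upload';
if ( isset( $_GET['action'] ) && 'uploadify' === $_GET['action'] ) {
    $allowed = explode( ',', strtolower( $_GET['fileext'] ) );      // (b) caller picks the list
    $name    = basename( $_FILES['Filedata']['name'] );
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( in_array( $ext, $allowed, true ) ) {                         // (c) extension only
        move_uploaded_file( $_FILES['Filedata']['tmp_name'], $upload_dir . '/' . $name );
        echo '1';
    }
    exit;
}

/*
 * HARDENED VERSION (added example). Runs through admin-ajax.php instead of a
 * directly reachable script. Registering only the wp_ajax_ hook (and not
 * wp_ajax_nopriv_) means anonymous requests never reach the handler at all.
 */
add_action( 'wp_ajax_fgallery_upload', 'fgallery_handle_upload' );

function fgallery_handle_upload() {
    // (a) authorization + CSRF: caller must hold upload_files and present a valid nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'fgallery_upload', 'nonce' );

    if ( empty( $_FILES['Filedata'] ) || UPLOAD_ERR_OK !== $_FILES['Filedata']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['Filedata'];

    // (b) the allow-list is hard-coded on the server; nothing in the request can widen it.
    $image_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $image_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only JPEG, PNG and GIF images are accepted', '', array( 'response' => 415 ) );
    }

    // (c) content check: the bytes must actually parse as an image. WordPress already
    // calls getimagesize() for image types above; this explicit call keeps the intent
    // visible. It is not a full sanitiser, but it rejects a PHP file renamed to .jpg.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        wp_die( 'File is not a valid image', '', array( 'response' => 415 ) );
    }

    // Never reuse the client's filename: generate one and force the verified extension.
    $upload_dir = wp_upload_dir();
    $target_dir = trailingslashit( $upload_dir['basedir'] ) . 'fgallery';   // assumed sub-directory
    wp_mkdir_p( $target_dir );
    $target = $target_dir . '/' . wp_generate_password( 16, false ) . '.' . $check['ext'];

    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        wp_die( 'Could not store file', '', array( 'response' => 500 ) );
    }
    echo esc_html( basename( $target ) );
    wp_die();
}
```

Even with the hardened handler, it is worth configuring the web server so that nothing under the upload directory is ever executed as PHP (for example, a rule that disables the PHP handler for that path); that way a bypass of the image checks still yields a file that is served as static content rather than run. The watermarking code path mentioned above is a separate concern and is not covered by this example.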
I have created a proof-of-concept Metasploit module demonstrating the vulnerability, which interested persons can download here: http://spareclockcycles.org/downloads/code/fgallery_file_upload.rb
Hosts running the plugin (not necessarily a vulnerable version) can be found with the following Google search: inurl:"wp-content/plugins/1-flash-gallery"
Disclosure
I reported the vulnerability to both WordPress and the plugin developers yesterday, Sep 5 2011. Both responded quickly to the issue and took appropriate measures. WordPress temporarily took down the plugin until the patch was released, which the developers did later in the day. I'd like to thank WordPress for their fast and professional response.
I am now releasing details of the vulnerability publicly to ensure that users are aware of the issue, and encourage them to update their plugins accordingly. The 1 Flash Gallery developers did not stress the severe implications of this vulnerability in their changelog (or mention that it was a security issue at all), so this post is partly to ensure that the implications are made clear. Personally, I would uninstall the plugin, given its history of serious security issues and the developers' lack of candor about those reported to them.
As always, any comments are welcome.
September 14th, 2011 - 08:46
I want hacker my website
November 4th, 2011 - 04:04
Hi,
On which version have you tested this?
I'm trying to replicate this and can't succeed... I don't know yet if it's my WP setup or the exploit... probably my WP setup.
Thanks
November 4th, 2011 - 04:13
Got it to work, never mind! It was my setup of course (actually a small bug in the plugin).
Good job!
November 23rd, 2011 - 04:40
Hi, I tested this module by installing a new WordPress and the unpatched plugin. But after I exploit it (using every available module) I always get
[-] Exploit exception: The host (192.168.80.148:80) was unreachable.
[*] Exploit completed, but no session was created.
this error message. Actually I can see the uploaded file in the WordPress directory.
So I have to know what you did. Did I do something wrong?
December 21st, 2011 - 17:29
I just dealt with this. Spammers uploaded a file into a tmp directory that executed mailing commands and sent out a shit ton of mail from my server. It was only when I had deleted the plugin and its directories that the mailings stopped (and I stopped getting overloaded with Mailer Daemons).
February 20th, 2012 - 23:22
Thanks for the information, it's very entertaining.
Regards