CVSS Summary
| Score | 8 High |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | Single |
| Confidentiality | Complete |
| Integrity | Partial |
| Availability | Partial |
Advisory:
Arbitrary code execution by admins in File Gallery 1.7.7
Vulnerability
Last revised:
An admin user can execute arbitrary code due to using create_function(). The plugin’s authors made it tricky by using single-quotes instead of double quotes, and they replaced all single quotes with a backslash followed by single quotes. Unfortunately, escaping strings is not quite that easy. Using backslash-quote we are able to escape the backslash leaving us a quote.
Current state: Fixed
Proof of concept
- Visit the settings page (integrated into the media settings at /wp-admin/options-media.php)
- Type the following into any of the plugin’s settings fields, for instance “How many page links should be shown in pagination?”:
',phpinfo(),#- WordPress keeps eating the backslash so I’ll spell it out: backslash, apostrophe, comma, “phpinfo”, open paren, close paren, comma, hash
- Click Save Changes
- Part way down the page you should see the PHP logo
Advisory timeline
- 2013-10-08: Discovered
- 2014-03-17: Reported to plugins@wordpress.org
- 2014-04-24: Updated version available
Mitigation/further actions
Upgrade to version 1.7.9.2.