Arbitrary code execution by admins in File Gallery 1.7.7


Last revised:

An admin user can execute arbitrary code because a plugin setting ends up inside a create_function() call. The plugin's authors tried to make this hard by wrapping the value in single quotes instead of double quotes and by replacing every single quote with a backslash followed by a single quote. Unfortunately, escaping strings is not quite that easy: supplying a backslash followed by a quote lets the backslash escape the inserted backslash rather than the quote, leaving a bare quote that ends the string.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability

Score: 8 (High)
Vector: Network
Complexity: Low
Authentication: Single
Confidentiality: Complete
Integrity: Partial
Availability: Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Visit the settings page (integrated into the media settings at /wp-admin/options-media.php)
  • Type the following into any of the plugin’s settings fields, for instance “How many page links should be shown in pagination?”:
    • \',phpinfo(),#
    • WordPress keeps eating the backslash so I’ll spell it out: backslash, apostrophe, comma, “phpinfo”, open paren, close paren, comma, hash
  • Click Save Changes
  • Part way down the page you should see the PHP logo
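As an added illustration (not File Gallery's code; the advisory does not show how the plugin assembled the create_function() body, so the single-quoted wrapping below is an assumption), this PHP compares the quote-only escaping described above with a correct escape and uses the tokenizer, which never executes anything, to show which one lets the input close the literal early:

```php
<?php
// Added example, not the plugin's own code. How File Gallery 1.7.7 wrapped the
// setting value is not shown in the advisory; the wrapping here is assumed.

// Flawed: only the apostrophe is escaped, so a backslash in the input is left
// alone and ends up escaping the backslash that was meant to escape the quote.
function naive_literal(string $value): string
{
    return "'" . str_replace("'", "\\'", $value) . "'";
}

// Correct escaping for a single-quoted PHP literal: backslash first, then quote.
// var_export($value, true) produces the same text.
function safe_literal(string $value): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

// Does the generated text still parse as exactly one string literal, or did a
// quote from the input terminate it? token_get_all() only tokenizes.
function literal_is_intact(string $literal): bool
{
    $tokens = token_get_all('<?php ' . $literal . ';');
    // Expected shape: open tag, one T_CONSTANT_ENCAPSED_STRING, the ';'.
    return count($tokens) === 3
        && is_array($tokens[1])
        && $tokens[1][0] === T_CONSTANT_ENCAPSED_STRING;
}

// The advisory's input: backslash, apostrophe, comma, phpinfo(), comma, hash.
$input = "\\',phpinfo(),#";

foreach (['naive_literal', 'safe_literal'] as $fn) {
    $literal = $fn($input);
    printf("%-13s %-24s intact: %s\n", $fn, $literal,
        literal_is_intact($literal) ? 'yes' : 'NO (string closed early)');
}
```

The durable fix is to drop create_function() for a closure that captures the setting, so the value is never turned into source text at all.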

Advisory timeline

  • 2013-10-08: Discovered
  • 2014-03-17: Reported to
  • 2014-04-24: Updated version available

Mitigation/further actions

Upgrade to version