CVE-2014-9312
Published 2017-08-28
CVE-2014-9312: Unrestricted File Upload vulnerability in Photo Gallery 1.2.5.
Priority: P272, high, CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 45.35% (98.6th percentile)
Unrestricted File Upload vulnerability in Photo Gallery 1.2.5.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | photo_gallery | — | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests targeting filemanager/UploadHandler.php within the WordPress photo-gallery plugin path, especially from low-privileged authenticated users (Subscriber role).
- Detect ZIP archive uploads containing .php files to the photo-gallery plugin upload endpoint, as the exploit packs PHP webshells into ZIP archives for upload.
- Alert on the presence of, or HTTP requests to, /wp-admin/rce/, which is where uploaded malicious files are accessible post-exploitation.
- The post() method in UploadHandler.php does not sanitize uploads; flag any PHP file execution originating from the photo-gallery plugin's upload/filemanager directory.
- Exploit was tested specifically against version 1.2.5 of the Photo Gallery plugin; version 1.2.6 patches the vulnerability.
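The log and upload indicators listed above, as an added example (not code from this page, Exploit-DB or the Metasploit module): a Python check that flags matching access-log lines and lists PHP members inside an uploaded ZIP. It assumes combined-format access logs; the function names are hypothetical, and the sample log lines and archive are constructed.

```python
import io
import re
import zipfile

# Assumed input: Apache/nginx combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def classify(line):
    """Return (client_ip, rule) if the line matches an indicator above, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, _status = m.groups()
    p = path.lower()
    if method == "POST" and "photo-gallery" in p and "uploadhandler.php" in p:
        return ip, "upload-handler-post"
    if p.startswith("/wp-admin/rce/"):
        return ip, "rce-dir-request"
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

def php_members(zip_bytes):
    """Names of archive members with a PHP-executable extension.
    Returns None when the archive cannot be parsed (treat as uninspectable)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if PHP_EXT.search(n)]
    except zipfile.BadZipFile:
        return None

# Constructed sample data, not taken from a real incident.
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Nov/2014:10:00:00 +0000] "GET /wp-content/plugins/photo-gallery/readme.txt HTTP/1.1" 200 900',
    '198.51.100.7 - - [11/Nov/2014:10:02:10 +0000] "POST /wp-content/plugins/photo-gallery/filemanager/UploadHandler.php HTTP/1.1" 200 84',
    '198.51.100.7 - - [11/Nov/2014:10:02:15 +0000] "GET /wp-admin/rce/a.php HTTP/1.1" 200 12',
]

def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"not a real image")
        zf.writestr("nested/a.PHP", b"placeholder")  # inert content
    return buf.getvalue()

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(php_members(sample_zip()))
```

A `None` result from `php_members` means the archive could not be inspected and should be held rather than passed through.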
CVSS provenance
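| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |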
No detection rules found.
Exploit-DB
WordPress Plugin Photo Gallery 1.2.5 - Unrestricted Arbitrary File Upload
exploitdb·2014-11-11·CVSS 8.8
---
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps
1. Description
Every registered user (even Subscriber) can access upload functionality because of the read role used inside UploadHandler.php.
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
2. Proof of Concept
Log in as a regular user (created using wp-login.php?action=register).
Pack .php files into a .zip archive, then send it using:
Your files will be visible inside:
http://wordpress-inst
Metasploit
WordPress Photo Gallery Unrestricted File Upload
metasploit
Photo Gallery Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the photo-gallery\photo-gallery.php script allows access to filemanager\UploadHandler.php. The post() method in UploadHandler.php does not properly verify or sanitize user-uploaded files. This module was tested on version 1.2.5.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/130104/Photo-Gallery-1.2.5-Shell-Upload.html
- http://packetstormsecurity.com/files/130384/WordPress-Photo-Gallery-1.2.5-Unrestricted-File-Upload.html
- http://www.securityfocus.com/bid/72620
Published: 2017-08-28