20 Dec

Vulnerability Details: Restricted File Upload Vulnerability in Gallery by BestWebSoft

While looking into what hackers might be targeting plugin Sharexy, we took a look at what appeared to be related request to see if a file that previously had existed in the plugin Gallery by BestWebSoft was on our website. The file requested was /wp-content/plugins/gallery-plugin/upload/php.php, which has been claimed to have an arbitrary file upload vulnerability as of version 3.06. Though at least by our definition that isn’t true because the extension of the files that could be uploaded through that file is limited.

The file /upload/php.php defines what extension uploaded files can have with the following line:

$allowedExtensions = array("jpeg", "jpg", "gif", "png");

The following code is then used to make sure the file is only using one of the allowed extensions:

$pathinfo = pathinfo($this->file->getName());
$ext = $pathinfo['extension'];
		$filename = str_replace(".".$ext, "", $pathinfo['basename']);
		//$filename = md5(uniqid());
if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
	$these = implode(', ', $this->allowedExtensions);
	return "{error:'File has an invalid extension, it should be one of $these .'}";

The claim of an arbitrary file upload vulnerability showed uploading a file with the name lo.php.gif. Normally web browsers only pay attention to a file’s final extension, so even if you were to upload a file with PHP code and that file name, it wouldn’t run.

Our guess with that sort of thing is that usually someone trying to exploit that would be under the mistaken belief that you could get PHP code to run. It is possible that some people would be using that type of issue with the intention of uploading images files, as is reported to have occurred with the plugin WP Job Manager. This type of issue could be combined with a local file inclusion (LFI) vulnerability.

In version 3.1.1 the file was removed and the file upload capability was moved in to the main code of the plugin, removing the ability for those not logged in to WordPress to access it.

Wider Notice

Due to the fact that this issue might be being targeted by hackers we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if for some reason they are using a really old version of this plugin (the issue was fixed five and half years ago) or if they see attempts to exploit this and wondering what is going on. That means we are also making this post publicly accessible, unlike most of our plugin vulnerabilities details posts.

Proof of Concept

The following proof of concept will upload the selected file with a “jpeg”, “jpg”, “gif”, or “png” file extension to /wp-content/plugins/gallery-plugin/upload/files/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-content/plugins/gallery-plugin/upload/php.php" method="POST" enctype="multipart/form-data">
<input type="file" name="qqfile" />
<input type="submit" value="Submit" />