UPDATED Users of NextGEN Gallery, the image management plugin for WordPress, have been urged to update their websites after the discovery of serious cross-site request forgery (CSRF) vulnerabilities.
The most serious of two flaws found by security researchers – each residing in separate functions – could lead to remote code execution (RCE) and stored cross-site scripting (XSS).
As a result, attackers could take control of a website, inject it with spam links, or redirect visitors to phishing domains, according to a blog post disclosing the findings of Wordfence researchers yesterday (February 8).
Critical – with caveats
Although one flaw (CVE-2020-35942) was assigned a critical CVSS of 9.6, and the other, file upload bug (CVE-2020-35943) was deemed borderline critical (CVSS 8.8), both first required the duping of an administrator into clicking a malicious link.
Exploitation of the critical vulnerability was dependent on the user triggering the sending of two malicious crafted requests instead of one, and the existence of at least one image album created by web admins.
However, Wordfence threat analyst Ram Gall, who discovered the flaws, told The Daily Swig that they managed to send “both requests required to achieve RCE with a single visit”, while “most sites using Nextgen gallery are going to have a published album because that’s the primary use case for the plugin.
“In other words, this is as easy or hard to exploit as any other CSRF. The social engineering aspect is the only restriction, and the CVSS score takes into account that user interaction is required.”
Published by Imagely, NextGen Gallery is an open source extension with more than 800,000 installations.
CSRF via file upload or LFI
The critical flaw resides in the settings-safeguarding security function is_authorized_request.
A logic flaw in a function that consolidates capability and nonce checks meant the nonce check permitted requests where the “$_REQUEST[‘nonce’] parameter was missing, rather than invalid”, explained Gall in the blog post.
As a result, it was possible to upload CSS files with double extensions (for example file.php.css) and achieve RCE.
“These files would only be executable on certain configurations, such as Apache/mod_php with an AddHandler directive,” said Gall.
However, RCE, along with local file inclusion (LFI), could be achieved with other configurations via the soon-to-be-deprecated ‘legacy templates’ feature, which also uses is_authorized_request.
“Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack,” explained Gall.
The uploaded file would then be “executed whenever the selected album type was viewed on the site”, and, if armed with JavaScript, result in XSS. However, site takeover would only follow “if a logged-in administrator visits a page running a malicious injected script”.
Gall also told The Daily Swig: “It’s possible to set every legacy template to use the relative path to the uploaded file in a single request, so no reconnaissance is necessary to determine what types of album are published or to gain knowledge of the site’s file structure in order to include the uploaded file.”
CSRF leading to file upload
The validate_ajax_request security function shared the same $_REQUEST[‘nonce’] flaw as is_authorized_request, which enabled attackers to trick “an administrator into submitting a request crafted to upload an arbitrary image file” containing a hidden webshell or other executable PHP code.
The two flaws could also be chained to set the image file as a ‘legacy template’, thus unleashing the malicious code – but again, only once an administrator clicks a malicious link.
‘Fast and professional’
Imagely received the vulnerability report on December 15, and released the patched version, 3.5.0, two days later on December 17. All previous versions are affected.
Wordfence’s Gall praised Imagely’s “fast and professional response” and urged site owners to “immediately update to the latest version”.
The Daily Swig has also put additional questions to Imagely and we will update the article if and when we hear back.
This article was updated on February 10 with additional comments from Wordfence.
Source: https://portswigger.net/daily-swig/wordpress-security-flaws-800-000-sites-running-nextgen-gallery-plugin-potentially-vulnerable-to-pwnage
