PLUGIN: http://wordpress.org/plugins/flash-album-gallery/
AFFECTED VERSION: 3.01
DOWNLOADS: 840,714
RISK: MEDIUM/HIGH
The following blog post addresses a critical chain of security issues
in version 3.01 of flash-album-gallery
which eventually leads to remote code execution. The exploit is not
completely automatic and needs a minimal amount
of social engineering. Nevertheless I rate the danger at a medium/high
level (probably even worse than a fully automatable SQL injection).
First of all, I need to say that the plugin code lacks a fair amount of
secure programming techniques and has inherent design flaws, as far
as I can tell [I am not a software engineer, I do security as a
hobby]. Presumably, this is a direct result of heterogeneous and
evolutionary growth of the software.
I researched flash-album-gallery mainly in June 2013 and after some
weeks I found a CSRF vulnerability in combination with
a stored XSS. But at the same time as I was preparing to contact the
author and reveal my findings, I noticed a new version, and
the bug seemed to have been found by an independent researcher. See the
changelog lines below: Fix: vulnerability with albums and Fix: XSS bugs reported by Ken …