Affected Versions:
DutchMonkey DM Albums 2.1
DutchMonkey DM Albums 2.0
Vulnerability description:
Bugtraq ID: 36799
DM Albums is an album plug-in for WordPress.
The DM Albums plug-in contains multiple input validation and access control errors. Remote attackers can bypass security restrictions or carry out cross-site scripting attacks.
1) Access to the dm-albums/wp-dm-albums-ajax.php script is not properly restricted, so remote attackers can call the script directly to delete album folders.
2) The delete_album parameter submitted to dm-albums/wp-dm-albums-ajax.php is not properly filtered, so remote attackers can use directory traversal to delete folders outside the album root directory. The following is the vulnerable code segment:
if (isset($_GET["delete_album"]) && !empty($_GET["delete_album"]) && strlen($_GET["delete_album"]) > 0)
{
    // Delete the album directory
    dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET["delete_album"]);
}
3) The plug-in lets users perform certain operations through HTTP requests without performing a validity check on those requests. If a logged-in user visits a malicious website, this may result in the deletion of any album directory.
<* Reference
http://secunia.com/advisories/37119/
http://blog.ndarkness.com/blog/225/wordpress-dm-albums-version-2-0-critical-vulnerability/
*>
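The three missing checks described above, shown as an added example of a hardened delete handler; this is not the vendor's patch and not code from the plug-in. It assumes WordPress is already loaded in the script and that dm_get_album_delete() takes a directory path as in the segment above; the helper dm_safe_album_path(), the nonce action 'dm_albums_delete', the 'upload_files' capability and the switch from GET to POST are choices made for this sketch.

```php
<?php
// Added example: assumes WordPress is loaded and $DM_UPLOAD_DIRECTORY is the
// album root, as in the segment above. dm_safe_album_path(), the nonce action
// 'dm_albums_delete' and the 'upload_files' capability are hypothetical.

function dm_safe_album_path($root, $requested)
{
    // Resolve both paths so "../" sequences and symlinks are collapsed.
    $root_real = realpath($root);
    $target    = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($root_real === false || $target === false || !is_dir($target)) {
        return false;
    }
    // The target must sit strictly below the album root, never the root itself.
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

// A state-changing action is accepted over POST only.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_album'])) {
    // Issue 1: the caller must be logged in and allowed to manage uploads.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // Issue 3: a per-user nonce proves the request came from the site's own form.
    $nonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'dm_albums_delete')) {
        wp_die('Invalid request token', '', array('response' => 403));
    }
    // Issue 2: the resolved path must stay inside the album root.
    $path = dm_safe_album_path($DM_UPLOAD_DIRECTORY, wp_unslash($_POST['delete_album']));
    if ($path === false) {
        wp_die('Invalid album', '', array('response' => 400));
    }
    // Delete the album directory
    dm_get_album_delete($path);
}
```

The form that submits the request would emit the matching token with wp_nonce_field('dm_albums_delete').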
Test method:
The program (method) provided on this site may be offensive and is to be used only for security research and teaching. Use it at your own risk!
http://someblogsite/wp-content/plugins/dm-albums/wp-dm-albums-ajax.php?delete_album=.../../public_html
Security suggestions:
Vendor patch:
DutchMonkey
-----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.dutchmonkey.com/?label=Latest+News+%26+Announcements#20091022