I came across this vulnerability at the weekend. The vulnerability has been reported to US-CERT and the author of the plugin.
Overview:
NextGEN Gallery plugin for WordPress allows remote directory browsing and unauthorized access to the gallery contents.
Description:
NextGEN Gallery plugin for WordPress stores uploaded galleries under wp-content/gallery/ and does not prevent directory browsing of that folder. On a web server with directory indexing enabled, remote attackers can list the gallery folders and request the image files directly via HTTP. This may lead to unauthorized access to private images or galleries which are not publicly displayed on the WordPress site/blog.
Exploit Syntax:
The image galleries can be accessed directly via an HTTP request for the gallery directory: http://www.website.com/wp-content/gallery/
Search engines such as Google can help attackers locate vulnerable websites by searching for the following phrase:
inurl:"/wp-content/gallery/"
At the time of writing, Google returns more than 6 million results for the above search phrase.
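As an added example (not code from this advisory or from the NextGEN Gallery plugin), the following Python script checks whether a site's gallery directory answers with an Apache-style directory index and, if it does, enumerates the sub-galleries and image files the listing exposes. The HTTP responses embedded in it are constructed to mimic Apache's autoindex output and a server with indexing disabled; the function names and the sample file names are my own and not taken from any real site.

```python
"""Detect an exposed directory listing of wp-content/gallery/ and enumerate
the files it reveals.

Added example for this advisory, not code from the NextGEN Gallery project.
The sample responses below are constructed, not captured from a real site.
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


class AutoindexParser(HTMLParser):
    """Collects href targets from an Apache autoindex page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(status, body):
    """True when the response looks like an Apache directory index.

    Apache's autoindex module titles the page "Index of <path>"; a 403 from
    "Options -Indexes" or a 200 from an empty index.html does not carry it.
    """
    if status != 200:
        return False
    head = body[:2048].lower()
    return "<title>index of " in head or "parent directory" in head


def list_gallery_entries(body):
    """Split the entries of a listing into (subdirectories, image files).

    Apache emits sort links such as "?C=N;O=D" and an absolute parent link
    such as "/wp-content/"; both are dropped so only the directory's own
    contents remain.
    """
    parser = AutoindexParser()
    parser.feed(body)
    directories, images = [], []
    for href in parser.hrefs:
        if href.startswith("?") or href.startswith("/") or href == "../":
            continue
        if href.endswith("/"):
            directories.append(href.rstrip("/"))
        elif href.lower().endswith(IMAGE_EXTENSIONS):
            images.append(href)
    return directories, images


def check_gallery(url, timeout=10):
    """Fetch <url> (expected to end in /wp-content/gallery/) and classify it.

    Performs a network request; only used from the command line.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, ""
    if not is_directory_listing(status, body):
        return False, [], []
    directories, images = list_gallery_entries(body)
    return True, directories, images


# Constructed sample: what Apache autoindex returns for an unprotected gallery.
LISTING_SAMPLE = """<html><head><title>Index of /wp-content/gallery</title></head>
<body><h1>Index of /wp-content/gallery</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wp-content/">Parent Directory</a>
<a href="private-event/">private-event/</a>
<a href="thumbs/">thumbs/</a>
<a href="family-01.jpg">family-01.jpg</a>
<a href="family-02.JPG">family-02.JPG</a>
<a href="notes.txt">notes.txt</a>
</body></html>"""

# Constructed sample: the same path once "Options -Indexes" is in place.
FORBIDDEN_SAMPLE = ("<html><head><title>403 Forbidden</title></head>"
                    "<body><h1>Forbidden</h1></body></html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        exposed, dirs, imgs = check_gallery(sys.argv[1])
        print("listing exposed" if exposed else "no listing", dirs, imgs)
    else:
        print(is_directory_listing(200, LISTING_SAMPLE))
        print(list_gallery_entries(LISTING_SAMPLE))
```

Run it with a gallery URL as the only argument to test a site you are authorized to assess; with no argument it runs against the constructed samples. Only the `Index of` title and the parent-directory link are used as listing markers, so the check is specific to Apache autoindex output and a server that has switched to a custom index page will need a different signature.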
Impacts:
- Unauthorized access to data and files.
- Privacy issues due to search engine indexing and archiving.
Solutions:
- Add the following lines to the WordPress .htaccess file to prevent directory browsing:
# Disable Directory Browsing
Options All -Indexes
- Create an empty file named index.html or index.php and save it in the gallery folder, e.g. http://www.website.com/wp-content/gallery/ (or whichever folder your galleries are stored in).
- Use the Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/ (this solution was provided by the NextGEN Gallery author).
Vendor Information:
- http://WordPress.org/extend/plugins/nextgen-gallery/
- http://alexrabe.de/WordPress-plugins/nextgen-gallery/
Product Details:
- NextGEN Gallery
- Version: 1.9.2 – 1.9.3
- Last update: Jan 17, 2012
Update: This issue is not fixed in version 1.9.3.