Securin Zero Days
Severity: High · CVSS 8.8 · Patched · EPSS 0.05042%

    Reflected Cross-Site Scripting in NextGen Gallery

    In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php.

CVE ID: CVE-2015-9228
CVSS v3.1: 8.8 High
Vendor: NextGen Gallery
CWE: CWE-434
Disclosed: Sep 4, 2015
Status: Fixed
• 01 Description
• 02 Proof of Concept
• 03 Impact
• 04 Remediation
• 05 Timeline
• 06 References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    A malicious file upload vulnerability was identified in WordPress plugin NextGen Gallery.

Vendor: NextGen Gallery
Affected Product: NextGen Gallery
CVE: CVE-2015-9228
Securin ID: 2015-CSW-09-1008
Status: Fixed
Date: September 4, 2015
Severity: High
CVSS Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
    02/Proof of Concept

From one request to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

CVSS 3.1: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Scope: Unchanged
Impact: C:H / I:H / A:H
Severity: High

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product. CVE-2015-9228 is a file upload vulnerability in the file and name variables of that request: the name variable's extension is modified from JPG to PHP, and the file variable, which carries the image content, is partially modified to include a PHP shell that is executed on the server and can be accessed through a publicly available URL. Here, it is http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308

PoC · Exploitation Steps
01 Issue 1: The POST request's file and name variables in the URL http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product are vulnerable to file upload: the name variable's extension is modified from JPG to PHP and the file variable is given a PHP shell, which is executed on the server and can be accessed through the publicly available URL http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308
02 Figure 1: Normal request to the server.
03 Figure 2: File variable modified from JPG to PHP.
04 Figure 3: Mixing the content of the uploaded file with shell content to get it executed.
05 Figure 4: Showing that the file has been uploaded to the server as an image.
06 Figure 5: The files have actually been stored in PHP format, which can be executed without being logged in.
07 Figure 6: Shell execution giving system information of the hosting server.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist.
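As an added example (not code from this page or from the NextGEN Gallery project), the PHP below shows the allowlist check the remediation describes, extended with a content check: the extension must be on the allowlist and the file's leading bytes must match it, so a name changed from .jpg to .php, or image data with a PHP shell spliced into it, is refused before anything is written. The function name `validate_gallery_upload` and the constant `ALLOWED_IMAGE_TYPES` are assumptions for illustration.

```php
<?php
// Added example, not NextGEN Gallery code. Names below are assumptions.
declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = [
    // extension => accepted signatures at offset 0
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $client_name is the user-controlled "name" field; $contents the raw bytes.
 */
function validate_gallery_upload(string $client_name, string $contents): ?string
{
    // Only the basename counts; any path the client supplied is discarded.
    $basename = basename(str_replace('\\', '/', $client_name));

    // Exactly one extension: "shell.php.jpg"-style names are refused rather
    // than interpreted, since servers differ on which extension they honour.
    if (substr_count($basename, '.') !== 1) {
        return 'filename must have exactly one extension';
    }
    $ext = strtolower(pathinfo($basename, PATHINFO_EXTENSION));

    // Allowlist: anything not listed (php, phtml, ...) is refused outright.
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return "extension .$ext is not allowed";
    }

    // The bytes must carry a signature matching the claimed extension, so a
    // renamed file cannot pass on its name alone.
    $signature_ok = false;
    foreach (ALLOWED_IMAGE_TYPES[$ext] as $magic) {
        if (strncmp($contents, $magic, strlen($magic)) === 0) {
            $signature_ok = true;
            break;
        }
    }
    if (!$signature_ok) {
        return "content does not match a .$ext image";
    }

    // Defence in depth against image/PHP polyglots: a valid image header
    // with a PHP open tag anywhere in the body is still refused.
    if (stripos($contents, '<?php') !== false || strpos($contents, '<?=') !== false) {
        return 'image data contains PHP code';
    }
    return null;
}
```

Inside WordPress, core's `wp_check_filetype_and_ext()` performs a comparable extension-plus-content check and is the natural place for a plugin to hand off validation instead of trusting the client-supplied name or MIME type.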

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9228, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days. Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

• Sep 04, 2015: Discovered in NextGen Gallery version 2.1.10
• Sep 04, 2015: Reported to plugins@wordpress.org
• Sep 04, 2015: The vendor acknowledged the issue.
• Sep 04, 2015: Fixed in NextGen Gallery version 2.1.15
• Oct 27, 2015: CVE requested.

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

• NVD — CVE-2015-9228: nvd.nist.gov/vuln/detail/CVE-2015-9228
• Securin VI — Full Technical Analysis: vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority