漏洞描述
The WordPress NextGEN Gallery plugin exposes a PHP error log file (php_errors.log) within its admin directory that is directly accessible without authentication.
wp-nextgen-gallery-log: WordPress Gallery Plugin / NextGEN Gallery (nextgen-gallery) Error Log Disclosure
PoC代码[已公开]
id: wp-nextgen-gallery-log
info:
name: WordPress Gallery Plugin / NextGEN Gallery (nextgen-gallery) Error Log Disclosure
author: DhiyaneshDk
severity: low
description: |
The WordPress NextGEN Gallery plugin exposes a PHP error log file (php_errors.log) within its admin directory that is directly accessible without authentication.
reference:
- https://wordpress.org/plugins/nextgen-gallery/
metadata:
verified: true
max-requests: 1
publicwww-query: "/wp-content/plugins/nextgen-gallery/"
tags: debug,wordpress,wp,wp-plugin,nextgen-gallery,log
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/nextgen-gallery/admin/php_errors.log"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "nextgen-gallery")'
- 'contains_any(body, "PHP Warning:", "failed to open dir")'
condition: and
# digest: 4a0a00473045022100ea250099b674e7527cba1e7ee7ecfd9618b219ce1be97df5469338bf3c7703b1022059d5b82b40cc0eedbfe2d6a6602b629a56bf0f9dcad64dfe618cbc58881e2c15:922c64590222798bb761d5b6d8e72950