Patch: Urgent security fixes for Nextgen Gallery Public Uploader

by Linus Neumann on April 19, 2011

The NextGEN Public Uploader plugin for WordPress allows users to upload images to the server. Of course, these are supposed to be moderated before publication. However, the moderation queue has grave security issues, as I had to learn the hard way:

Uploaded files are saved in /wp-content/gallery/galleryname/ or a similar path, which a malicious user can easily find out by looking at the path of already moderated and published images. Unfortunately, this is a public directory, and no measures are taken to prevent the web server from serving the uploaded images.

As the uploader knows the filename, they know the file's complete URL, under which the web server will happily serve the file regardless of its moderation status. You can see where this goes from there. Think Twitter or anonymous image boards.

I have written a quick patch that appends a random hash to the filename, so that the uploader can no longer predict the URL and bypass moderation.

ngg-random-hash.patch can be downloaded here (applies to the current version, 1.6).
Alternatively, you can just replace your /wp-content/plugins/nextgen-public-uploader/inc/class.npu_uploader.php with this version.

ATTENTION: This is only a quick fix. The following issues should additionally be addressed before I would even consider activating the plugin:

  1. The plugin should automatically make sure that there is an empty index.html file in the upload directory, to prevent directory listing on poorly configured servers.
  2. The chmod function should be used in order to actively prevent access to unmoderated content, instead of relying on security by obscurity.
  3. The uploader's IP address and the timestamp of the upload should be recorded in the database in a manner that allows integration with WordPress's anti-spam functions.
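What the quick fix above and the three follow-up items would look like in plain PHP, as an added example that is neither the plugin's code nor the patch linked above. The function names (npu_*), the npu_uploads table and the $pdo connection are hypothetical; random_bytes() and scalar type hints assume PHP 7.1 or later, which did not exist when the original patch was written.

```php
<?php
// Added example, not the NextGEN Public Uploader's code or the author's patch.
// Function names, the database table and the $pdo handle are hypothetical.

/**
 * Quick fix: a filename the uploader cannot predict. The original base name
 * is kept for readability, 16 random bytes (hex) are appended, and the
 * extension is preserved in lower case. random_bytes() is a CSPRNG.
 */
function npu_unguessable_filename(string $originalName): string
{
    $info = pathinfo($originalName);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $info['filename']);
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    $hash = bin2hex(random_bytes(16));           // 128 bits of entropy
    return $ext === '' ? "{$base}-{$hash}" : "{$base}-{$hash}.{$ext}";
}

/**
 * Issue 1: an empty index.html in the upload directory, so a server with
 * directory listing enabled does not enumerate unmoderated files.
 */
function npu_ensure_index_html(string $dir): void
{
    $index = rtrim($dir, '/') . '/index.html';
    if (!file_exists($index)) {
        file_put_contents($index, '');       // empty placeholder file
    }
}

/**
 * Issue 2: store the upload with mode 0600 until a moderator approves it,
 * then relax it to 0644. This only blocks the web server when the PHP
 * process owns the file and the web server runs as a different user
 * (e.g. a PHP-FPM pool user vs. www-data); see the note below.
 */
function npu_store_unmoderated(string $tmpPath, string $dir, string $originalName): string
{
    npu_ensure_index_html($dir);
    $target = rtrim($dir, '/') . '/' . npu_unguessable_filename($originalName);
    if (!move_uploaded_file($tmpPath, $target)) {
        throw new RuntimeException('upload could not be stored');
    }
    chmod($target, 0600);   // knowing the URL is no longer enough
    return $target;
}

/** Called by the moderation action once a file is approved. */
function npu_approve(string $path): void
{
    chmod($path, 0644);     // the web server may now serve it
}

/**
 * Issue 3: record uploader IP and timestamp next to the file so the row
 * can be fed to anti-spam checks. Table and column names are hypothetical.
 */
function npu_log_upload(PDO $pdo, string $path, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO npu_uploads (path, uploader_ip, uploaded_at, moderated)
         VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$path, $ip, gmdate('Y-m-d H:i:s')]);
}
```

Note on the chmod step: under mod_php the PHP code and the web server are the same user, so a 0600 file is still readable by the server and the mode change buys nothing. In that setup the only robust option is to keep unmoderated uploads outside the document root (or behind a script that checks the moderation flag) and move them into the public gallery directory on approval.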

Until these issues are addressed, I have no choice but to urgently discourage the use of this plugin.

2 comments

We’ve patched the latest version using your quick fix solution. Thank you for pointing this out and for a solution. For those who haven’t, please update to the latest version of NextGEN Public Uploader here: http://wordpress.org/extend/plugins/nextgen-public-uploader/.

by WDS-Scott on 2 May 2011 at 08:37.

Thanks for the patch and I understand why you have written it. BUT is there any way to automatically remove the Hash once the photo has been moderated and approved? It makes a mess of how I used the file name in my site. Thanks Colin

by Colin Spencer on 6 June 2011 at 11:44.
