(LiveHacking.Com) – A security researcher has discovered that millions of web sites which run on the popular WordPress blogging plaform are exposing potentially private photos and images due to misconfiguration and a privacy vulnerability in the NextGEN Gallery plugin. The problem is that the NextGEN Gallery plugin allows unrestricted HTTP browsing of its ‘gallery’ directory and so exposes all the photos which have been uploaded to the blog but not necessarily published via the plugin.
To access the gallery the following URL is used http://www.example.com/wp-content/gallery/ where example.com is the domain name of the WordPress site. Variations of this could be http://blog.example.com/wp-content/gallery/ or http://www.example.com/blog/wp-content/gallery/ depending where WordPress has been installed.
A search engine can also be used to find vulnerable sites by using the following search inurl:”/wp-content/gallery/”. Google returns over 7 millions results for this search. A alternative search is: “Index of /wp-content/gallery” which returns over 3 million results.
The impact of this vulnerability is that photos and images are being exposed which the system administrator has not published. Secondly there are privacy issues with the search engines crawling sections of web sites which the admins thought had remained private.
There are however some workarounds which I recommend every WordPress / NextGEN Gallery site use:
- Add the following lines to WordPress .htaccess to prevent directory browsing:
# Disable Directory Browsing Options All -Indexes
- Create an empty file with the name of index.html or index.php and save it in http://www.example.com/wp-content/gallery/
- Use Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/.
At this time US-CERT has been notified along with the plugin author. According to the statistics on the WordPress site, NextGEN Gallery has been downloaded over 4.5 million times.