Advisory:

Path traversal in Photo Gallery may allow admins to read most files on the filesystem

Vulnerability

The plugin contains a file manager component that gives broad access to the filesystem, including deleting, uploading and moving files. The proof of concept below uses path traversal to copy a configuration file from /etc into a web-readable directory, allowing the attacker to read secrets it contains.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 4 (Medium)
  • Vector: Network
  • Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
  2. Click Add new then Add Images
  3. Right-click on the file manager overlay, click Inspect, and use the dev tools to get the URL of this iframe
  4. Remove &extensions=jpg%2Cjpeg%2Cpng%2Cgif from the URL
  5. Append &dir=/../../../../../../etc/ to the URL
  6. Visit that URL
  7. Select the passwd file by clicking on it once
  8. Press the copy button in the toolbar
  9. Press the up button repeatedly until you arrive back at wp-content/uploads/photo-gallery
  10. Press the paste button
  11. Visit http://localhost/wp-content/uploads/photo-gallery/passwd to read the list of users

The number of ../ you need to add to the URL will vary, and the web server may be configured to only allow reading files with certain extensions.
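The following Python example, added here and not taken from the plugin, shows why the dir parameter walks out of the uploads directory and the containment check that stops it; UPLOAD_ROOT and the page= value in the sample URLs are assumptions, not values from the advisory.

```python
import posixpath
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Assumed value: the directory the file manager is meant to stay inside.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/photo-gallery"


def dir_param(url: str) -> str:
    """Extract the URL-decoded dir= query parameter from a file-manager request.
    parse_qs decodes %2e%2e%2f, so encoded traversal is handled the same way."""
    return parse_qs(urlsplit(url).query).get("dir", [""])[0]


def vulnerable_resolve(dir_value: str) -> str:
    """The flawed pattern: glue the user-controlled dir onto the root, then normalise.
    Each '..' walks one level up, so dir=/../../../../../../etc/ resolves to /etc."""
    return posixpath.normpath(UPLOAD_ROOT + "/" + dir_value)


def safe_resolve(dir_value: str) -> Optional[str]:
    """Hardened version: normalise first, then require the result to remain under
    UPLOAD_ROOT. Returns the absolute directory, or None if the request escapes."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, dir_value.lstrip("/")))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


def is_traversal_attempt(url: str) -> bool:
    """Detection helper for access-log review: True when dir= would leave the root."""
    return safe_resolve(dir_param(url)) is None


if __name__ == "__main__":
    # Constructed requests in the shape the proof of concept describes; the advisory
    # does not reproduce the iframe URL, so the page= value is a placeholder.
    attack = ("http://localhost/wp-admin/admin.php?page=PLACEHOLDER_FILE_MANAGER"
              "&dir=/../../../../../../etc/")
    benign = "http://localhost/wp-admin/admin.php?page=PLACEHOLDER_FILE_MANAGER&dir=2017/06"
    print(vulnerable_resolve(dir_param(attack)))   # /etc
    print(safe_resolve(dir_param(attack)))         # None
    print(safe_resolve(dir_param(benign)))         # .../photo-gallery/2017/06
```

Because normpath clamps at "/", extra ../ segments beyond the depth of UPLOAD_ROOT change nothing, which is why the number needed in the proof of concept varies by install but the containment check does not.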

Advisory timeline

  • 2017-03-29: Discovered
  • 2017-05-26: Reported to support@web-dorado.com
  • 2017-05-29: Received reply saying it would be fixed in 1.3.43
  • 2017-05-30: Version 1.3.43 was released
  • 2017-06-16: Advisory published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Upgrade to version 1.3.43 or later.