Advisory:

Path traversal vulnerability in Gallery may allow admins to read most files on the filesystem

Vulnerability


The plugin contains a file manager component that allows broad access to the filesystem, including deleting, uploading, and moving files. This proof of concept uses path traversal to copy an Apache configuration file into a web-readable directory so that the attacker can read secrets from it.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:
  Score: 5.5 (Medium)
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
  2. Click “Add New”
  3. Open the browser’s dev tools
  4. Click “Add Images”
  5. Find the request to a URL starting with “/wp-admin/admin-ajax.php?action=addImages&”
  6. Look for the bwg_nonce parameter in the URL and make a note of the value
  7. Visit this URL, making sure to replace NONCE_VALUE with the nonce you found: http://localhost/wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE_VALUE&callback=bwg_add_image&task=rename_item&file_names=../../../../../../etc/apache2/apache2.conf&file_new_name=apacheconfigfile
  8. To access the file, visit: http://localhost/wp-content/uploads/photo-gallery/apacheconfigfile.conf

Note that the number of “../” segments needed will vary by server configuration, that “/etc/apache2/apache2.conf” will not exist in all configurations, and that some servers may be configured to block requests for .conf files in wp-content/uploads.

If the www user has write access to /etc, this could break Apache. In most cases it will not, so PHP’s rename() function will merely copy the file instead of moving it.
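The following is an added example, not code from the advisory or the plugin. It shows the confinement check a rename_item handler needs (the renamed file must stay below the upload directory) and runs that same check as a detection over Apache access-log lines shaped like the request in step 7. The upload root follows step 8; the log lines, client addresses and nonce value are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Directory the plugin writes into (from step 8 of the advisory).
UPLOAD_ROOT = "/wp-content/uploads/photo-gallery"

# Constructed Apache combined-log lines; client addresses and nonce are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2017:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=addImages&bwg_nonce=abc123&callback=bwg_add_image&task=rename_item'
    '&file_names=../../../../../../etc/apache2/apache2.conf'
    '&file_new_name=apacheconfigfile HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/Mar/2017:10:02:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=addImages&bwg_nonce=abc123&task=rename_item&file_names=holiday.jpg'
    '&file_new_name=beach HTTP/1.1" 200 88',
    '203.0.113.5 - - [20/Mar/2017:10:03:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=addImages&bwg_nonce=abc123&task=rename_item'
    '&file_names=%2e%2e%2f%2e%2e%2fnot-allowed.txt&file_new_name=x HTTP/1.1" 200 412',
]

# Captures client, method, request target and status from a combined-log line.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def escapes_root(file_name: str, root: str = UPLOAD_ROOT) -> bool:
    """True if file_name, resolved against root, lands outside root.
    This is the confinement check a rename_item handler needs: normalise the
    joined path and require it to stay below the upload directory."""
    resolved = posixpath.normpath(posixpath.join(root, file_name))
    return resolved != root and not resolved.startswith(root + "/")

def flag_traversal(log_lines):
    """Return (client, file_names) for rename_item requests that escape the root."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        q = parse_qs(parts.query)  # percent-decodes once, as PHP's $_GET does
        if q.get("action") != ["addImages"] or q.get("task") != ["rename_item"]:
            continue
        for name in q.get("file_names", []):
            if escapes_root(name):
                hits.append((client, name))
    return hits
```

Running flag_traversal(SAMPLE_LOG) flags the two traversal requests and ignores the legitimate rename of holiday.jpg.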

Advisory timeline

  • 2017-03-20: Discovered
  • 2017-03-21: Reported via support@web-dorado.com
  • 2017-03-22: Vendor reported issue fixed in 1.3.34
  • 2017-03-28: Advisory published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Upgrade to version 1.3.34 or later.