The plugin contains a file manager component which allows broad access to the filesystem including deleting files, uploading files, and moving files. In this proof-of-concept we’ll be using path traversal to copy a configuration file from /etc into a web-readable directory in order to allow the attacker to read secrets.
Proof of concept
- Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
- Click Add new then Add Images
- Right-click on the file manager overlay, click Inspect, and use the dev tools to get the URL of this iframe
- Remove &extensions=jpg%2Cjpeg%2Cpng%2Cgif from the URL
- Append &dir=/../../../../../../etc/ to the URL
- Visit that URL
- Select the passwd file by clicking on it once
- Press the copy button in the toolbar
- Press the up button repeatedly until you arrive back at wp-content/uploads/photo-gallery
- Press the paste button
- Visit http://localhost/wp-content/uploads/photo-gallery/passwd to read the list of users
The number of ../ you need to add to the URL will vary, and the web server may be configured to only allow reading files with certain extensions.
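The PoC works because the `dir` parameter is combined with the uploads directory without checking that the result stays inside it, and because the `extensions` filter lives in the URL rather than on the server. The following Python is an added illustration of the two server-side checks that close this class of issue; it is not the plugin's code, and the upload root path and the traversal string are constructed from the steps above.

```python
import posixpath
from typing import Optional

# Constructed example root; the real path on the target is not on the page.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/photo-gallery"
# The allowlist the PoC removes from the iframe URL, now enforced server-side.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_resolve(root: str, requested_dir: str) -> str:
    """Plain concatenation with no containment check.

    This models the traversal class the PoC relies on (not the plugin's
    actual implementation): "../" segments walk out of the upload root.
    """
    return posixpath.normpath(posixpath.join(root, requested_dir.lstrip("/")))


def safe_resolve(root: str, requested_dir: str) -> Optional[str]:
    """Return the resolved directory only if it stays under `root`, else None."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested_dir.lstrip("/")))
    # The separator must be part of the prefix test, otherwise a sibling
    # directory such as ".../photo-gallery-old" would pass as "inside".
    if candidate == root or candidate.startswith(root + "/"):
        # On a live server, run os.path.realpath() on `candidate` here as well
        # so a symlink inside the uploads tree cannot point back outside it.
        return candidate
    return None


def is_allowed_file(name: str, allowed=IMAGE_EXTENSIONS) -> bool:
    """Server-side extension allowlist for copy/move/upload targets.

    The `extensions` query parameter is attacker-controlled and must never
    be the only thing deciding which files the file manager may touch.
    """
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in allowed


if __name__ == "__main__":
    traversal = "/../../../../../../etc/"  # the value appended in the PoC
    print("naive :", naive_resolve(UPLOAD_ROOT, traversal))   # escapes to /etc
    print("safe  :", safe_resolve(UPLOAD_ROOT, traversal))    # rejected: None
    print("passwd allowed:", is_allowed_file("passwd"))       # False
```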
Upgrade to version 1.3.43 or later.