Path traversal in Photo Gallery may allow admins to read most files on the filesystem

Score: 4 (Medium)
Vector: Network
Complexity: Low
Authentication: Single
Confidentiality: Partial
Integrity: None
Availability: None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

The plugin contains a file manager component which allows broad access to the filesystem including deleting files, uploading files, and moving files. In this proof-of-concept we’ll be using path traversal to copy a configuration file from /etc into a web-readable directory in order to allow the attacker to read secrets.

Proof of concept

  1. Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
  2. Click Add new then Add Images
  3. Right-click on the file manager overlay, click Inspect, and use the dev tools to get the URL of this iframe
  4. Remove &extensions=jpg%2Cjpeg%2Cpng%2Cgif from the URL
  5. Append &dir=/../../../../../../etc/ to the URL
  6. Visit that URL
  7. Select the passwd file by clicking on it once
  8. Press the copy button in the toolbar
  9. Press the up button repeatedly until you arrive back at wp-content/uploads/photo-gallery
  10. Press the paste button
  11. Visit http://localhost/wp-content/uploads/photo-gallery/passwd to read the list of users

The number of ../ you need to add to the URL will vary, and the web server may be configured to only allow reading files with certain extensions.
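Added example, not the plugin's own code: a Python sketch of the flawed directory handling the proof of concept relies on, beside a containment check that resolves the requested directory and rejects anything outside the uploads directory, plus a server-side extension allowlist that does not depend on the &extensions= query string. The base directory is a constructed temporary directory and the request value is the advisory's own payload.

```python
import os
import tempfile

# Constructed stand-in for wp-content/uploads/photo-gallery (a real temp dir
# so realpath() behaves as it would on a live install).
BASE_DIR = tempfile.mkdtemp(prefix="photo-gallery-")

# The advisory's payload: a leading slash plus enough "../" to reach the root.
TRAVERSAL = "/../../../../../../etc/"

# Server-side allowlist. The PoC works because the extension filter arrived
# in the URL (&extensions=...), so the client could simply remove it.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def vulnerable_resolve(base_dir, user_dir):
    """Flawed pattern: glue the user-supplied dir onto the base with no
    containment check. normpath() collapses the '../' run, so the result
    lands in /etc however many surplus '../' were sent."""
    return os.path.normpath(base_dir + "/" + user_dir)


def safe_resolve(base_dir, user_dir):
    """Resolve the request, then require the result to be the base directory
    itself or a path strictly beneath it. Returns None when it is not."""
    real_base = os.path.realpath(base_dir)
    # A leading slash would make os.path.join discard the base entirely.
    candidate = os.path.realpath(os.path.join(real_base, user_dir.lstrip("/")))
    if candidate == real_base or candidate.startswith(real_base + os.sep):
        return candidate
    return None


def is_listable(filename):
    """Expose only image files, decided by the server, not by a query string."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(BASE_DIR, TRAVERSAL))  # /etc
    print("hardened:  ", safe_resolve(BASE_DIR, TRAVERSAL))        # None
    print("hardened:  ", safe_resolve(BASE_DIR, "album-1/"))
    print("passwd listable?", is_listable("passwd"))              # False
```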

Mitigation/further actions

Upgrade to version 1.3.43 or later.