Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Photo Gallery 1.3.34 / 1.3.42 Path Traversal

🗓️ 21 Jun 2017 00:00:00Reported by Tom AdamsType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

WordPress Photo Gallery 1.3.34 / 1.3.42 Path Traversal vulnerability allows admins to read most files on the filesyste

Code
`Details  
================  
Software: Photo Gallery  
Version: 1.3.34,1.3.42  
Homepage: https://wordpress.org/plugins/photo-gallery/  
Advisory report: https://security.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/  
CVE: Awaiting assignment  
CVSS: 4 (Medium; AV:N/AC:L/Au:S/C:P/I:N/A:N)  
  
Description  
================  
Path traversal in Photo Gallery may allow admins to read most files on the filesystem  
  
Vulnerability  
================  
The plugin contains a file manager component which allows broad access to the filesystem including deleting files, uploading files, and moving files. In this proof-of-concept weall be usingA pathA traversal to copy a configurationA file from /etc into a web-readable directory in order to allow the attacker to read secrets.  
  
Proof of concept  
================  
  
Visit:A http://localhost/wp-admin/admin.php?page=galleries_bwg  
Click Add new then Add Images  
Right-click on the file manager overlay, click Inspect, and use the dev tools to get the URL of this iframe  
RemoveA &extensions=jpg%2Cjpeg%2Cpng%2Cgif from the URL  
Append &dir=/../../../../../../etc/ to the URL  
Visit that URL  
Select the passwd fileA by clicking on it once  
Press the copy button in the toolbar  
Press the up button repeatedly until you arrive back at wp-content/uploads/photo-gallery  
Press the paste button  
VisitA http://localhost/wp-content/uploads/photo-gallery/passwdA to read the list of users  
  
The number of ../A you need to add to the URL will vary,A and the web serverA may be configured to only allowA reading files with certain extensions.  
  
Mitigations  
================  
Upgrade to version 1.3.43 or later.  
  
Disclosure policy  
================  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/  
  
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.  
  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
  
Timeline  
================  
  
2017-03-29: Discovered  
2017-05-26: Reported toA [email protected]  
2017-05-29:A Received reply saying it would be fixedA in 1.3.43  
2017-05-30: Version 1.3.43 was released  
2017-06-16: Advisory published  
  
  
  
Discovered by dxw:  
================  
Tom Adams  
Please visit security.dxw.com for more information.  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jun 2017 00:00Current
0.1Low risk
Vulners AI Score0.1
wordpress photo gallerypath traversalfile managerpath traversal mitigationresponsible disclosuredxw discoverycve awaiting assignment
37