Geo2 Maps Add-on for NextGEN Gallery < 2.0.3 – Unauthenticated PHP Object Injection

Description

The plugin nextgen-gallery-geo insecurely trusts serialised data submitted over the AJAX ngg_geo_showmap (v <= 1.0.0) or geo2_maps_showmap (v <= 2.0.2) actions, available to both unauthenticated and authenticated users. This opens up the site to a PHP object injection vulnerability potential exploit vector.

Proof of Concept

The plugin did not have a suitable gadget chain to directly exploit this issue, so it will depends on other plugins/libraries installed.

v <= 1.0.0

add_action('wp_ajax_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax');
add_action('wp_ajax_nopriv_ngg_geo_showmap', 'ng_gallery_geo_shortcodes_ajax');

function ng_gallery_geo_shortcodes_ajax()
{

    $options = unserialize(base64_decode($_POST['options']));
     ....
}


v <= 2.0.2
add_action( 'wp_ajax_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' );
add_action( 'wp_ajax_nopriv_geo2_maps_showmap', 'geo2_maps_shortcodes_ajax' );

function geo2_maps_shortcodes_ajax()
{
    check_ajax_referer( 'geo2-ajax-nonce', 'nonce' );
	
    $options = unserialize( base64_decode( $_POST[ 'options' ] ) );
     ...
}