Traversal Attack / Local File Inclusion (LFI) in NextGEN Gallery by Photocrati Version 2.1.7 #2

Open
cybersecurityworks opened this issue Aug 28, 2015 · 0 comments
WordPress Product Bugs Report

Bug Name: LFI (Local File Inclusion)
Area Path: NextGEN Gallery by Photocrati Version 2.1.7 (Plugin)
Last Updated: 12-08-2015
Compatible up to: WordPress 4.3.0 (requires 3.6.1 or higher)
Severity: High
Reported by: Sathish from Cyber Security Works Pvt Ltd ([email protected])

The existing filter name with a Local File Inclusion (LFI) payload is executed when the user modifies the file path with an LFI payload and sends it to the server.

POC:

[Figure 1: HTTP request and response for the vulnerable dir variable with the ../../../../../../../../../../../xampp/htdocs/wordpress/ (any traversal) payload]

Note: Similarly, the user can fetch any details from any website hosted on the same server.

Reproducing Steps:

  1. Log on to the application.
  2. Access the NextGEN Gallery by Photocrati plugin.
  3. Click on the path selection for the given folders.
  4. Modify the dir variable value with the ../../../../../../../../../../../xampp/htdocs/wordpress/ (any traversal) payload in the intercepting proxy.
  5. Now you can see the internal system folders that are available.
cybersecurityworks changed the title from "Local File Inclusion (LFI)" to "Local File Inclusion (LFI) in NextGEN Gallery by Photocrati Version 2.1.7" on Aug 28, 2015
cybersecurityworks changed the title from "Local File Inclusion (LFI) in NextGEN Gallery by Photocrati Version 2.1.7" to "Traversal Attack / Local File Inclusion (LFI) in NextGEN Gallery by Photocrati Version 2.1.7" on Sep 14, 2015
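The report above describes a folder browser whose `dir` parameter is joined onto a gallery root without being confined to it, so `../` segments (sent from an authenticated session, per step 1) walk the listing out to other directories on the host. The following is an added example, not NextGEN Gallery's code or the reporter's: a minimal directory-listing handler in its traversal-prone form next to a hardened form that canonicalises the path and checks it stays under the root. The parameter name `dir` and the XAMPP path shape come from the report; the function names, the gallery root and the sample directory tree are constructed here.

```python
# Added example, not code from NextGEN Gallery or the reporter: a minimal
# folder-browser handler of the kind the report's "path selection" step hits.
# ``dir`` is the parameter named in the report; the function names, the
# gallery root and the sample directory tree are constructed here.
import os
import shutil
import tempfile
from pathlib import Path


def list_dir_unsafe(base, user_dir):
    """Traversal-prone: the user value is joined onto the gallery root with
    no check that the result stays inside it, so ``../`` segments (or an
    absolute path, which os.path.join lets replace ``base``) walk out."""
    target = os.path.join(base, user_dir)
    return sorted(os.listdir(target))


def list_dir_safe(base, user_dir):
    """Hardened: reject absolute input, resolve symlinks and ``..`` segments,
    then require the resolved path to be the root or a descendant of it.
    Raises PermissionError for an escape and FileNotFoundError for a missing
    directory, so the caller can answer each case differently."""
    base_real = Path(base).resolve()
    if Path(user_dir).is_absolute():
        raise PermissionError("absolute paths are not allowed: %r" % user_dir)
    candidate = (base_real / user_dir).resolve()
    try:
        candidate.relative_to(base_real)  # ValueError if not under base_real
    except ValueError:
        raise PermissionError("path escapes gallery root: %r" % user_dir) from None
    if not candidate.is_dir():
        raise FileNotFoundError(user_dir)
    return sorted(p.name for p in candidate.iterdir())


def build_sample_tree():
    """Constructed layout mirroring the report's XAMPP paths:
    <tmp>/xampp/htdocs/wordpress/wp-content/gallery is the browser root and
    wp-config.php sits two levels above it. Returns (tmp_root, gallery_root)."""
    tmp = tempfile.mkdtemp()
    wordpress = Path(tmp, "xampp", "htdocs", "wordpress")
    gallery = wordpress / "wp-content" / "gallery"
    (gallery / "album1").mkdir(parents=True)
    (gallery / "album1" / "photo.jpg").write_bytes(b"")
    (wordpress / "wp-admin").mkdir()
    (wordpress / "wp-config.php").write_text("<?php // constructed sample\n")
    return tmp, str(gallery)


def demo():
    """Run both handlers against a legitimate folder and traversal payloads;
    returns a dict of outcomes so the behaviour can be checked, not just read."""
    tmp, gallery = build_sample_tree()
    # Same shape as the report's payload, with just enough ../ to climb out of
    # the constructed tree's gallery root (five levels) and back down into the
    # WordPress install; on a real host surplus ../ segments stop at the root.
    escape = "../../../../../xampp/htdocs/wordpress/"
    out = {"unsafe_escape": list_dir_unsafe(gallery, escape),
           "safe_album": list_dir_safe(gallery, "album1")}
    for name, payload in [("safe_escape", escape),
                          ("safe_mixed", "album1/../../.."),
                          ("safe_absolute", tmp)]:
        try:
            list_dir_safe(gallery, payload)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "rejected"
    shutil.rmtree(tmp)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe handler returns the WordPress install's contents (wp-admin, wp-config.php, wp-content) for the traversal payload, which is the "internal system folders" result the report shows; the hardened handler refuses it, refuses a payload that hides the traversal behind a real folder name, and refuses an absolute path, while still listing a genuine album. The check is done on the resolved path rather than by searching the input for `../`, since encoding tricks and symlinks defeat string matching but not canonicalisation.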