12 Apr

Privilege Escalation Vulnerability in Robo Gallery

While reviewing a false report of a vulnerability in the Robo Gallery plugin today we noticed the plugin actually had a privilege escalation vulnerability in the code mentioned in that other report. In version 2.0.15, and some prior versions, the function rbs_gallery_ajax_callback in the file /includes/rbs_gallery_ajax.php allows anyone logged in to WordPress to access the functions in the file /includes/extensions/rbs_create_post_ajax.php, which not all levels of users should have access to.

In version 2.0.15 an attempt was made to stop this by restricting access to the function rbs_gallery_ajax_callback to administrators using the function is_admin(). The problem with that is that is_admin() doesn’t actually check whether a user is an administrator. Instead it checks “if the Dashboard or the administration panel is attempting to be displayed”. Since it “will return true when trying to make an ajax request (both front-end and back-end requests)”, the change had no effect here, because the vulnerable code is reached through an ajax request.
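The fix this calls for, shown as an added illustration rather than the plugin's own code: the is_admin() gate replaced by a capability check on the user (current_user_can() with the administrator capability manage_options), plus a nonce check and an allow-list of function names. The function, hook and request parameter names follow those in this post; the dispatcher and the reset handler are hypothetical.

```php
<?php
// Added illustration, not Robo Gallery's code. Names rbs_gallery_ajax_callback,
// the rbs_gallery action and the function/galleryid parameters come from the
// advisory; the handler bodies below are hypothetical.

// BEFORE: is_admin() is true for every admin-ajax.php request, including one
// made by a logged-in subscriber, so this check restricts nothing.
function rbs_gallery_ajax_callback_vulnerable() {
    if ( ! is_admin() ) {
        wp_die( 'Forbidden' );
    }
    rbs_gallery_dispatch( $_POST ); // reachable by any logged-in user
}

// AFTER: test what the *user* may do, not which screen is being rendered, and
// tie the request to a nonce so a logged-in administrator cannot be made to
// submit it from a third-party page.
function rbs_gallery_ajax_callback_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'rbs_gallery_nonce', 'security' ); // dies on failure
    rbs_gallery_dispatch( $_POST );
}

// Hypothetical dispatcher: allow-list the function names instead of calling
// whatever arrives in $_POST['function'].
function rbs_gallery_dispatch( array $post ) {
    $allowed = array( 'reset_views' => 'rbs_gallery_reset_views' );
    $fn      = isset( $post['function'] ) ? $post['function'] : '';
    if ( ! isset( $allowed[ $fn ] ) ) {
        wp_send_json_error( 'unknown function', 400 );
    }
    $gallery_id = isset( $post['galleryid'] ) ? absint( $post['galleryid'] ) : 0;
    call_user_func( $allowed[ $fn ], $gallery_id );
}

// Hypothetical implementation of the view-count reset: the count is assumed to
// be stored as post meta on the gallery post.
function rbs_gallery_reset_views( $gallery_id ) {
    update_post_meta( $gallery_id, 'rbs_views', 0 );
    wp_send_json_success( array( 'galleryid' => $gallery_id, 'views' => 0 ) );
}

// action=rbs_gallery on admin-ajax.php maps to the wp_ajax_rbs_gallery hook.
add_action( 'wp_ajax_rbs_gallery', 'rbs_gallery_ajax_callback_fixed' );
```

The same pattern applies to any admin-ajax.php handler: is_admin() never distinguishes users, so a capability check is the only meaningful gate.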

Proof of Concept

The following proof of concept will reset a gallery’s view count to 0.

Make sure you are logged in to WordPress, ideally as a subscriber since they have the least capabilities. Also, make sure to replace “[path to WordPress]” with the location of WordPress and “[id of gallery]” with the ID of the gallery you are resetting the view count of.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=rbs_gallery" method="post">
<input type="hidden" name="function" value="reset_views" />
<input type="hidden" name="galleryid" value="[id of gallery]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 4/12/2016 – Developer notified that the issue has not been resolved.
  • 4/12/2016 – Developer responds that fix forthcoming.
  • 4/16/2016 – Version 2.0.17 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
