Grand Flagallery - Photo Gallery Plugin 4.24, Full Path Disclosure

The default installation of ‘Grand Flagallery’ plugin for WordPress contains a file which, if invalid input is provided to it, results in a full path disclosure of the web root.

Homepage

https://wordpress.org/plugins/flash-album-gallery/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 4.25

Proof of Concept

Visiting the following URL (after plugin activation) triggers the full path disclosure.

http://localhost/wp-content/plugins/flagallery-skins/banner_widget_default/gallery.php

Similarly, if the plugin has been installed but not yet activated, the following URL results in the same full path disclosure.

http://localhost/wp-content/plugins/flash-album-gallery/skins/banner_widget_default/gallery.php
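Full path disclosure of this kind usually surfaces as a PHP diagnostic ("Warning: ... in /absolute/path/file.php on line N") rendered into the response. The following is an added example, not code from the advisory or from the plugin: a small Python check that scans an HTTP response body for that diagnostic shape, extracts the leaked absolute path and derives the web root from it. The sample responses, the warning messages and the line numbers in them are constructed for illustration; they are not captured output from the plugin.

```python
import re
from typing import Optional

# Shapes of the PHP diagnostics that embed an absolute filesystem path,
# e.g. "Warning: <message> in /var/www/html/foo.php on line 12".
# Covers both the plain-text form and the HTML form PHP emits when
# html_errors is on ("<b>Warning</b>: ... in <b>/path</b> on line <b>12</b>").
# This is generic PHP behaviour, not anything specific to the plugin.
_PHP_DIAG = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)(?:</b>)?:\s*"
    r"(?P<msg>.+?)\s+in\s+(?:<b>)?(?P<path>/[^\s<]+|[A-Za-z]:\\[^\s<]+)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE,
)


def guess_webroot(path: str) -> Optional[str]:
    """Strip the WordPress-relative tail so the leaked web root stands out.

    Returns None when the path does not look like a WordPress install
    (no /wp-content/ segment), e.g. a leak from some other application.
    """
    norm = path.replace("\\", "/")          # normalise Windows separators
    idx = norm.find("/wp-content/")
    return norm[:idx] if idx != -1 else None


def find_path_disclosures(body: str) -> list:
    """Return every PHP diagnostic in a response body that leaks an absolute path."""
    findings = []
    for m in _PHP_DIAG.finditer(body):
        findings.append({
            "level": m.group("level").capitalize(),
            "message": m.group("msg"),
            "path": m.group("path"),
            "line": int(m.group("line")),
            "webroot": guess_webroot(m.group("path")),
        })
    return findings


# Constructed sample responses (illustrative only; not captured from the plugin).
SAMPLE_LEAKING = (
    "<br />\n<b>Notice</b>:  Undefined index: gid in "
    "<b>/var/www/html/wp-content/plugins/flagallery-skins/banner_widget_default/gallery.php</b> "
    "on line <b>7</b><br />\n"
)
SAMPLE_WINDOWS = (
    "Warning: foreach() argument must be of type array|object in "
    "C:\\inetpub\\wwwroot\\wp-content\\plugins\\flash-album-gallery\\skins\\"
    "banner_widget_default\\gallery.php on line 12"
)
SAMPLE_CLEAN = "<html><body><div class='gallery'></div></body></html>"


if __name__ == "__main__":
    for name, body in (("leaking", SAMPLE_LEAKING),
                       ("windows", SAMPLE_WINDOWS),
                       ("clean", SAMPLE_CLEAN)):
        hits = find_path_disclosures(body)
        if not hits:
            print(f"{name}: no path disclosure found")
        for h in hits:
            print(f"{name}: {h['level']} leaks {h['path']} (web root: {h['webroot']})")
```

Run against the body of your own site's response after patching to confirm the diagnostic is gone. Independently of the plugin update, a production PHP configuration should keep `display_errors` off and `log_errors` on, so that a diagnostic like the one matched above goes to the error log rather than into the HTTP response.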

Timeline

  • 2014-10-23: Discovered
  • 2014-10-23: Vendor notified
  • 2014-10-23: Vendor responded, version 4.25 released – issue resolved
  • 2014-10-27: CVE requested
  • 2014-10-27: CVE assigned
  • 2014-10-30: Advisory released