------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of galleries
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary gallleries.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Request Forgery
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue can be used by an attacker to delete arbitrary
gallleries.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Photo Gallery lacks protection against
Cross-Site Request Forgery attacks. Due to this, it is possible to
delete arbitrary gallleries. In order to exploit this issue, the
attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<img
src="http://<target>/wp-admin/admin.php?page=supsystic-gallery&module=galleries&action=delete&gallery_id=10
">
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_galleries.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip