novaGallery Path Traversal Vulnerability Allowing Unauthenticated Image File Access Outside Gallery Directory
Vulnerability
A path traversal vulnerability has been identified in novaGallery, a PHP image gallery application, affecting versions through 2.1.0. This vulnerability allows unauthenticated users to read image files located outside the designated gallery root directory. The issue arises because the application fails to properly sanitize and validate file paths, enabling users to manipulate the request to access files on the server's filesystem via relative path traversal. The vulnerability has been patched in version 2.1.1.
Impact
Exploitation of this vulnerability allows unauthenticated users to bypass the gallery's directory restrictions and access image files stored outside the intended directory. While the vulnerability primarily affects files recognized as images by the application, it could potentially lead to the exposure of sensitive or private photos stored elsewhere on the server, provided they are accessible through relative paths.
Reproduction
The vulnerability can be reproduced by sending a request to the '/album/' route with a path traversal payload that includes '..' segments; the response is a directory listing of files from outside the gallery root. A second request is then made to the '/storage/cache/' route with a crafted path that again uses '..' segments, targeting an image file outside the gallery directory. The server responds with a '200 OK' status and the requested image, demonstrating successful exploitation of the path traversal vulnerability.
Remediation
Users are advised to update to novaGallery version 2.1.1, where this vulnerability has been fixed.
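For maintainers reviewing similar code, the check that was missing here is a containment test on the resolved path. The following is an added example, not novaGallery's code or its 2.1.1 patch; the function name resolveInsideRoot, the directory layout and the sample paths are constructed for illustration, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from novaGallery): returns the absolute path of
// $requested only if, after resolution, it is a regular file inside $root.
function resolveInsideRoot(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    // Reject NUL bytes up front; PHP 8 filesystem calls throw on them.
    if ($rootReal === false || str_contains($requested, "\0")) {
        return null;
    }
    // realpath() collapses '..' segments and follows symlinks, so the
    // comparison below is made on the location the server would really read.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // path does not exist
    }
    // Compare against the root WITH a trailing separator; otherwise a sibling
    // such as "gallery-private" would pass a prefix test for "gallery".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($target, $prefix) || !is_file($target)) {
        return null;
    }
    return $target;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . '/pt-demo-' . bin2hex(random_bytes(4));
mkdir("$base/gallery/holiday", 0700, true);
mkdir("$base/gallery-private", 0700, true);
file_put_contents("$base/gallery/holiday/a.jpg", 'x');
file_put_contents("$base/gallery-private/b.jpg", 'x');
file_put_contents("$base/c.jpg", 'x');

$samples = [
    'holiday/a.jpg',            // inside the root: allowed
    '../c.jpg',                 // escapes the root: rejected
    'holiday/../../c.jpg',      // escapes via a subdirectory: rejected
    '../gallery-private/b.jpg', // sibling sharing the name prefix: rejected
];
foreach ($samples as $p) {
    $result = resolveInsideRoot("$base/gallery", $p);
    printf("%-26s => %s\n", $p, $result ?? 'rejected');
}
```

The same resolved-path test has to be applied on every route that maps request input to a file, since the report shows both '/album/' and '/storage/cache/' accepting traversal segments.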
