Advisory #: 158
Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-11-29
CVE-ID:[CVE-2015-7527]
CWE: CWE-20 Input Validation
Download Site: https://wordpress.org/plugins/cool-video-gallery/
Vendor: https://profiles.wordpress.org/praveen-rajan, fixed v2.0
Vendor Notified: 2015-11-30
Vendor Contact: https://wordpress.org/support/topic/command-injection-vulnerability-in-v19?replies=1#post-7721994
Advisory: http://www.vapidlabs.com/advisory.php?v=158
Description: Cool Video Gallery is a Video Gallery plugin for WordPress with option to upload videos, attach media files, add Youtube videos and manage them in multiple galleries. Automatic preview image generation for uploaded videos using FFMPEG library available. Option provided to upload images for video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video files presently.
Vulnerability:
If any of the arguments being passed to $command are sourced from user input, I believe we can inject commands to be passed to the shell via exec() on line 714. In cool-video-gallery/lib/core.php lines 703-714: 703 $gallery = videoDB::find_gallery($video->galleryid); 704 $video_input = $gallery->abspath . '/' . $video->filename; 705 $new_target_filename = $video->alttext . '.png'; 706 $new_target_file = $gallery->abspath . '/thumbs/thumbs_' . $new_target_filename; 707 708 if($video->video_type == $cool_video_gallery->video_type_media){ 709 $command = $options['cvg_ffmpegpath'] . " -i '$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s ".$thumb_width ."x".$thumb_height." '$new_target_file'"; 710 }else { 711 $command = $options['cvg_ffmpegpath'] . " -i '$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s " .$thumb_width ."x".$thumb_height." '$new_target_file'"; 712 } 713 714 exec ( $command );
Export: JSON TEXT XML
Exploit Code:
  1. See attached screen shots.
Screen Shots: [cool1.png][cool2.png]
Notes: