Title: Blind SQL Injection and persistent XSS in Wordpress plugin image-gallery-with-slideshow v1.5.2 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-04-01 |
CVE-ID:[CVE-2017-1002011][CVE-2017-1002012][CVE-2017-1002013][CVE-2017-1002014][CVE-2017-1002015] |
CWE: |
Download Site: https://wordpress.org/plugins/image-gallery-with-slideshow/ |
Vendor: http://www.anblik.com/ |
Vendor Notified: 2017-04-01 |
Vendor Contact: https://twitter.com/anblik |
Advisory: http://www.vapidlabs.com/advisory.php?v=189 |
Description: Image Gallery with Slideshow is a full integrated Image Gallery and Slideshow plugin for WordPress. |
Vulnerability: CVE-2017-1002011:
There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to modify or add galleries / images and inject javascript into the database.
145 <td><a class="row-title" title="Edit" href="<?php echo bloginfo('url');?>/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=<?php echo $value->gallery_id;?>"><?php echo $value->gallery_name;?></a></td>
146 <td> <?php echo $value->gallery_description;?></td>
CVE-2017-1002012:
In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement:
173 if($_REQUEST['val'] == 'view')
174 {
175 $path_value = get_combo_path_value();
176 $id = $_REQUEST['gid'];
177 global $wpdb;
178 $table_prefix = $wpdb->prefix;
179 $result = $wpdb->get_results("SELECT ig.gallery_name,ii.image_id,ii.original_name,ii.image_name,ii.gallery_id,ii.image_title,ii.link_url,ii.image_description FROM `".$table_prefix."combo_gallery` AS ig,`".$table_prefix."combo_image` AS ii WHERE ig.gallery_ id=ii.gallery_id AND ii.gallery_id =".$id);
255 if($_REQUEST['val'] == 'edit')
256 {
257 $id = $_REQUEST['gid'];
258 global $wpdb;
259 $table_prefix = $wpdb->prefix;
.
.
.
270 $edit_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_gallery` WHERE gallery_id = ".$id);
CVE-2017-1002013:
Blind SQL Injection via imgid parameter.
301 if($_REQUEST['val'] == 'imgedit')
302 {
303 $id = $_REQUEST['imgid'];
304 $gid = $_REQUEST['gid'];
305 global $wpdb;
.
.
309 if(isset($_REQUEST['edit_image_submit']))
310 {
.
.
.
318 $edit_img_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id = ".$id);
361 if($_REQUEST['gval'] == 'delete')
362 {
363 $id = $_REQUEST['gid'];
364 global $wpdb;
365 $table_prefix = $wpdb->prefix;
366 $info = $_SERVER['DOCUMENT_ROOT'];
367 $path_value = get_combo_path_value();
368 $select_img_query_result = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE gallery_id=".$id);
384 if($_REQUEST['ival'] == 'delete')
385 {
386 $path_value = get_combo_path_value();
387 $id = $_REQUEST['gid'];
388 global $wpdb;
389 $table_prefix = $wpdb->prefix;
390 $info = $_SERVER['DOCUMENT_ROOT'];
391 $select_img_query_result1 = $wpdb->get_results("SELECT * FROM `".$table_prefix."combo_image` WHERE image_id=".$id);
CVE-2017-1002014:
Blind SQL Injection via gallery_name parameter.
422 if(isset($_POST['gallery_submit']))
423 {
424 $gallery_name = $_REQUEST['gallery_name'];
425 $insert_query_result = $wpdb->insert($table_prefix.'combo_gallery', array('gallery_name' => $gallery_name,'date' => current_time('mysql')));
426
CVE-2017-1002015:
Blind SQL Injection via selectMulGallery parameter.
492 if(isset($_POST['image_submit']))
493 {
494 $gallery_id = $_POST['selectMulGallery'];
495 $update_gallery_query = "UPDATE `".$table_prefix."combo_image` SET gallery_id=".$gallery_id." WHERE gallery_id = '0'";
496 $wpdb->query($update_gallery_query);
|
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: [gallerygs.png] |
Notes: 40k downloads. |
Larry W. Cashdollar
Larry Cashdollar
Larry W. Cashdollar vulnerability
Larry Cashdollar advisory