what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Responsive Image Gallery 1.1.8 SQL Injection

WordPress Responsive Image Gallery 1.1.8 SQL Injection
Posted Sep 21, 2017
Authored by Manuel Garcia Cardenas

WordPress Responsive Image Gallery plugin version 1.1.8 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2017-14125
SHA-256 | 5d6d5bc59c4b6c46cabe5218a99c3da34389ba51b7860a91a33705fcbb5eda0b

WordPress Responsive Image Gallery 1.1.8 SQL Injection

Change Mirror Download
=============================================
MGC ALERT 2017-006
- Original release date: September 01, 2017
- Last revised: September 25, 2017
- Discovered by: Manuel GarcAa CA!rdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2017-14125
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Responsive Image Gallery 1.1.8 - SQL Injection

II. BACKGROUND
-------------------------
Gallery is very important tool for any website. The most of users have
Galleries on their website. Our Gallery plugin allow you to display your
Galleries with awesome views and animation effects, so you need to try our
plugin.

III. DESCRIPTION
-------------------------
This bug was found using the portal in the files:

/gallery-album/includes/frontend/gallery_class.php
$theme = $wpdb->get_row( "SELECT * FROM
".wpdevart_gallery_databese::$table_names['theme']." WHERE `id` =
$theme_id" );
/gallery-album/includes/admin/gallery_theme.php
$theme_params = $wpdb->get_row('SELECT * FROM
'.wpdevart_gallery_databese::$table_names['theme'].' WHERE id='.$id);

And when the query is executed, the parameter "id" it is not sanitized.

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

It is possible to inject SQL code.

IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from SQL Injection.

Union SQL Injection POC:

/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=-1+UNION+ALL+SELECT+NULL,@@VERSION,NULL,NULL--

Blind SQL Injection POC:

/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=1+and+1=0

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Responsive Image Gallery 1.1.8

VII. SOLUTION
-------------------------
Vendor release a new version 1.2.1
https://downloads.wordpress.org/plugin/gallery-album.1.2.1.zip

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/gallery-album/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
September 01, 2017 1: Initial release
September 25, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
September 01, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
September 01, 2017 2: Send to vendor
September 22, 2017 3: Vendor fix the vulnerability and release a new version
September 25, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close