Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-11-29 Download Site: https://wordpress.org/plugins/cool-video-gallery/ Vendor: https://profiles.wordpress.org/praveen-rajan/ Vendor Notified: 2015-11-30 Vendor Contact: https://wordpress.org/support/topic/command-injection-vulnerability-in-v19?r eplies=1#post-7721994 Description: Cool Video Gallery is a Video Gallery plugin for WordPress with option to upload videos, attach media files, add Youtube videos and manage them in multiple galleries. Automatic preview image generation for uploaded videos using FFMPEG library available. Option provided to upload images for video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video files presently. Vulnerability: If any of the arguments being passed to $command are sourced from user input, we can inject commands to be passed to the shell via exec() on line 714. In cool-video-gallery/lib/core.php lines 703-714: 703 $gallery = videoDB::find_gallery($video->galleryid); 704 $video_input = $gallery->abspath . '/' . $video->filename; 705 $new_target_filename = $video->alttext . '.png'; 706 $new_target_file = $gallery->abspath . '/thumbs/thumbs_' . $new_target_filename; 707 708 if($video->video_type == $cool_video_gallery->video_type_media){ 709 $command = $options['cvg_ffmpegpath'] . " -i '$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s ".$thumb_width ."x".$thumb_height." '$new_target_file'"; 710 }else { 711 $command = $options['cvg_ffmpegpath'] . " -i '$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s " .$thumb_width ."x".$thumb_height." '$new_target_file'"; 712 } 713 714 exec ( $command ); CVEID: 2015-7527 Exploit Code: Screen shots are located at below URL. [[ Packet StormEditor Note: In "Width of preview image:" put 100;id>/tmp/p and then you should see the output in /tmp/p ]] Advisory: http://www.vapidlabs.com/advisory.php?v=158