Multiple Vulnerabilities in GRAND Flash Album Gallery

ID HTB22870
Type htbridge
Reporter High-Tech Bridge
Modified 2011-02-22T00:00:00


High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in GRAND Flash Album Gallery which could be exploited to perform SQL injection attacks and gain access to sensitive information.

1) SQL injection vulnerabilities in GRAND Flash Album Gallery
The vulnerability exists due to an input sanitization error in the "pid" parameter in wp-content/plugins/flash-album-gallery/lib/hitcounter.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
http://[host]/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?pid= SQL_CODE_HERE

2) Information disclosure vulnerability in GRAND Flash Album Gallery
The vulnerability exists due to insufficient validation of input data in the "want2Read" parameter in wp-content/plugins/flash-album-gallery/admin/news.php. A remote attacker can create a specially crafted HTTP POST request and read arbitrary files on the target system.
Exploitation example:
<form action="http://[host]/wp-content/plugins/flash-album-gallery/admin/news.php" method="post" name="main" >
<input type="hidden" name="want2Read" value="../../../../wp-config.php" />
<input type="submit" value="submit" name="submit" />
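Added example, not code from the plugin or from this advisory: one way the two handlers could be hardened, using standard WordPress APIs ($wpdb->prepare, absint, sanitize_file_name). The function names, the table name and the assumed "news" directory of .txt files are illustrative assumptions, since the plugin's real code is not shown here.

```php
<?php
// Added example (not the plugin's own code). Table name, directory layout and
// function names are assumptions; $wpdb, absint(), sanitize_file_name() and
// wp_die() are the real WordPress APIs.

// (1) hitcounter.php: "pid" must be a positive integer and may reach the
//     query only through a prepared statement, never by string concatenation.
function fag_record_hit( $raw_pid ) {
    global $wpdb;
    $pid = absint( $raw_pid );            // non-numeric or negative input becomes 0
    if ( 0 === $pid ) {
        wp_die( 'Invalid picture id', '', array( 'response' => 400 ) );
    }
    $table = $wpdb->prefix . 'flag_pictures'; // assumed table name
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$table} SET hitcounter = hitcounter + 1 WHERE pid = %d",
        $pid
    ) );
}

// (2) news.php: "want2Read" must never be treated as a path. Accept only a
//     plain file name, resolve it inside one fixed directory, and confirm the
//     canonical path is still inside that directory after ".." and symlink
//     resolution, so ../../../../wp-config.php style input is rejected.
function fag_read_news_file( $raw_name ) {
    $base = realpath( dirname( __FILE__ ) . '/news' ); // assumed news directory
    if ( false === $base ) {
        return false;
    }
    // sanitize_file_name() strips path separators and ".." sequences;
    // requiring the result to equal the input rejects anything it had to alter.
    $name = sanitize_file_name( $raw_name );
    if ( '' === $name || $name !== $raw_name
         || 'txt' !== pathinfo( $name, PATHINFO_EXTENSION ) ) {
        return false;
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false; // traversal, symlink escape, or file does not exist
    }
    return file_get_contents( $path );
}
```

The integer cast alone would already stop the SQL injection in (1); the prepared statement is kept so the query stays safe if the column type ever changes.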