Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLarry W. CashdollarPACKETSTORM:134626
HistoryDec 03, 2015 - 12:00 a.m.

WordPress Cool Video Gallery 1.9 Command Injection

2015-12-0300:00:00
Larry W. Cashdollar
packetstormsecurity.com
20

0.054 Low

EPSS

Percentile

93.2%

JSON
`  
Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-11-29  
Download Site: https://wordpress.org/plugins/cool-video-gallery/  
Vendor: https://profiles.wordpress.org/praveen-rajan/  
Vendor Notified: 2015-11-30  
Vendor Contact:   
https://wordpress.org/support/topic/command-injection-vulnerability-in-v19?r  
eplies=1#post-7721994  
Description: Cool Video Gallery is a Video Gallery plugin for WordPress with  
option to upload videos, attach media files, add Youtube videos and manage  
them in multiple galleries. Automatic preview image generation for uploaded  
videos using FFMPEG library available. Option provided to upload images for  
video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video  
files presently.  
Vulnerability:  
If any of the arguments being passed to $command are sourced from user  
input, we can inject commands to be passed to the shell via exec() on line  
714.  
  
In cool-video-gallery/lib/core.php lines 703-714:  
  
703 $gallery = videoDB::find_gallery($video->galleryid);  
704 $video_input = $gallery->abspath . '/' .  
$video->filename;  
705 $new_target_filename = $video->alttext . '.png';  
706 $new_target_file = $gallery->abspath .  
'/thumbs/thumbs_' . $new_target_filename;  
707   
708 if($video->video_type ==  
$cool_video_gallery->video_type_media){  
709 $command = $options['cvg_ffmpegpath'] . " -i  
'$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s  
".$thumb_width ."x".$thumb_height." '$new_target_file'";  
710 }else {  
711 $command = $options['cvg_ffmpegpath'] . " -i  
'$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s "  
.$thumb_width ."x".$thumb_height." '$new_target_file'";  
712 }  
713   
714 exec ( $command );  
CVEID: 2015-7527  
Exploit Code:  
Screen shots are located at below URL.  
  
[[ Packet StormEditor Note: In "Width of preview image:" put 100;id>/tmp/p and then you should see the output in /tmp/p ]]  
  
Advisory: http://www.vapidlabs.com/advisory.php?v=158  
  
  
`

Related

cvelist 1
cve 1
prion 1
wpvulndb 1
patchstack 1
nvd 1
zdt 1
cvelist
cvelist
CVE-2015-7527
2015-12-17 19:00:00
cve
cve
CVE-2015-7527
2015-12-17 19:59:04
prion
prion
Input validation
2015-12-17 19:59:00
wpvulndb
wpvulndb
Cool Video Gallery <= 1.9 - Authenticated Comm& Injection
2015-12-02 00:00:00
patchstack
patchstack
WordPress Cool Video Gallery Plugin <= 1.9 - Command Injection
2015-09-29 00:00:00
nvd
nvd
CVE-2015-7527
2015-12-17 19:59:04
zdt
zdt
WordPress Cool Video Gallery 1.9 Command Injection Vulnerability
2015-12-04 00:00:00

0.054 Low

EPSS

Percentile

93.2%

JSON
Related for PACKETSTORM:134626
cvelist1cve1prion1wpvulndb1patchstack1nvd1zdt1