Title: SQL Injection in easy2map-photos wordpress plugin v1.09 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-06-08 |
[CVE-2015-4615][CVE-2015-4617] |
Download Site: https://wordpress.org/plugins/easy2map-photos |
Vendor: |
Vendor Notified: 2015-06-08 |
Vendor Contact: https://profiles.wordpress.org/stevenellis/ |
Advisory: http://www.vapid.dhs.org/advisory.php?v=130http://www.vapid.dhs.org/advisory.php?v=130 |
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries. |
Vulnerability: The following lines in Functions.php are vulnerable to SQL injection attack because they are not parameterized or sanitizing user input.
48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));
218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));
238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName’]
331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));
,
Also
In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:
if (!file_exists($imagesDirectory)) {
mkdir($imagesDirectory);
}
CVE-2015-4615 SQL Injection
CVE-2015-4617 Path traversal |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: |