Title: SQL Injection in easy2map wordpress plugin v1.24 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2015-06-08 |
[CVE-2015-4614][CVE-2015-4616] |
Download Site: https://wordpress.org/plugins/easy2map |
Vendor: |
Vendor Notified: 2015-06-08 |
Vendor Contact: https://profiles.wordpress.org/stevenellis/ |
Advisory: http://www.vapid.dhs.org/advisory.php?v=131 |
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity. |
Vulnerability: The following lines in Functions.php build SQL with sprintf() and hand the finished string to $wpdb->query(). sprintf() does no escaping and does not parameterize anything, so user-controlled values (the map name, the map ID, the XML/CSS/HTML settings) are concatenated straight into the query text. The queries should be built with $wpdb->prepare() so the values are bound as parameters rather than interpolated. Note also that the WHERE ID = %s clauses at lines 143 and 236 interpolate the ID without surrounding quotes, so no quote character is needed to alter those statements.
62 $wpdb->query(sprintf("UPDATE $mapsTable
63 SET PolyLines = '%s'
64 WHERE ID = '%s';", $PolyLines, $mapID));
.
.
.
132 $wpdb->query(sprintf("
133 UPDATE $mapsTable
134 SET TemplateID = '%s',
135 MapName = '%s',
136 Settings = '%s',
137 LastInvoked = CURRENT_TIMESTAMP,
138 CSSValues = '%s',
139 CSSValuesList = '%s',
140 CSSValuesHeading = '%s',
141 MapHTML = '%s',
142 IsActive = 1
143 WHERE ID = %s;",
144 $Items['mapTemplateName'],
145 $Items['mapName'],
146 urldecode($Items['mapSettingsXML']),
147 urldecode($Items["mapCSSXML"]),
148 urldecode($Items["listCSSXML"]),
149 urldecode($Items["headingCSSXML"]),
150 urldecode($Items["mapHTML"]), $mapID));
151 } else {
152
153 //this is a map insert
154 if (!$wpdb->query(sprintf("
155 INSERT INTO $mapsTable(
156 TemplateID,
157 MapName,
158 DefaultPinImage,
159 Settings,
160 LastInvoked,
161 PolyLines,
162 CSSValues,
163 CSSValuesList,
164 CSSValuesHeading,
165 MapHTML,
166 IsActive
167 ) VALUES ('%s', '%s', '%s', '%s',
168 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0);",
169 $Items['mapTemplateName'],
170 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
171 urldecode($Items['mapSettingsXML']), '',
172 urldecode($Items["mapCSSXML"]),
173 urldecode($Items["listCSSXML"]),
174 urldecode($Items["headingCSSXML"]),
175 urldecode($Items["mapHTML"])))) {
176 die("Error!");
177 }
.
.
231 $wpdb->query(sprintf("
232 UPDATE $mapsTable
233 SET MapName = '%s',
234 LastInvoked = CURRENT_TIMESTAMP,
235 IsActive = 1
236 WHERE ID = %s;", $mapName, $mapID));
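The following is an added example, not code from the plugin or from this advisory: a small Python/sqlite3 model of the UPDATE at lines 231-236, with the sprintf()-style query beside its parameterized equivalent (the role $wpdb->prepare() plays in WordPress). The table schema and rows are constructed for illustration and are an assumption, not the plugin's real schema. It shows two things the prose above states: an unquoted %s for the ID lets "1 OR 1=1" turn a one-row update into a table-wide one, and even a harmless apostrophe in the map name breaks the formatted query while the bound one is unaffected.

```python
import sqlite3


def fresh_db():
    """Constructed in-memory stand-in for the easy2map maps table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE maps (ID INTEGER PRIMARY KEY, MapName TEXT, IsActive INTEGER)"
    )
    conn.executemany(
        "INSERT INTO maps VALUES (?, ?, ?)",
        [(1, "office", 1), (2, "warehouse", 1), (3, "depot", 0)],
    )
    conn.commit()
    return conn


def update_map_unsafe(conn, map_name, map_id):
    """Mirrors the sprintf() pattern at Functions.php lines 231-236.

    Both values are pasted into the SQL text before the database sees it:
    MapName inside single quotes, ID with no quoting at all.
    """
    sql = "UPDATE maps SET MapName = '%s', IsActive = 1 WHERE ID = %s;" % (
        map_name,
        map_id,
    )
    conn.execute(sql)
    conn.commit()


def update_map_safe(conn, map_name, map_id):
    """Parameterized equivalent (what $wpdb->prepare() provides in WordPress).

    The SQL text is fixed; the driver sends the values separately, so input
    can never change the shape of the statement.
    """
    conn.execute(
        "UPDATE maps SET MapName = ?, IsActive = 1 WHERE ID = ?",
        (map_name, map_id),
    )
    conn.commit()


def snapshot(conn):
    return conn.execute(
        "SELECT ID, MapName, IsActive FROM maps ORDER BY ID"
    ).fetchall()


def demo_id_injection():
    """mapID = '1 OR 1=1': the unquoted %s rewrites every row; the bound query touches none.

    With a bound parameter, SQLite compares the INTEGER column against the
    text '1 OR 1=1' as a value, which matches no row.
    """
    unsafe = fresh_db()
    update_map_unsafe(unsafe, "renamed", "1 OR 1=1")
    safe = fresh_db()
    update_map_safe(safe, "renamed", "1 OR 1=1")
    return snapshot(unsafe), snapshot(safe)


def demo_quote_breaks_query():
    """A benign apostrophe makes the formatted query a syntax error; the bound one stores it."""
    unsafe = fresh_db()
    try:
        update_map_unsafe(unsafe, "O'Hara's map", 1)
        broke = False
    except sqlite3.OperationalError:
        broke = True
    safe = fresh_db()
    update_map_safe(safe, "O'Hara's map", 1)
    return broke, snapshot(safe)[0]


if __name__ == "__main__":
    print(demo_id_injection())
    print(demo_quote_breaks_query())
```

In the plugin itself the fix is the same shape: pass the format string and the values to $wpdb->prepare() (using %d for the numeric ID) and hand its result to $wpdb->query(), instead of calling sprintf().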
Path Traversal in Functions.php
221 $imagesDirectory = WP_CONTENT_DIR . "/uploads/";
if (!is_dir($imagesDirectory)) {
mkdir($imagesDirectory);
}
$imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/";
if (!is_dir($imagesDirectory)) {
mkdir($imagesDirectory);
}
$imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/";
if (!is_dir($imagesDirectory)) {
mkdir($imagesDirectory);
}
$imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/";
if (!is_dir($imagesDirectory)) {
mkdir($imagesDirectory);
254 }
CVE-2015-4614 for SQL injection
CVE-2015-4616 for Path traversal |
Exploit Code: |
Screen Shots: |
Notes: |