Tuesday 28 February 2017
0 comments
18:34:00

SQL Injection Vulnerability Found in Wordpress Plugin

SQL Injection Vulnerability Found in Wordpress Plugin

SQL Injection Vulnerability Found in Wordpress Plugin


New SQL vulnerability found by Sucuria security researchers in NextGen Gallery of Wordpress plugin. Security researchers was working on multiple open source projects for security issues and discover new Vulnerability.

There are two different scenarios.
1.If you are using a NextGen Basic TagCloud Gallery on your site.
2.If you are allowing users to submit posts to be reviewed.

According to SUCURIA the Vulnerability Work follows

Malicious user injects the following input into the format string/query:
[any_text1]%1$%s[any_text2]

Which will make the query look like this:
[querycode1][any_text1]%1$%s[any_text2][querycode2]

When passed to the prepare method, it will be changed to:
[querycode1][any_text1]%1$'%s'[any_text2][querycode2]

(e.g. %s will become ‘%s’)

And then, after the resulting format string passed through the vsprintf function, the resulting SQL query will have the following form:

[querycode1][any_text1][first_argument]'[any_text2][querycode2]

This means we will have an extra  ‘ remaining. This breaks our string’s single-quote sequence and makes our raw [any_text2] input part of the SQL query itself.

The final attack payloads (using the TagCloud method) would look like the following:

http://target.url/2017/01/17/new-one/nggallery/tags/test%251%24%25s))%20or%201=1%23

or

http://target.url/2017/01/17/new-one/nggallery/tags/test%251%24%25s))%20or%201=2%23

What to do?


  • NextGen gallery patch version have updated to 2.1.79.
  • Immidiately update the plugin.

0 comments:

Post a Comment

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top