# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in Unite Gallery Lite Wordpress Plugin v1.4.6 # Submitter: Nitin Venkatesh # Product: Unite Gallery Lite Wordpress Plugin # Product URL: http://ift.tt/1Buiw9G # Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')[CWE-89] # Affected Versions: v1.4.6 and possibly below. # Tested versions: v1.4.6 # Fixed Version: v1.5 # Link to code diff: http://ift.tt/1IkhgCG # Changelog: http://ift.tt/1gaS3ok # CVE Status: New & Unassigned ## Product Information: The Unite Gallery is all in one image and video gallery for WordPress. ## Vulnerability Description: The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible to CSRF. Additionally, the following parameters were found to be susceptible to SQLi - Form submitted to /wp-admin/admin-ajax.php: - data[galleryID] Form submitted to /wp-admin/admin.php: - galleryid - id ## Proof of Concept:
CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6
CSRF - Create Gallery
CSRF + SQLi - Update Gallery
CSRF - Add Items
CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)
CSRF + SQLi - Action buttons
## Solution: Upgrade to v1.5 or higher ## Disclosure Timeline: 2015-06-06 - Discovered. Reported to developer. 2015-06-10 - Updated version released. 2015-07-25 - Publishing disclosure on FD mailing list ## Disclaimer: This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment