lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-id: <D28AE324.2EF4B%larry0@me.com> Date: Mon, 07 Dec 2015 07:18:52 -0500 From: Larry Cashdollar <larry0@...com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Command Injection in cool-video-gallery v1.9 Wordpress plugin Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin Author: Larry W. Cashdollar, @_larry0 Date: 2015-11-29 Download Site: https://wordpress.org/plugins/cool-video-gallery/ Vendor: https://profiles.wordpress.org/praveen-rajan/ Vendor Notified: 2015-11-30 Vendor Contact: https://wordpress.org/support/topic/command-injection-vulnerability-in-v19? replies=1#post-7721994 Description: Cool Video Gallery is a Video Gallery plugin for WordPress with option to upload videos, attach media files, add Youtube videos and manage them in multiple galleries. Automatic preview image generation for uploaded videos using FFMPEG library available. Option provided to upload images for video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video files presently. Vulnerability: If any of the arguments being passed to $command are sourced from user input, we can inject commands to be passed to the shell via exec() on line 714. In cool-video-gallery/lib/core.php lines 703-714: 703 $gallery = videoDB::find_gallery($video->galleryid); 704 $video_input = $gallery->abspath . '/' . $video->filename; 705 $new_target_filename = $video->alttext . '.png'; 706 $new_target_file = $gallery->abspath . '/thumbs/thumbs_' . $new_target_filename; 707 708 if($video->video_type == $cool_video_gallery->video_type_media){ 709 $command = $options['cvg_ffmpegpath'] . " -i '$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s ".$thumb_width ."x".$thumb_height." '$new_target_file'"; 710 }else { 711 $command = $options['cvg_ffmpegpath'] . " -i '$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s " .$thumb_width ."x".$thumb_height." '$new_target_file'"; 712 } 713 714 exec ( $command ); CVEID: 2015-7527 Exploit Code: Screen shots are located at below URL. Advisory: http://www.vapidlabs.com/advisory.php?v=158
Powered by blists - more mailing lists