[FD] DefenseCode ThunderScan SAST Advisory: WordPress Huge-IT Video Gallery Plugin Security Vulnerability

DefenseCode ThunderScan SAST Advisory
WordPress Huge-IT Video Gallery Plugin Security Vulnerability

Advisory ID: DC-2017-01-009
Advisory Title: WordPress Huge-IT Video Gallery plugin SQL injection vulnerability
Advisory URL: http://ift.tt/2rhPqdW
Software: WordPress Huge-IT Video Gallery plugin
Language: PHP
Version: 2.0.4 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/24
Risk: High

1. General Overview
===================

During the security audit of the Huge-IT Video Gallery plugin for the WordPress CMS, a security vulnerability was discovered using the DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL: http://ift.tt/Vn2J4r

2. Software Overview
====================

According to the developers, the Gallery Video plugin was created and specifically designed to show video links in unusual, splendid gallery types supplemented by many gallery options. According to wordpress.org, it has more than 40,000 active installs.

Homepage:
http://ift.tt/1rHN019
http://ift.tt/2rhvXtL

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered a SQL injection vulnerability in the Huge-IT Video Gallery WordPress plugin.

The easiest way to reproduce the vulnerability is to visit the provided URL while logged in as an administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to.

Due to the missing nonce token, the vulnerable code is also directly exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

3.1 SQL injection

Vulnerable Function: $wpdb->get_var( $query );
Vulnerable Variable: $_POST['cat_search']
Vulnerable URL: http://ift.tt/2rQWVWf
Vulnerable Body: cat_search=DefenseCode AND (SELECT * FROM (SELECT(SLEEP(5)))DC)
File: gallery-video\includes\admin\class-gallery-video-galleries.php
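The advisory names the sink ($wpdb->get_var on a query built from $_POST['cat_search']) and the missing nonce, but not the fixed code. The following is an added example, not the plugin's own code and not the vendor's patch: it reconstructs the unsafe pattern the advisory describes next to a hardened version that adds a capability check, a nonce check and a parameterised query. The table name huge_it_videogallery_videos, the column name, the nonce action huge_it_cat_search and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the Huge-IT Video Gallery plugin.
// Table/column names and nonce action are assumed for illustration.

// Unsafe pattern described in the advisory: untrusted POST data is
// concatenated straight into SQL and no nonce is verified, so the
// handler is open to both SQL injection and CSRF.
function huge_it_cat_search_count_vulnerable() {
    global $wpdb;
    $search = $_POST['cat_search'];
    $query  = "SELECT COUNT(*) FROM {$wpdb->prefix}huge_it_videogallery_videos "
            . "WHERE name LIKE '%{$search}%'";
    return $wpdb->get_var( $query );
}

// Hardened version of the same handler.
function huge_it_cat_search_count_hardened() {
    global $wpdb;

    // 1. Only users allowed to manage the plugin may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: the request must carry a valid nonce for this action.
    //    check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'huge_it_cat_search', 'huge_it_nonce' );

    // 3. Normalise the input and parameterise the query. esc_like() escapes
    //    LIKE wildcards; prepare() quotes the value as a single string
    //    parameter so it can never alter the query structure.
    $search = isset( $_POST['cat_search'] )
        ? sanitize_text_field( wp_unslash( $_POST['cat_search'] ) )
        : '';
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $query = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}huge_it_videogallery_videos WHERE name LIKE %s",
        $like
    );
    return (int) $wpdb->get_var( $query );
}

// The settings form that submits cat_search must emit the matching nonce
// field so that check_admin_referer() above can validate it.
function huge_it_cat_search_form() {
    echo '<form method="post">';
    wp_nonce_field( 'huge_it_cat_search', 'huge_it_nonce' );
    echo '<input type="text" name="cat_search" />';
    echo '<input type="submit" value="Search" />';
    echo '</form>';
}
```

With the hardened handler, the time-based payload quoted in the advisory is passed to MySQL as a literal search string rather than as SQL, so the SLEEP() never executes, and a request forged from another site fails the nonce check before any query runs. Note that prepare() and the nonce address different weaknesses; both are needed, and the capability check on top prevents lower-privileged users from reaching the query at all.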

from Blogger http://ift.tt/2qXMDnj
