header-logo
Suggest Exploit
vendor:
GRAND Flash Album Gallery WordPress Plugin
by:
High-Tech Bridge SA - Ethical Hacking & Penetration Testing
5.5
CVSS
MEDIUM
SQL Injection and File Content Disclosure
89 (SQL Injection) and 200 (File Content Disclosure)
CWE
Product Name: GRAND Flash Album Gallery WordPress Plugin
Affected Version From: 0.55
Affected Version To: 0.55
Patch Exists: YES
Related CWE: N/A
CPE: a:codeasily:grand_flash_album_gallery_wordpress_plugin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

SQL Injection and File Content Disclosure in GRAND Flash Album Gallery WordPress Plugin

The vulnerability exists due to failure in the "/wp-content/plugins/flash-album-gallery/lib/hitcounter.php" script to properly sanitize user-supplied input in "pid" variable. Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database. The vulnerability also exists due to failure in the "/wp-content/plugins/flash-album-gallery/admin/news.php" script to properly sanitize user-supplied input in "want2Read" variable. Successful exploitation of this vulnerability allows remote attacker to obtain content of arbitrary file accessible within the context of vulnerable application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should also be configured to prevent access to sensitive files.
Source

Exploit-DB raw data:

Vulnerability ID: HTB22870
Reference: http://www.htbridge.ch/advisory/sql_injection_in_grand_flash_album_galle
ry_wordpress_plugin.html
Product: GRAND Flash Album Gallery wordpress plugin
Vendor: Sergey Pasyuk ( http://codeasily.com/ ) 
Vulnerable Version: 0.55
Vendor Notification: 22 February 2011 
Vulnerability Type: SQL Injection
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "/wp-content/plugins/flash-album-gallery/lib/hitcounter.php" script to properly sanitize user-supplied input in "pid" variable.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.

The following PoC is available:

http://[host]/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?
pid=SQL_CODE_HERE

Vulnerability ID: HTB22871
Reference: http://www.htbridge.ch/advisory/file_content_disclosure_in_grand_flash_a
lbum_gallery_wordpress_plugin.html
Product: GRAND Flash Album Gallery wordpress plugin
Vendor: Sergey Pasyuk ( http://codeasily.com/ ) 
Vulnerable Version: 0.55
Vendor Notification: 22 February 2011 
Vulnerability Type: File Content Disclosure
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists due to failure in the "/wp-content/plugins/flash-album-gallery/admin/news.php" script to properly sanitize user-supplied input in "want2Read" variable.
Successful exploitation of this vulnerability allows remote attacker to obtain content of arbitrary file accessible within the context of vulnerable application.

The following PoC is available:

<form action="http://[host]/wp-content/plugins/flash-album-gallery/admin/news.
php" method="post" name="main" >
<input type="hidden" name="want2Read" value="../../../../wp-config.php" />
<input type="submit" value="submit" name="submit" />
</form>

Navigation

Suggest Exploit

Services By CQR