WP Photo Album Plus
[resolved] WP Photo Album Plus (12 posts)

  1. skrapsrwt
    Member
    Posted 2 years ago #

    There's also a patch included to fix it. It's not a huge problem, mostly just a pain for system admins without MySQL kill scripts in place on the server.

    http://packetstormsecurity.org/files/view/105822/wp-photo-album-plus-sqlinjection-4.1.1-poc-and-patch.txt

    http://wordpress.org/extend/plugins/wp-photo-album-plus/

  2. Jacob N. Breetvelt
    Member
    Plugin Author

    Posted 2 years ago #

    Could you please explain the cause of the problem?

  3. Jacob N. Breetvelt
    Member
    Plugin Author

    Posted 2 years ago #

    Adding the line $id=substr($id,3); will definitely give you the wrong results when the album requested is not 0 ...

    I also would like to know why you think the code is vulnerable as you say in the patch file.

  4. skrapsrwt
    Member
    Posted 2 years ago #

    It's a DoS (Denial of Service) attack. I made a video to show you what is happening on the server. I'm waiting for it to convert, then I will post it to YouTube. If an attacker executes this command

    wget "http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1"

    X times, the MySQL server will sit there and grind out the benchmark command, causing high CPU load and eating up the resources on the web server, making everyone else's web experience less pleasurable, possibly blocking the page from loading for other people or causing other pages to not load for them.

  5. skrapsrwt
    Member
    Posted 2 years ago #

    That patch is totally bunk. Sorry.

  6. skrapsrwt
    Member
    Posted 2 years ago #

    http://www.youtube.com/watch?v=8Td3YjC618Q - this video will show you what is happening.

  7. skrapsrwt
    Member
    Posted 2 years ago #

    This is where the SQL is being injected. Oops, sorry.

    function wppa_get_album_title_linktype($alb) {
    global $wpdb;
            // $alb is concatenated straight into the query, so attacker-supplied SQL reaches MySQL
            if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
            else $result = '';
    echo $result;
            return $result;
    }
  8. skrapsrwt
    Member
    Posted 2 years ago #

    This change prevents the injection:

    function wppa_get_album_title_linktype($alb) {
    global $wpdb;
            $alb=intval($alb);
            if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
            else $result = '';
    echo $result;
            return $result;
    }
  9. Samuel Wood (Otto)
    Tech Ninja
    Posted 2 years ago #

    Using prepare there would be a better patch:

    if ( $alb ) $result = $wpdb->get_var( $wpdb->prepare( "SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = %s LIMIT 1", $alb ) );
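The three versions of wppa_get_album_title_linktype from posts 7, 8 and 9, modelled side by side in Python against an in-memory SQLite table. This is an added example, not the plugin's code: the table rows, the "0 OR id=2" input and the php_intval helper are constructed stand-ins for WPPA_ALBUMS, an attacker-controlled wppa-album parameter and PHP's intval().

```python
import re
import sqlite3

# Constructed stand-in for the WPPA_ALBUMS table: (id, cover_linktype).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE wppa_albums (id INTEGER PRIMARY KEY, cover_linktype TEXT)")
DB.executemany("INSERT INTO wppa_albums VALUES (?, ?)", [(1, "file"), (2, "album")])


def linktype_concat(alb):
    """Post 7: $alb is pasted into the SQL text, so any SQL it carries is executed."""
    if not alb:
        return ""
    sql = "SELECT cover_linktype FROM wppa_albums WHERE id = " + str(alb) + " LIMIT 1"
    row = DB.execute(sql).fetchone()
    return row[0] if row else ""


def php_intval(value):
    """Mimic PHP intval() on a string: leading integer prefix, otherwise 0 (constructed helper)."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def linktype_intval(alb):
    """Post 8: coerce to an integer first, so only digits ever reach the query."""
    alb = php_intval(alb)
    if not alb:
        return ""
    sql = "SELECT cover_linktype FROM wppa_albums WHERE id = " + str(alb) + " LIMIT 1"
    row = DB.execute(sql).fetchone()
    return row[0] if row else ""


def linktype_prepared(alb):
    """Post 9 ($wpdb->prepare): bind $alb as a value; the engine never parses it as SQL."""
    if not alb:
        return ""
    sql = "SELECT cover_linktype FROM wppa_albums WHERE id = ? LIMIT 1"
    row = DB.execute(sql, (alb,)).fetchone()
    return row[0] if row else ""


if __name__ == "__main__":
    for fn in (linktype_concat, linktype_intval, linktype_prepared):
        # A legitimate album id, then a constructed injection that steers the WHERE clause.
        print(fn.__name__, repr(fn("1")), repr(fn("0 OR id=2")))
```

With the concatenating version the injected expression selects album 2; intval reduces the same input to 0 and prepare binds it as a string that matches no row.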
  10. skrapsrwt
    Member
    Posted 2 years ago #

    Thanks :)

  11. Jacob N. Breetvelt
    Member
    Plugin Author

    Posted 2 years ago #

    Fixed in 4.2.0

  12. Jacob N. Breetvelt
    Member
    Plugin Author

    Posted 2 years ago #

    And retrofitted in 4.1.1 in the tags dir.

Topic Closed

This topic has been closed to new replies.
