Support » Plugin: Cool Video Gallery » Command Injection vulnerability in v1.9

  • Resolved larry0

    (@larry0)


    Title: Command Injection in cool-video-gallery v1.9 WordPress plugin
    Author: Larry W. Cashdollar, @_larry0
    Date: 2015-11-29
    Download Site: https://wordpress.org/plugins/cool-video-gallery/
    Vendor: https://profiles.wordpress.org/praveen-rajan/
    Advisory: http://www.vapidlabs.com/advisory.php?v=158
    Description: Cool Video Gallery is a Video Gallery plugin for WordPress with option to upload videos, attach media files, add Youtube videos and manage them in multiple galleries. Automatic preview image generation for uploaded videos using FFMPEG library available. Option provided to upload images for video previews. Supports ‘.flv’, ‘.mp4’, ‘.mov’, ‘.m4v’ and ‘.mp3’ video files presently.
    Vulnerability:
    If any of the arguments being passed to $command are sourced from user input,
    I believe we can inject commands to be passed to the shell via exec() on line
    714.

    In cool-video-gallery/lib/core.php lines 703-714:

    703 $gallery = videoDB::find_gallery($video->galleryid);
    704 $video_input = $gallery->abspath . ‘/’ . $video->filename;
    705 $new_target_filename = $video->alttext . ‘.png’;
    706 $new_target_file = $gallery->abspath . ‘/thumbs/thumbs_’ . $new_target_filename;
    707
    708 if($video->video_type == $cool_video_gallery->video_type_media){
    709 $command = $options[‘cvg_ffmpegpath’] . ” -i ‘$video->filename’ -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s “.$thumb_width .”x”.$thumb_height.” ‘$new_target_file'”;
    710 }else {
    711 $command = $options[‘cvg_ffmpegpath’] . ” -i ‘$video_input’ -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s ” .$thumb_width .”x”.$thumb_height.” ‘$new_target_file'”;
    712 }
    713
    714 exec ( $command );

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘Command Injection vulnerability in v1.9’ is closed to new replies.