Support » Plugin: WP Photo Album Plus » WP Photo Album Plus

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Could you please explain the cue of the problem?

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Adding the line $id=substr($id,3); will definitely give you the wrong results when the album requested is not 0 …

    I also would like to know why you think the code is vulnerable as you say in the patch file.

    It’s a DoS (Denial of Service) attack. I made a video to show you what is happening on the server. I’m waiting for it to convert, then will post it to YouTube. If an attacker executes this command

    wget "http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1"

    X times, the MySQL server will sit there and grind out the benchmark command, causing high CPU load and eating up the resources on the web server, making everyone else’s web experience less pleasurable, possibly blocking the page from loading for other people or causing the other pages to not load for other people.

    That patch is totally bunk. Sorry.

    http://www.youtube.com/watch?v=8Td3YjC618Q – this video will show you what is happening.

    This is where the SQL is being injected. Oops, sorry.

    function wppa_get_album_title_linktype($alb) {
        global $wpdb;
        // $alb is concatenated into the query string as received
        if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
        else $result = '';
        echo $result;
        return $result;
    }

    This change prevents the injection

    function wppa_get_album_title_linktype($alb) {
        global $wpdb;
        // Cast to integer so only a number can reach the query
        $alb = intval($alb);
        if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
        else $result = '';
        echo $result;
        return $result;
    }

    Using prepare there would be a better patch:

    if ( $alb ) $result = $wpdb->get_var( $wpdb->prepare( "SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = %s LIMIT 1", $alb ) );

    Thanks 🙂

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Fixed in 4.2.0

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    And retrofitted in 4.1.1 in the tags dir.
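
For the detection side of the request shown in this thread, here is an added example (not code from the thread or from the plugin) that scans access-log lines for `wppa-album`, `wppa-cover` and `wppa-occur` values that are not plain integers and counts delay-function attempts per client. The combined log format, the integer-only rule for those arguments, and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: Apache/nginx "combined" access log format.
REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.*) HTTP/[\d.]+" ')
# Assumption: these WPPA query arguments only ever carry plain integers.
INT_PARAMS = ("wppa-album", "wppa-cover", "wppa-occur")
# MySQL functions that make a single query burn CPU or wall-clock time.
DELAY_FUNC = re.compile(r"\b(?:benchmark|sleep)\s*\(", re.IGNORECASE)

# Constructed sample lines; client addresses are documentation ranges.
_LINE = ('{ip} - - [01/Jan/2012:10:00:0{n} +0000] "GET /wordpress/?page_id=7'
         '&wppa-album={alb}&wppa-cover=0&wppa-occur=1 HTTP/1.1" 200 5120 "-" "-"')
_INJECTED = "1%20AND%201=IF(2%3E1,BENCHMARK(5,MD5(1)),0)"
SAMPLE_LOG = [
    _LINE.format(ip="192.0.2.10", n=0, alb="1"),
    _LINE.format(ip="198.51.100.7", n=1, alb=_INJECTED),
    _LINE.format(ip="198.51.100.7", n=2, alb=_INJECTED),
    _LINE.format(ip="192.0.2.10", n=3, alb="abc"),
]


def suspicious_requests(lines):
    """Yield (client_ip, param, decoded_value, reason) for each bad value."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        query = parse_qs(urlsplit(m["target"]).query)
        for param in INT_PARAMS:
            for value in query.get(param, []):
                if value.isascii() and value.isdigit():
                    continue  # a plain integer, as the intval() fix expects
                reason = "delay-function" if DELAY_FUNC.search(value) else "non-integer"
                yield m["ip"], param, value, reason


def delay_attempts_per_client(lines):
    """Count delay-function hits per client; repeats are the DoS pattern."""
    return Counter(ip for ip, _, _, reason in suspicious_requests(lines)
                   if reason == "delay-function")


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
    print(delay_attempts_per_client(SAMPLE_LOG))
```

Values are URL-decoded before matching, so the encoded and unencoded forms of the same request are flagged alike.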
