Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Advisories/photo-gallery.1.3.50-SQL
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
22 lines (16 sloc)
1.05 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # wordpress plugin photo-gallery.1.3.50 SQL Injection vulnerability | |
| ## Description: | |
| Gallery is a fully responsive WordPress gallery plugin with advanced functionality. | |
| Create 100% responsive FREE WordPress photo gallery in minutes. Easy to customize and various views. | |
| There is a SQL injection vulnerability due to insufficient checking about input data. | |
| ## Details | |
| Details will be published after the release of vendor. | |
| ## Credit | |
| ADLab of VenusTech | |
| ## Details(Public) | |
| The vendor released a update to fix this issue. Here is the details: | |
| /photo-gallery/photo-gallery.php,line 141 will call function bwg_edit_tag. | |
| bwg_edit_tag() is located in photo-gallery/photo-gallery.php, there is a function named edit_tag(). | |
| edit_tag() is located in photo-gallery/admin/controllers/BWGControllerTags_bwg.php, $_REQUEST[‘tag_id’] is passed to build a SQL directly, | |
| so this will cause a int-type sql-injection vulnerability. | |
| Additional: function bwg_edit_tag() has a checking about user permission, so administrator permission is required to trigger this vulnerability. |