Moke|墨客
WordPress Cool Video Gallery 1.9 Command Injection Vulnerability
Posted on 2016-5-12 18:19:57
WordPress Cool Video Gallery 1.9 Command Injection Vulnerability
# This vulnerability comes from the Oriental Information Security Network 0day vulnerability database site! Please credit the source when reposting!

  Description:
  WordPress Cool Video Gallery plugin version 1.9 suffers from a remote command injection vulnerability.
  Title: Command Injection in cool-video-gallery v1.9 Wordpress plugin
  Author: Larry W. Cashdollar, @_larry0
  Download Site: https://wordpress.org/plugins/cool-video-gallery/
  Vendor: https://profiles.wordpress.org/praveen-rajan/
  Vendor Notified: 2015-11-30
  Vendor Contact: https://wordpress.org/support/topic/command-injection-vulnerability-in-v19?replies=1#post-7721994
  Description: Cool Video Gallery is a Video Gallery plugin for WordPress with
  option to upload videos, attach media files, add Youtube videos and manage
  them in multiple galleries. Automatic preview image generation for uploaded
  videos using FFMPEG library available. Option provided to upload images for
  video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video
  files presently.
  Vulnerability:
  If any of the arguments being passed to $command are sourced from user
  input, we can inject commands to be passed to the shell via exec() on line
  714.
  In cool-video-gallery/lib/core.php lines 703-714:
  703                 $gallery = videoDB::find_gallery($video->galleryid);
  704                 $video_input = $gallery->abspath . '/' . $video->filename;
  705                 $new_target_filename = $video->alttext . '.png';
  706                 $new_target_file = $gallery->abspath . '/thumbs/thumbs_' . $new_target_filename;
  707
  708                 if($video->video_type == $cool_video_gallery->video_type_media){
  709                         $command = $options['cvg_ffmpegpath'] . " -i '$video->filename' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5      -s ".$thumb_width ."x".$thumb_height." '$new_target_file'";
  710                 }else {
  711                         $command = $options['cvg_ffmpegpath'] . " -i '$video_input' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5 -s " .$thumb_width ."x".$thumb_height." '$new_target_file'";
  712                 }
  713
  714                 exec ( $command );
  CVE ID: CVE-2015-7527
  Exploit Code:
  Screen shots are located at below URL.
  [[ Packet StormEditor Note: In "Width of preview image:" put 100;id>/tmp/p and then you should see the output in /tmp/p ]]
# This exploit is from the Oistc Exploit Databases website!
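For comparison, here is a hardened way to build the same ffmpeg command as lines 709-711, added as an example (it is not the plugin's code or the advisory author's). It assumes the same inputs the plugin uses (ffmpeg path, input file, output file, width, height) and rejects the width value from the editor note above instead of passing it to the shell:

```php
<?php
// Added example, not the plugin's code: build the thumbnail command with each
// user-controlled value validated or escaped before anything reaches exec().
// Parameter names ($ffmpeg_path, $input, $output, $width, $height) are assumed.

function safe_dimension($value, int $max = 4096): ?int {
    // Only a plain integer in range is accepted. A value such as the
    // advisory's "100;id>/tmp/p" is not an integer, so it is rejected here
    // and no command is ever assembled from it.
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

function build_thumbnail_command(string $ffmpeg_path, string $input,
                                 string $output, $width, $height): ?string {
    $w = safe_dimension($width);
    $h = safe_dimension($height);
    if ($w === null || $h === null) {
        return null; // refuse to build a command from free-form text
    }
    // escapeshellarg() single-quotes each argument and escapes embedded
    // quotes, so a filename or alttext containing ' or ; stays one argument.
    return escapeshellarg($ffmpeg_path)
        . ' -i ' . escapeshellarg($input)
        . ' -vcodec mjpeg -vframes 1 -an -f rawvideo -ss 5'
        . ' -s ' . escapeshellarg($w . 'x' . $h)
        . ' ' . escapeshellarg($output);
}

// Constructed inputs: a benign width and the injected width from the note.
$in  = '/var/www/uploads/a.mp4';
$out = '/var/www/uploads/thumbs/thumbs_a.png';
$ok  = build_thumbnail_command('/usr/bin/ffmpeg', $in, $out, '100', '100');
$bad = build_thumbnail_command('/usr/bin/ffmpeg', $in, $out, '100;id>/tmp/p', '100');

echo "benign width builds a command: " . ($ok !== null ? 'yes' : 'no') . "\n";
echo "injected width is rejected:    " . ($bad === null ? 'yes' : 'no') . "\n";
```

Calling exec() on the string returned for valid input is then safe with respect to the filename, alttext and size fields; a non-shell API such as proc_open() with an argument array would avoid the shell entirely.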