Is this input safe enough?
Is it sanitized?
Do we follow any framework-specific rules and best practices?
nextgen_gallery_display/package.module.nextgen_gallery_display.php

From the source code, we notice that the $container_ids string is built from tag input and that its values are not properly sanitized. They are safe from SQL injection, but nothing prevents arbitrary format string directives from being inserted, which can cause issues with the WordPress database abstraction’s prepare() method.

### $wpdb->prepare and sprintf

From the prepare method’s code, we notice that only a few changes are performed on the original SQL code: when %s is found, it is replaced with ‘%s’. We also see that, after these changes are performed, the query is passed to the vsprintf function, which means any valid format string directives we may have injected will be processed.

From PHP’s sprintf documentation, we know that argument swapping is supported, and when improperly sanitized input is added to the format string, this can lead to issues like the following. A malicious user injects the following input into the format string/query:

[any_text1]%1$%s[any_text2]

Which will make the query look like this:

[querycode1][any_text1]%1$%s[any_text2][querycode2]

When passed to the prepare method, it will be changed to:

[querycode1][any_text1]%1$'%s'[any_text2][querycode2]

(i.e. %s becomes ‘%s’). Then, after the resulting format string is passed through the vsprintf function, the resulting SQL query will have the following form:

[querycode1][any_text1][first_argument]'[any_text2][querycode2]

This means an extra ‘ remains. It breaks the string’s single-quote sequence and makes the raw [any_text2] input part of the SQL query itself.

### Exploit Scenarios

From the plugin’s source code, we found two places where this function would create the $container_ids string (necessary to get the exploit working):

- When using the tag gallery shortcode, which requires a privileged authenticated user to perform the attack.
- When accessing tags from a NextGEN Basic TagCloud gallery, which malicious visitors can do by modifying the gallery’s URL a bit (given such a gallery exists on the site).

http://target.url/2017/01/17/new-one/nggallery/tags/test%251%24%25s))%20or%201=2%23

## In Conclusion

This is quite a critical issue. If you’re using a vulnerable version of this plugin, update as soon as possible! If you cannot update, we strongly recommend leveraging the Sucuri Firewall (or equivalent technology) to have the vulnerability patched virtually.
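The quote-then-vsprintf sequence described in the $wpdb->prepare section above, placed beside the way a plugin should build such an IN clause, as an added example that is not NextGEN Gallery’s or WordPress’s own code. `toy_prepare()` is a stand-in that reproduces only the two steps the post discusses (rewriting `%s` to `'%s'`, then calling `vsprintf`); the real method also escapes each argument. The function names, the `$tag` value and the tag list are constructed for the example, and `wp_terms` is used simply as a realistic table name.

```php
<?php
// Added example (not NextGEN Gallery or WordPress code). toy_prepare() stands in
// for the two steps the post describes: prepare() rewriting %s to '%s', then
// vsprintf() expanding the format string. Real $wpdb->prepare() also escapes
// each argument; that is left out because it is not the step that goes wrong.

function toy_prepare(string $query, array $args): string
{
    // Mirror the post's observation: every %s ends up wrapped in single quotes.
    $query = str_replace("'%s'", '%s', $query);
    $query = str_replace('%s', "'%s'", $query);
    // Any directive that arrived inside $query is interpreted right here.
    return vsprintf($query, $args);
}

// Vulnerable pattern: the tag value is concatenated into the FORMAT STRING
// itself. $tag is a hypothetical request parameter.
function vulnerable_tag_query(string $tag): string
{
    $container_ids = "'" . $tag . "'";
    return toy_prepare(
        "SELECT * FROM wp_terms WHERE name IN ($container_ids) AND term_id > %s",
        [0]
    );
}

// Hardened pattern: untrusted values only ever enter the argument list, with
// one placeholder generated per value, so the format string is entirely ours.
function hardened_tag_query(array $tags): string
{
    $tags = array_values(array_filter(array_map('strval', $tags), 'strlen'));
    if ($tags === []) {
        return 'SELECT * FROM wp_terms WHERE 1=0'; // no tags given: match nothing
    }
    $placeholders = implode(',', array_fill(0, count($tags), '%s'));
    return toy_prepare(
        "SELECT * FROM wp_terms WHERE name IN ($placeholders)",
        $tags
    );
}

// Constructed value in the [any_text1]%1$%s[any_text2] shape from the post.
$tag = 'abc%1$%sdef';

echo vulnerable_tag_query($tag), "\n";
echo hardened_tag_query([$tag, 'nature']), "\n";
```

Running it shows the two outcomes side by side. In the vulnerable query the `'%s'` rewrite turns `%1$%s` into `%1$'%s'`, which `vsprintf` reads as an argument-swapping directive padded with `%`; the first argument is emitted and the trailing quote is left dangling, exactly the `[first_argument]'[any_text2]` shape the post describes. In the hardened query the same text is an argument, and `vsprintf` never re-interprets arguments, so it survives as a plain quoted literal. The defensive rule is the one the example embodies: never concatenate request data into the string handed to prepare(); generate the placeholders yourself and pass the values separately.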