That's right WordPress kiddies, two new vulnerabilities, and they're pretty nasty. Houssamix from H-T Team has released two remote SQL injection proofs of concept, one for WP-Cal and one for fGallery 2.4.1.
The vulnerability for WP-Cal exists in:
/wp-content/plugins/wp-cal/functions/editevent.php
and here's what's vulnerable:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
Why? No sanitization of $id: whatever arrives in the query string is dropped straight into the SQL, unquoted, so the tail of that WHERE clause belongs to whoever crafts the request. Since id in the DB is a numeric column, only an integer should ever reach the query (casting with intval(), or handing the value to $wpdb->prepare() with a %d placeholder, does the job). I'm no PHP expert, but I'm sure this is an easy fix. If you're not a PHP expert either, I highly recommend you disable and remove this plugin immediately.
Next up, fGallery 2.4.1. The hole exists in:
/wp-content/plugins/fgallery/fim_rss.php
and here's what's vulnerable:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs
WHERE cat = $_GET[album] AND status = 'include'");
Again, no sanitization: $_GET[album] lands unescaped in two queries, first as the id in the category lookup and then as cat in the image listing, so the same trick works twice. Can you spot the hole?
I'd love to provide a fix, but since neither of these plugins is used on Nullamatix, I'll leave the patching up to those bold enough to use this stuff. If you're feeling generous and come across a fix, feel free to share in the comments. In the meantime, deactivate and remove these plugins until a patch is released. Yet another way for your own, fully patched site on a shared host to get r00ted through a neighbour's sloppy plugin. Happy blogging!
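For readers who want to see the shape such a patch would take, here is an added example of hardening both queries. It is not the plugin authors' code and not part of Houssamix's advisory. It assumes WordPress' global $wpdb object with its prepare() method (present since WordPress 2.3), the wp_die() helper, and the same $table, $cats and $imgs table-name variables the two plugins already define; the ht_get_int_param() helper is invented here for illustration.

```php
<?php
// Added example, not the plugins' own code. Assumes WordPress' global $wpdb
// (with prepare(), available since WP 2.3), wp_die(), and the table-name
// variables $table, $cats and $imgs exactly as the two plugins already set them.
// Those table names come from the plugin, not from the request, so they are
// safe to interpolate; only the ids are attacker-controlled.

// Pull an id-style parameter out of $_GET and reduce it to a positive integer.
// Anything that is not a plain run of digits is rejected up front, so a value
// like "1 OR 1=1" never gets anywhere near the SQL string.
function ht_get_int_param($name) {
    if (!isset($_GET[$name])) {
        return null;
    }
    $raw = (string) $_GET[$name];
    // ctype_digit() is stricter than intval(): "1abc" is rejected, not truncated to 1.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $value = (int) $raw;
    return $value > 0 ? $value : null;
}

// --- WP-Cal: functions/editevent.php ---
$id = ht_get_int_param('id');
if ($id === null) {
    wp_die('Invalid event id.');   // stop here rather than query on garbage
}
// Even with an integer in hand, let $wpdb build the query: the %d placeholder
// is formatted as an integer, so the query text itself can never be altered.
$event = $wpdb->get_row($wpdb->prepare("SELECT * FROM $table WHERE id = %d", $id));

// --- fGallery: fim_rss.php ---
$album = ht_get_int_param('album');
if ($album === null) {
    wp_die('Invalid album id.');
}
$cat = $wpdb->get_row($wpdb->prepare("SELECT * FROM $cats WHERE id = %d", $album));
$images = $wpdb->get_results($wpdb->prepare(
    "SELECT * FROM $imgs WHERE cat = %d AND status = 'include'",
    $album
));
```

The two defences are deliberately redundant: the whitelist check rejects anything that is not a positive integer before any database call is made, and the %d placeholder in $wpdb->prepare() means that even if the check were later removed, the value would still be bound as a number rather than spliced into the query as text.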
Tags: exploit, php, plugin, sql injection, vulnerability