What IS WP PhotoContest? The readme states:
This plugin permits you to create a ‘voting for photos-contest’ from the WordPress admin panel Subscribed users can uploads photos and everyone else can vote for the uploaded photos (sic).
The author could rephrase that as follows:
This plugin permits everyone to inject SQL commands into the database and to do a cross site scripting attack.
You most certainly do not want to install this plugin even if you are in the mood for a photo contest.
I did not review the whole plugin, just login.php where I have found the XSS leak and view.php as well as viewimg.php where the SQL injection leaks are located. Most propably there are even more leaks as this plugin seems to be from an inexperienced PHP programmer.
The author has been notified at UTC 1022. Information applies to version 1.0 and 1.0.1.
Details
The XSS leak is all too common:
$frompost_id = $_REQUEST['prid'];
...
<a href="<?php echo bloginfo('wpurl'); ?>/wp-content/plugins/wp-photocontest/login.php?post_id=<?php echo $frompost_id; ?>"><?php _e('Log In', 'wp-photocontest') ?></a>
There it is. A classic.
SQL injection in view.php and viewimg.php:
$post_id = $_REQUEST['prid'];
...
$q1 = "SELECT contest_id, start_date, end_date, contest_path, contest_name, intro_text, num_photo FROM ".$wpdb->prefix."photocontest_admin where post_id=$post_id";
$out = $wpdb->get_row($q1);
This is also a classic and a beginners mistake as well. There is no security whatsoever. Don’t consider this plugin to be safe when the mentioned leaks have been fixed!
What to do for plugin users
Deactivate and remove WP-PhotoContest immediately and wait for a revised plugin.
This issue has been resolved
Leave a Reply
You must be logged in to post a comment.