Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928879 (2018-07-26 19:03:23)

Warning

Many of the reported findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::exif_read_data
Risk _FILES
/photo-video-store/includes/functions/functions.php:3961 (show/hide source)
3941  
3942  /**
3943   * The function gets filename and file extention
3944   *
3945   * @param  string $filename - file path.
3946   * @param  string $type filename or extention.
3947   * @return string filename or extention
3948   */
3949  function pvs_get_file_info( $filename, $type )
3950  {
3951  	$fname = "";
3952  	$nf = explode( ".", $filename );
3953  	$fext = $nf[count( $nf ) - 1];
3954  
3955  	for ( $i = 0; $i < count( $nf ) - 1; $i++ )
3956  	{
3957  		if ( $fname != "" )
3958  		{
3959  			$fname .= ".";
3960  		}
3961 $fname .= $nf[$i];
3962 } 3963
Threat level 0

Callstack:

@FUNCTION::pvs_add_exif_to_database /photo-video-store/includes/functions/functions.php:3517 (show/hide source)
3497  		return $exif_text;
3498  	}
3499  }
3500  
3501  
3502  
3503  
3504  
3505  /**
3506   * The function saves exif info in the database
3507   *
3508   * @param  int $photo_id media ID.
3509   * @param  string $img photo path.
3510   */
3511  function pvs_add_exif_to_database( $photo_id, $img )
3512  {
3513  	global $db;
3514  
3515  	$com = "insert into photos_exif set photo_id=" . ( int )$photo_id;
3516  
3517 $exif_info = @exif_read_data( $img, 0, true );
3518 3519 $com .= ",FileName='" . pvs_result( @$exif_info["FILE"]["FileName"] ) . "'";
@FUNCTION::pvs_get_exif /photo-video-store/includes/functions/functions.php:3387 (show/hide source)
3367  			{
3368  				$exif_text .= "<b>Flash:</b> " . $dp->row["Flash"] . "<br>";
3369  			}
3370  
3371  			if ( $dp->row["FocalLength"] != "" )
3372  			{
3373  				$exif_text .= "<b>FocalLength:</b> " . $dp->row["FocalLength"] . "<br>";
3374  			}
3375  		}
3376  	} else
3377  	{
3378  		$flag = false;
3379  	}
3380  
3381  	if ( $flag == false )
3382  	{
3383  		$exif_info = @exif_read_data( $img, 0, true );
3384  
3385  		if ( $photo_id != 0 )
3386  		{
3387 pvs_add_exif_to_database( $photo_id, $img );
3388 } 3389
@INLINE::/photo-video-store/templates/exif.php /photo-video-store/templates/exif.php:48 (show/hide source)
28  
29  if ( $file_storage ) {
30  	if ( $file_name != "" ) {
31  		echo ( "<h2 class='exif_header'>EXIF:	</h2>" );
32  		echo ( pvs_get_exif( $file_name, false, ( int )$id ) );
33  	}
34  } else
35  {
36  	$sql = "select server1,id from " . PVS_DB_PREFIX .
37  		"media where id=" . ( int )$id;
38  	$rs->open( $sql );
39  	if ( ! $rs->eof ) {
40  		$sql = "select url from " . PVS_DB_PREFIX . "items where id_parent=" . ( int )$id;
41  		$dr->open( $sql );
42  		if ( ! $dr->eof ) {
43  			$img = pvs_upload_dir() . pvs_server_url( $rs->row["server1"] ) .
44  				"/" . $rs->row["id"] . "/" . $dr->row["url"];
45  			if ( file_exists( $img ) )
46  			{
47  				echo ( "<h2 class='exif_header'>EXIF:	</h2>" );
48 echo ( pvs_get_exif( $img, false, ( int )$id ) );
49 } 50 }