| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130710235844.GB16039@kludge.henri.nerv.fi>
Date: Thu, 11 Jul 2013 02:58:44 +0300
From: Henri Salo <henri@...v.fi>
To: iedb.team@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Wordpress wp-private-messages Plugin Sql Injection vulnerability
On Sat, Jun 29, 2013 at 03:02:37PM +0000, iedb.team@...il.com wrote:
> # Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability
> # Software Link : http://wordpress.org/plugins/wp-private-messages/
>
> # http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
Could not reproduce. Could you give us working PoC, thanks. I get error "Hack
Attempt: You don't allowed to reply this message!"
327 function wpu_reply_pm() {
328 global $current_user, $wpdb, $wpulang;
329 $msgid = $_GET["msgid"];
330 if(!$msgid || $msgid == "") { echo "Error while messaging!"; return; }
331 $pm = $wpdb->get_row("SELECT * FROM $wpdb->prefix".private_messages." WHERE id = $msgid", ARRAY_A);
332
333 if($pm['rcpid'] != $current_user->ID) { echo "<p>".__('Hack Attempt: You don\'t allowed to reply this message!', $wpulang)."</p>"; return; }
I tested with version 1.0.1
> # Dem0 :
> # http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
> # http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]
Live sites as demo to SQL injection behind WordPress login, err what?
Also please note: This plugin hasn't been updated in over 2 years. It may no
longer be maintained or supported and may have compatibility issues when used
with more recent versions of WordPress.
---
Henri Salo
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists