lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <c9a09d01003010803n5763e977reb1c4178090f3a8d@mail.gmail.com>
Date: Mon, 1 Mar 2010 17:03:51 +0100
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Wordpress plugin 'Analytics360'- authenticated
	user sql injection

Hi there,

I just noticed that authenticated users for the admin area of a wordpress
blog may inject code into database queries, when the plugin "Analytics360"
is activated.

### BASIC INFORMATION ###

Plugin Name: Analytics360
Plugin URI:
http://www.mailchimp.com/wordpress_analytics_plugin/?pid=wordpress&source=website
Author: Crowd Favorite
Author URI: http://crowdfavorite.com


### Affected Version ###

Analytics360 v.1.2
(and earlier Versions, I guess…)


### Risk ###

Well, I can't classify this. When you're not insane, you shouldn't have
people as admins, who inject code into the database queries.
But, when you have such admins, or your WP-Login is collected by phishing or
something alike, your db server and data may be at risk.
It all depends on your setup and permissions. However, the bug is easy to
fix and so it should be fixed.

http://codex.wordpress.org/Function_Reference/wpdb_Class#Run_Any_Query_on_the_Database


### DETAILS ###

The code contains this evil part in analytics360.php:
--------
  case 'get_wp_posts':
          add_filter('posts_where', create_function(
                  '$where',
                  'return $where." AND post_date >=
\''.$_GET['start_date'].'\' AND post_date < \''.$_GET['end_date'].'\'";'
          ));
--------


### Disclosure Timeline ###

You're the first to know.
Anyone is able to telnet crowdfavorite.com:80 ? As I'm writing this, the
site is unresponsive.
So this is what happens when you include a website as contact information:
you don't get the message.


Regards

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ