| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Mar 2010 17:27:12 +0100
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: Benji <me@...ji.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Wordpress plugin 'Analytics360'-
authenticated user sql injection
OK, well - before I get 10000 replies: the question was a rhetoric one.
2010/3/1 Benji <me@...ji.com>
> http://crowdfavorite.com/ loads fine here.
>
> On Mon, Mar 1, 2010 at 4:03 PM, Jan G.B. <ro0ot.w00t@...glemail.com>wrote:
>
>> Hi there,
>>
>> I just noticed that authenticated users for the admin area of a wordpress
>> blog may inject code into database queries, when the plugin "Analytics360"
>> is activated.
>>
>> ### BASIC INFORMATION ###
>>
>> Plugin Name: Analytics360
>> Plugin URI:
>> http://www.mailchimp.com/wordpress_analytics_plugin/?pid=wordpress&source=website
>> Author: Crowd Favorite
>> Author URI: http://crowdfavorite.com
>>
>>
>> ### Affected Version ###
>>
>> Analytics360 v.1.2
>> (and earlier Versions, I guess…)
>>
>>
>> ### Risk ###
>>
>> Well, I can't classify this. When you're not insane, you shouldn't have
>> people as admins, who inject code into the database queries.
>> But, when you have such admins, or your WP-Login is collected by phishing
>> or something alike, your db server and data may be at risk.
>> It all depends on your setup and permissions. However, the bug is easy to
>> fix and so it should be fixed.
>>
>> http://codex.wordpress.org/Function_Reference/wpdb_Class#Run_Any_Query_on_the_Database
>>
>>
>> ### DETAILS ###
>>
>> The code contains this evil part in analytics360.php:
>> --------
>> case 'get_wp_posts':
>> add_filter('posts_where', create_function(
>> '$where',
>> 'return $where." AND post_date >=
>> \''.$_GET['start_date'].'\' AND post_date < \''.$_GET['end_date'].'\'";'
>> ));
>> --------
>>
>>
>> ### Disclosure Timeline ###
>>
>> You're the first to know.
>> Anyone is able to telnet crowdfavorite.com:80 ? As I'm writing this, the
>> site is unresponsive.
>> So this is what happens when you include a website as contact information:
>> you don't get the message.
>>
>>
>> Regards
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists