| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c9a09d01003020442m6214b77agdd4fbacb71934d9@mail.gmail.com>
Date: Tue, 2 Mar 2010 13:42:13 +0100
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Wordpress plugin 'Analytics360'-
authenticated user sql injection
Hi there,
here's an update to this advisory. Affected Versions are now <= 1.2.1.
Reasoning:
I noticed, that the author tried to fix this bug by implementing validation
via regex matching.
Sadly, that regex can be bypassed easily because it only checks if a valid
date string is in the GET param. That said, it should be clear that the sql
injection is unfixed in version 1.2.1.
The fix in Version 1.2.1 looks like this:
-------------
$start = (preg_match('/\\d{4}-\\d{2}-\\d{2}/', $_GET['start_date']) ?
$_GET['start_date'] : '0000-00-00');
$end = (preg_match('/\\d{4}-\\d{2}-\\d{2}/', $_GET['end_date']) ?
$_GET['end_date'] : '0000-00-00');
add_filter('posts_where', create_function(
'$where',
'return $where." AND post_date >= \''.$start.'\' AND post_date <
\''.$end.'\'";'
));
--------------
As you can see, the Regexp pattern is missing terminations in the form of
START / END.
Please change the first two lines like this:
----
$start = (preg_match('/^\\d{4}-\\d{2}-\\d{2}$/', $_GET['start_date']) ?
$_GET['start_date'] : '0000-00-00');
$end = (preg_match('/^\\d{4}-\\d{2}-\\d{2}$/', $_GET['end_date']) ?
$_GET['end_date'] : '0000-00-00');
----
Regards
PS: That site loads now, but there's no email contact listed. Sad for them.
2010/3/1 Jan G.B. <ro0ot.w00t@...glemail.com>
> Hi there,
>
> I just noticed that authenticated users for the admin area of a wordpress
> blog may inject code into database queries, when the plugin "Analytics360"
> is activated.
>
> ### BASIC INFORMATION ###
>
> Plugin Name: Analytics360
> Plugin URI:
> http://www.mailchimp.com/wordpress_analytics_plugin/?pid=wordpress&source=website
> Author: Crowd Favorite
> Author URI: http://crowdfavorite.com
>
>
> ### Affected Version ###
>
> Analytics360 v.1.2
> (and earlier Versions, I guess…)
>
>
> ### Risk ###
>
> Well, I can't classify this. When you're not insane, you shouldn't have
> people as admins, who inject code into the database queries.
> But, when you have such admins, or your WP-Login is collected by phishing
> or something alike, your db server and data may be at risk.
> It all depends on your setup and permissions. However, the bug is easy to
> fix and so it should be fixed.
>
> http://codex.wordpress.org/Function_Reference/wpdb_Class#Run_Any_Query_on_the_Database
>
>
> ### DETAILS ###
>
> The code contains this evil part in analytics360.php:
> --------
> case 'get_wp_posts':
> add_filter('posts_where', create_function(
> '$where',
> 'return $where." AND post_date >=
> \''.$_GET['start_date'].'\' AND post_date < \''.$_GET['end_date'].'\'";'
> ));
> --------
>
>
> ### Disclosure Timeline ###
>
> You're the first to know.
> Anyone is able to telnet crowdfavorite.com:80 ? As I'm writing this, the
> site is unresponsive.
> So this is what happens when you include a website as contact information:
> you don't get the message.
>
>
> Regards
>
>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists