WordPress Plugin Tune Library 1.5.4 – SQL Injection

Author: Hannes Trunde
Date: 2015-04-21
Category:
Platform:
Source: https://www.exploit-db.com/exploits/36802/
=======================================================================
title: SQL Injection
product: WordPress Tune Library Plugin
vulnerable version: 1.5.4 (and probably below)
fixed version: 1.5.5
CVE number: CVE-2015-3314
impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/tune-library/
found: 2015-01-09
by: Hannes Trunde
mail: hannes.trunde@gmail.com
twitter: @hannestrunde
=======================================================================


Plugin description:
-------------------
"This plugin is used to import an XML iTunes Music Library file into your
WordPress database. Once imported, you can display a complete listing of your
music collection on a page of your WordPress site."

Source: https://wordpress.org/plugins/tune-library/


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, an SQL injection attack can be
performed when sorting artists by letter.

However, special conditions must be met in order to exploit this vulnerability:
1) The WordPress security feature wp_magic_quotes(), which is enabled by
   default, has to be disabled.
2) The plugin-specific option "Filter artists by letter and show alphabetical
   navigation" has to be enabled.
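The bug class the advisory describes, as an added illustration that is not the Tune Library plugin's own code: a letter filter that only stays safe while wp_magic_quotes() escapes the quote character, beside a version that validates the parameter and quotes it with $wpdb->prepare(). The table name tunelib_artists and the column artist are assumptions.

```php
<?php
// Constructed illustration (not the Tune Library plugin's code) of the bug
// class in this advisory. Table and column names are assumed.

// Vulnerable pattern: the request parameter is concatenated into the query.
// It only holds up while wp_magic_quotes() has backslash-escaped the single
// quote; once that is disabled, a quote in artistletter closes the string
// literal and the remainder of the value is executed as SQL.
function tunelib_artists_by_letter_vulnerable( $letter ) {
    global $wpdb;
    $sql = "SELECT artist FROM {$wpdb->prefix}tunelib_artists "
         . "WHERE artist LIKE '{$letter}%' ORDER BY artist";
    return $wpdb->get_col( $sql );
}

// Hardened version: do not depend on magic quotes at all. Strip any slashes
// WordPress may have added, accept only a single letter, and let
// $wpdb->prepare() quote the value (esc_like() also neutralises % and _).
function tunelib_artists_by_letter_fixed( $letter ) {
    global $wpdb;
    $letter = wp_unslash( $letter );
    if ( ! preg_match( '/^[A-Za-z]$/', $letter ) ) {
        return array(); // anything else is not a valid letter filter
    }
    $sql = $wpdb->prepare(
        "SELECT artist FROM {$wpdb->prefix}tunelib_artists "
        . "WHERE artist LIKE %s ORDER BY artist",
        $wpdb->esc_like( $letter ) . '%'
    );
    return $wpdb->get_col( $sql );
}

// Usage inside the page template (constructed):
// $letter  = isset( $_GET['artistletter'] ) ? $_GET['artistletter'] : '';
// $artists = tunelib_artists_by_letter_fixed( $letter );
```

The fixed function behaves the same whether or not wp_magic_quotes() is active, which is the property the advisory's workaround of re-enabling magic quotes cannot give.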


Proof of concept:
-----------------
The following HTTP request to the Tune Library page returns the database
server version, current user and database name:
===============================================================================
http://www.site.com/?page_id=2&artistletter=G' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
===============================================================================


Contact timeline:
-----------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that the plugin has been updated.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-20: Release of security advisory.


Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
Make sure that wp_magic_quotes() is enabled and/or disable the "Filter artists by
letter..." option.