Vulners
Lucene search
WordPress Plugin Tune Library 1.5.4 - SQL Injection
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability | 21 Apr 201500:00 | – | zdt |
 | WordPress Tune Library Plugin SQL Injection Vulnerability | 20 May 201500:00 | – | cnvd |
 | CVE-2015-3314 | 7 Sep 201720:00 | – | cve |
 | CVE-2015-3314 | 7 Sep 201720:00 | – | cvelist |
 | EUVD-2015-3360 | 7 Oct 202500:30 | – | euvd |
 | WordPress Plugin Tune Library 1.5.4 - SQL Injection | 21 Apr 201500:00 | – | exploitpack |
 | CVE-2015-3314 | 7 Sep 201720:29 | – | nvd |
 | WordPress Tune Library 1.5.4 SQL Injection | 21 Apr 201500:00 | – | packetstorm |
 | WordPress Tune Library Plugin 1.5.4 - SQL Injection | 21 Apr 201500:00 | – | patchstack |
 | Sql injection | 7 Sep 201720:29 | – | prion |
10
=======================================================================
title: SQL Injection
product: WordPress Tune Library Plugin
vulnerable version: 1.5.4 (and probably below)
fixed version: 1.5.5
CVE number: CVE-2015-3314
impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/tune-library/
found: 2015-01-09
by: Hannes Trunde
mail: [email protected]
twitter: @hannestrunde
=======================================================================
Plugin description:
-------------------
"This plugin is used to import an XML iTunes Music Library file into your
WordPress database. Once imported, you can display a complete listing of your
music collection on a page of your WordPress site."
Source: https://wordpress.org/plugins/tune-library/
Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.
Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a sql injection attack can be
performed when sorting artists by letter.
However, special conditions must be met in order to exploit this vulnerability:
1) The wordpress security feature wp_magic_quotes(), which is enabled by
default, has to be disabled.
2) The plugin specific option "Filter artists by letter and show alphabetical
navigation" has to be enabled.
Proof of concept:
-----------------
The following HTTP request to the Tune Library page returns version, current
user and db name:
===============================================================================
http://www.site.com/?page_id=2&artistletter=G' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
===============================================================================
Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that plugin has been updated.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-20: Release of security advisory.
Solution:
---------
Update to the most recent plugin version.
Workaround:
-----------
Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by
letter..." option.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Apr 2015 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 26.8
CVSS 38.1
EPSS0.08759