[iBliss Security Advisory] Blind SQL injection vulnerability in NOSpamPTI wordpress plugin

2013-10-02T00:00:00
ID SECURITYVULNS:DOC:29866
Type securityvulns
Reporter Securityvulns
Modified 2013-10-02T00:00:00

Description

[ NOSpamPTI Wordpress plugin Blind SQL Injection ]

[ Vendor product description ]

NOSpamPTI eliminates the spam in your comment box so strong and free, developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8" rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support changes to the functions.php to this we alter this function and available as a plugin. Make good use of this plugin and forget all the Spam.

[ Bug Description ]

NOSpamPTI contains a flaw that may allow an attacker to carry out a Blind SQL injection attack. The issue is due to the wp-comments-post.php script not properly sanitizing the comment_post_ID in POST data. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[ History ]

Advisory sent to vendor on 09/09/2013 Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.

[ Impact ]

HIGH

[ Afected Version ]

2.1

[ CVE Reference]

CVE-2013-5917

[ POC ]

Payload: POST /wordpress/wp-comments-post.php

author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1 AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1

[ Vulnerable code ]

$post_id = $_POST['comment_post_ID'];

load_plugin_textdomain('nospampti', WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');

if &#40;$hash != $challenge&#41; {
    $wpdb-&gt;query&#40;&quot;DELETE FROM {$wpdb-&gt;comments} WHERE comment_ID =

{$comment_id}"); $count = $wpdb->get_var("select count(*) from $wpdb->comments where comment_post_id = {$post_id} and comment_approved = '1'");

[ Reference ]

[1] No SpamPTI SVN repository - http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php [2] Owasp - https://owasp.org/index.php/SQL_Injection [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/


iBliss Seguranca e Inteligencia - Sponsor: Alexandro Silva - Alexos

alexos (at) ibliss.com (dot) br [email concealed]