135 lines
4.7 KiB
Text
Executable file
135 lines
4.7 KiB
Text
Executable file
Title:
|
|
======
|
|
Wordpress Facebook Survey v1 - SQL Injection Vulnerability
|
|
|
|
|
|
Date:
|
|
=====
|
|
2012-11-18
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=766
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
766
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
8.5
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
Wordpress Facebook Survey Pro is an easy to install & use Wordpress plugin. Get started right away,
|
|
and set up as many timeline optin pages as you want. This plugin gets to the point, and makes it so
|
|
you get the BEST answers from your FB fans. You can add a custom success page so you can offer
|
|
incentives for your fans to complete the survey. It`s the BEST way to get feedback!
|
|
|
|
(Copy of the Vendor Homepage: http://fbsurveypro.com/ )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered a critical remote SQL Injection vulnerability in the Wordpress Facebook Survey Pro Plugin.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2012-11-18: Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Critical
|
|
|
|
|
|
Details:
|
|
========
|
|
A blind SQL Injection vulnerability is detected in the commercial Wordpress Facebook Survey Pro Plugin.
|
|
The vulnerability allows an attacker (remote) or local low privileged user account to execute a SQL
|
|
commands on the affected application dbms. The blind sql injection vulnerability is located in index.php
|
|
file (timeline module) with the bound vulnerable id parameter. Successful exploitation of the vulnerability
|
|
results in dbms & application compromise. Exploitation requires no user interaction & without privileged
|
|
application user account.
|
|
|
|
Vulnerable Module(s):
|
|
[+] timeline/
|
|
|
|
Vulnerable File(s):
|
|
[+] index.php
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] id
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
The SQL injection vulnerability can be exploited by remote attackers without privileged application user accounr and without
|
|
required user inter action. For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
http://[SERVER]/[WORDPRESS]/wp-content/plugins/plugin-dir/timeline/index.php?id=1'-1 union select 1,2,3,4,5[SQL-Injection]--
|
|
|
|
|
|
Solution:
|
|
=========
|
|
Filter the id input, or use the intval() php function to make sure the input is an integer.
|
|
|
|
|
|
Risk:
|
|
=====
|
|
The security risk of the remote blind sql injection vulnerability is estimated as critical.
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Chokri B.A. (meister@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY ADMINISTRATION
|
|
CONTACT: admin@vulnerability-lab.com
|
|
|
|
|