133 lines
No EOL
4.6 KiB
Text
133 lines
No EOL
4.6 KiB
Text
Title:
|
||
======
|
||
Wordpress Facebook Survey v1 - SQL Injection Vulnerability
|
||
|
||
|
||
Date:
|
||
=====
|
||
2012-11-18
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=766
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
766
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
8.5
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Wordpress Facebook Survey Pro is an easy to install & use Wordpress plugin. Get started right away,
|
||
and set up as many timeline optin pages as you want. This plugin gets to the point, and makes it so
|
||
you get the BEST answers from your FB fans. You can add a custom success page so you can offer
|
||
incentives for your fans to complete the survey. It`s the BEST way to get feedback!
|
||
|
||
(Copy of the Vendor Homepage: http://fbsurveypro.com/ )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered a critical remote SQL Injection vulnerability in the Wordpress Facebook Survey Pro Plugin.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-11-18: Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Critical
|
||
|
||
|
||
Details:
|
||
========
|
||
A blind SQL Injection vulnerability is detected in the commercial Wordpress Facebook Survey Pro Plugin.
|
||
The vulnerability allows an attacker (remote) or local low privileged user account to execute a SQL
|
||
commands on the affected application dbms. The blind sql injection vulnerability is located in index.php
|
||
file (timeline module) with the bound vulnerable id parameter. Successful exploitation of the vulnerability
|
||
results in dbms & application compromise. Exploitation requires no user interaction & without privileged
|
||
application user account.
|
||
|
||
Vulnerable Module(s):
|
||
[+] timeline/
|
||
|
||
Vulnerable File(s):
|
||
[+] index.php
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] id
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
The SQL injection vulnerability can be exploited by remote attackers without privileged application user accounr and without
|
||
required user inter action. For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
http://[SERVER]/[WORDPRESS]/wp-content/plugins/plugin-dir/timeline/index.php?id=1'-1 union select 1,2,3,4,5[SQL-Injection]--
|
||
|
||
|
||
Solution:
|
||
=========
|
||
Filter the id input, or use the intval() php function to make sure the input is an integer.
|
||
|
||
|
||
Risk:
|
||
=====
|
||
The security risk of the remote blind sql injection vulnerability is estimated as critical.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Chokri B.A. (meister@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY ADMINISTRATION
|
||
CONTACT: admin@vulnerability-lab.com |