Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org>
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt
Date of last update: 2008-10-13
CVE Name: –
Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
Impact:
Manipulation of data
Cross-Site Scripting
Type of Advisory: Full Disclosure
WP Comment Remix adds a plethora of new options and features to WordPress. From Reply and Quote links for commenters to a full upgrade of the edit-comments pages in the admin panel, WPCR will save you time and effort when running your blog.
WP Comment Remix has multiple vulnerabilities which allow remote attackers to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery attacks.
The SQL Injection is possible because the comment post ID variable in the AJAX Comments script is used in a query without any filtering.
The Cross-Site Scripting is possible because several stored options are neither filtered on input nor escaped on output.
The Cross-Site Request Forgery is caused by the lack of WordPress nonces on the options panel form.
/---------------------
$id = $_GET['p'];
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY
comment_date DESC");
----------------------/
As you can see in the presented code, the value of $id is taken from the HTTP GET p variable and is later used, unmodified, inside the SQL query passed to the get_results method of the $wpdb object (which allows WordPress plugin developers to pull multiple row results from the database), so we can inject SQL code and the data will later be shown as comment data by the script.
To obtain the MySQL user, Database name and MySQL version used on the server.
(The following code is truncated to show only the vulnerable parts.)
/----------------------
$options['replytotext'] = $_POST['replytotext'];
…
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
…
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];
…
<input type="text" name="replytotext" value="<?=$options['replytotext']?>"><br/>
…
<input type="text" name="quotetext" value="<?=$options['quotetext']?>"><br/>
…
<input type="textbox" name="originallypostedby" value='<?=$options['originallypostedby'];?>' />
…
<input type="text" name="sep" value="<?=$options['sep']?>"><br/>
…
<input type="text" name="taglabel" value="<?=$options['taglabel']?>"><br/>
…
<input type="text" name="tagsep" value="<?=$options['tagsep']?>"><br/>
…
<input type="text" name="maxtags" value="<?=$options['maxtags']?>"><br/>
…
<input type="text" name="tagheaderlabel" value="<?=$options['tagheaderlabel']?>"><br/>
…
<input type="text" name="tagheadersep" value="<?=$options['tagheadersep']?>"><br/>
-----------------------/
These variables are neither filtered nor escaped, so if we store something like this…
/----------------------
5"><script>alert(String.fromCharCode(88,83,83));</script><input type=hidden name=foo id="
-----------------------/
When the data is retrieved to be shown on the dashboard options panel, the "bad code" is rendered and the attack is conducted.
NOTE: Some input variables (like replytotext) are also rendered to public viewers, so it is possible to inject "malicious code" outside of the plugin's dashboard options panel as well.
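As an added example (not the plugin's or the advisory's code), here are hardened forms of the three patterns described above, built on WordPress core APIs; the wpcr_* function names and the 'wpcr_options' option name are assumptions.

```php
<?php
// Added example, not the plugin's or the advisory's code: hardened forms of the
// three patterns described above, built on current WordPress core APIs.
// The wpcr_* function names and the 'wpcr_options' option name are assumptions.

// 1. SQL injection: coerce the post ID to an integer and bind it via $wpdb->prepare().
function wpcr_get_comments_safe( $post_id ) {
    global $wpdb;
    $post_id = absint( $post_id ); // the raw $_GET['p'] is never interpolated into SQL
    if ( 0 === $post_id ) {
        return array();
    }
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM $wpdb->comments
         WHERE comment_post_ID = %d AND comment_approved != 'spam'
         ORDER BY comment_date DESC",
        $post_id
    ) );
}

// 2. Stored XSS and 3. CSRF: verify the nonce and capability before touching
// $_POST, sanitize every field on save, and escape again on output.
function wpcr_save_options() {
    check_admin_referer( 'wpcr_save_options', 'wpcr_nonce' ); // dies on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $text_keys = array( 'replytotext', 'quotetext', 'originallypostedby', 'sep',
                        'tagsep', 'tagheadersep', 'taglabel', 'tagheaderlabel' );
    $options = array();
    foreach ( $text_keys as $key ) {
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        $options[ $key ] = sanitize_text_field( $raw ); // strips tags and control characters
    }
    $options['maxtags'] = isset( $_POST['maxtags'] ) ? absint( $_POST['maxtags'] ) : 0;
    update_option( 'wpcr_options', $options );
}

function wpcr_options_form( $options ) {
    echo '<form method="post">';
    wp_nonce_field( 'wpcr_save_options', 'wpcr_nonce' ); // emits the hidden nonce input
    foreach ( $options as $key => $value ) {
        // esc_attr() neutralises the closing-quote payload shown above even for a
        // value that was stored before input sanitizing was added
        printf( '<input type="text" name="%s" value="%s"><br/>', esc_attr( $key ), esc_attr( $value ) );
    }
    echo '</form>';
}
```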
The proof of concept can be downloaded from here:
http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip
Upgrade to version 1.4.4
Bug Found: 16/09/2008
Vendor Contact: 20/09/2008
Vendor Response: 23/09/2008
Public Disclosure: 13/10/2008
ChX Security
http://chxsecurity.org/
(c) 2008
Original: http://chxsecurity.org/advisories/adv-3-full.txt