WP Comment Remix 1.4.3 Multiple Vulnerabilities

2008-10-14 / 2008-10-15
Credit: g30rg3_x
Risk: High
Local: No
Remote: Yes

___________ ChX Security | Advisory #3 | ========== -> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <- _________________ Advisory Information | =============== Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org> Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt Date of last update: 2008-10-13 CVE Name: -- ____________________ Vulnerability Information | ================== Software: WP Comment Remix Version: 1.4.3 From: Remote Severity: Extremely Critical Impact: Manipulation of data Cross-Site Scripting Type of Advisory: Full Disclosure _________________ Software Description | =============== WP Comment Remix adds a plethora of new options and features to Wordpress. From Reply and Quote links for commenters, to a full upgrade to the edit comments pages in the admin panel, WPCR will save you time and effort when running your blog. ____________________ Vulnerability Description | ================== WP Comment Remix has multiple vulnerabilities which allow remote attackers to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery attacks. The SQL Injection is possible due to lack of filtration on the comment post ID variable in the AJAX Comments script. The Cross-Site Scripting is possible due to lack of filtration and escaping on several stored options. The Cross-Site Request Forgery is caused by the lack of the WordPress Nonces on the options panel form. __________________ Technical Description | ================ * SQL Injection * Inside the script "ajax_comments.php" (around lines 27 to 29): /--------------------- $id = $_GET['p']; $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date DESC"); ----------------------/ As you can see in the presented code, the value of $id is taken from HTTP GET p variable and then $id is later used inside the SQL Query of get_results method from the $wpdb object (which allow WordPress plugins developers to pull multiple row results from the database), so we can inject SQL code and the data will later be show as comment data on the script.

References:

http://chxsecurity.org/advisories/adv-3-full.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top