___________ ChX Security | Advisory #3 | ========== -> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <- _________________ Advisory Information | =============== Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org> Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt Date of last update: 2008-10-13 CVE Name: -- ____________________ Vulnerability Information | ================== Software: WP Comment Remix Version: 1.4.3 From: Remote Severity: Extremely Critical Impact: Manipulation of data Cross-Site Scripting Type of Advisory: Full Disclosure _________________ Software Description | =============== WP Comment Remix adds a plethora of new options and features to Wordpress. From Reply and Quote links for commenters, to a full upgrade to the edit comments pages in the admin panel, WPCR will save you time and effort when running your blog. ____________________ Vulnerability Description | ================== WP Comment Remix has multiple vulnerabilities which allow remote attackers to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery attacks. The SQL Injection is possible due to lack of filtration on the comment post ID variable in the AJAX Comments script. The Cross-Site Scripting is possible due to lack of filtration and escaping on several stored options. The Cross-Site Request Forgery is caused by the lack of the WordPress Nonces on the options panel form. __________________ Technical Description | ================ * SQL Injection * Inside the script "ajax_comments.php" (around lines 27 to 29): /--------------------- $id = $_GET['p']; $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date DESC"); ----------------------/ As you can see in the presented code, the value of $id is taken from HTTP GET p variable and then $id is later used inside the SQL Query of get_results method from the $wpdb object (which allow WordPress plugins developers to pull multiple row results from the database), so we can inject SQL code and the data will later be show as comment data on the script.