• Advisory: http://www.exploit-db.com/exploits/16218/

    Patch:

    diff -uwdBrN z-vote.orig/zvote.php z-vote/zvote.php
    --- z-vote.orig/zvote.php	2011-02-25 21:05:44.000000000 +0200
    +++ z-vote/zvote.php	2011-02-25 21:10:46.531798756 +0200
    @@ -9,6 +9,8 @@
       License: GPL
     */
    
    +	defined('ABSPATH') or die();
    +
     // --- DEFINITIONS
    
     	//define where zvote is installed on the wordpres system. In 99.9% of the case the path below is correct.
    @@ -271,7 +273,7 @@
     function zVote_getEntry($postid) {
     	global $wpdb;
    
    -	$entries = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$entries = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $entries;
     }
    @@ -282,7 +284,7 @@
     	global $wpdb;
    
     	$votes = 0;
    -	$votes = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$votes = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $votes;
     }
    @@ -292,7 +294,7 @@
    
     	global $wpdb;
    
    -	$votes = $wpdb->get_var($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$votes = $wpdb->get_var($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $votes;
     }
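Review bot: The rewritten DELETE on the `+` line still goes through `$wpdb->get_var()`, which fetches one column of one row; a DELETE yields no result set, so `$votes` stays `null` and the `return $votes;` below never reports how many rows were removed. If callers use the return value, `$wpdb->query()` returns the affected-row count instead: `$votes = $wpdb->query($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));`. The enclosing function's signature is outside the hunk, so I cannot tell whether the count is actually consumed.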
    @@ -353,7 +355,7 @@
     	global $wpdb;
    
     	//ipcheck for now, will expand to userid-check, based on the user setting in version 1.5
    -	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . " AND userip = \"" . $_SERVER['REMOTE_ADDR'] . "\""));
    +	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d AND userip = %s", $postid, $_SERVER['REMOTE_ADDR']));
    
     	$wpdb->insert( $wpdb->prefix . 'zvotedata', array( 'postid' => $postid, 'userip' => $_SERVER['REMOTE_ADDR'], 'userid' => 0, 'time' => time() ), array( '%d','%s', '%d', '%d' ) );
    
    @@ -365,7 +367,7 @@
     	global $wpdb, $wp_query, $redirect_meta_key;
    
     	//ipcheck for now, will expand to userid-check, based on the user setting in version 1.5
    -	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . " AND userip = \"" . $_SERVER['REMOTE_ADDR'] . "\""));
    +	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d AND userip = %d", $postid, $_SERVER['REMOTE_ADDR']));
    
     	if (!$ipcheck) {
     		//ok to vote, register vote
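Review bot: The new `userip = %d` placeholder on the `+` line binds `$_SERVER['REMOTE_ADDR']` as an integer, so a dotted-quad address is truncated to its first octet and compared against the string column `userip`, which appears to make this duplicate-vote lookup match nothing and always take the `!$ipcheck` branch. The same query two hunks earlier correctly uses `%s` for the address; this one should match it: `$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d AND userip = %s", $postid, $_SERVER['REMOTE_ADDR']));`. The enclosing function starts before this hunk, so the remaining uses of `$ipcheck` are not visible here.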
    @@ -382,7 +384,7 @@
     		}
    
     		//send user to post
    -		header('Location: ' .$injectionPoint);
    +		wp_redirect($injectionPoint);
     		exit;
     	} else {
     		//user already registered, push to entry-page and inform the user.
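Review bot: `wp_redirect($injectionPoint)` on the `+` line does not restrict the target host, and where `$injectionPoint` comes from is not visible in this hunk (the next hunk shows it being built from `$post . '?zvoters=2'`, whose origin is also outside the view). If any part of that value can be influenced by the request, `wp_safe_redirect($injectionPoint);` would confine the redirect to the site's allowed hosts while keeping the rest of the change the same; the same substitution applies to the `wp_redirect` call in the following hunk. A short comment such as `// redirect target is built from $post; keep it on-site` above the call would document the intent either way.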
    @@ -394,7 +396,7 @@
     			$injectionPoint = $post . '?zvoters=2';
     		}
    
    -		header('Location: ' .$injectionPoint);
    +		wp_redirect($injectionPoint);
     		exit;
     	}
     	exit;

    More details (Russian)
