WordPress.org

Ready to get started?Download WordPress

Forums

Z-Vote
SQL Injection Vulnerability (1 post)

  1. Vladimir Kolesnikov
    Member
    Posted 3 years ago #

    Advisory: http://www.exploit-db.com/exploits/16218/

    Patch:

    diff -uwdBrN z-vote.orig/zvote.php z-vote/zvote.php
    --- z-vote.orig/zvote.php	2011-02-25 21:05:44.000000000 +0200
    +++ z-vote/zvote.php	2011-02-25 21:10:46.531798756 +0200
    @@ -9,6 +9,8 @@
       License: GPL
     */
    
    +	defined('ABSPATH') or die();
    +
     // --- DEFINITIONS
    
     	//define where zvote is installed on the wordpres system. In 99.9% of the case the path below is correct.
    @@ -271,7 +273,7 @@
     function zVote_getEntry($postid) {
     	global $wpdb;
    
    -	$entries = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$entries = $wpdb->get_results($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $entries;
     }
    @@ -282,7 +284,7 @@
     	global $wpdb;
    
     	$votes = 0;
    -	$votes = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$votes = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $votes;
     }
    @@ -292,7 +294,7 @@
    
     	global $wpdb;
    
    -	$votes = $wpdb->get_var($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . ""));
    +	$votes = $wpdb->get_var($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d", $postid));
    
     	return $votes;
     }
    @@ -353,7 +355,7 @@
     	global $wpdb;
    
     	//ipcheck for now, will expand to userid-check, based on the user setting in version 1.5
    -	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . " AND userip = \"" . $_SERVER['REMOTE_ADDR'] . "\""));
    +	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d AND userip = %s", $postid, $_SERVER['REMOTE_ADDR']));
    
     	$wpdb->insert( $wpdb->prefix . 'zvotedata', array( 'postid' => $postid, 'userip' => $_SERVER['REMOTE_ADDR'], 'userid' => 0, 'time' => time() ), array( '%d','%s', '%d', '%d' ) );
    
    @@ -365,7 +367,7 @@
     	global $wpdb, $wp_query, $redirect_meta_key;
    
     	//ipcheck for now, will expand to userid-check, based on the user setting in version 1.5
    -	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = " . $postid . " AND userip = \"" . $_SERVER['REMOTE_ADDR'] . "\""));
    +	$ipcheck = $wpdb->get_var($wpdb->prepare("SELECT id FROM " . $wpdb->prefix . "zvotedata WHERE postid = %d AND userip = %d", $postid, $_SERVER['REMOTE_ADDR']));
    
     	if (!$ipcheck) {
     		//ok to vote, register vote
    @@ -382,7 +384,7 @@
     		}
    
     		//send user to post
    -		header('Location: ' .$injectionPoint);
    +		wp_redirect($injectionPoint);
     		exit;
     	} else {
     		//user already registered, push to entry-page and inform the user.
    @@ -394,7 +396,7 @@
     			$injectionPoint = $post . '?zvoters=2';
     		}
    
    -		header('Location: ' .$injectionPoint);
    +		wp_redirect($injectionPoint);
     		exit;
     	}
     	exit;

    More details (Russian)

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

  • RSS feed for this topic
  • Started 3 years ago by Vladimir Kolesnikov
  • This topic is not resolved
  • WordPress version: 3.1