Hello again,

    Bad news, there are a lot of SQL injection vulnerabilities in the code. For example, the file admin/luc_admin.php has an unvalidated "$querylimit".

    (one example)
    […]
    // Row limit taken straight from the POST body, with no validation.
    $querylimit = (isset($_POST['hitsrows']) ? $_POST['hitsrows'] : $StatPressV_Option['StatPressV_Rows_Per_Latest']);
    [...]
    // $querylimit is interpolated directly into the LIMIT clause.
    $rks = $wpdb->get_results("SELECT date, time, ip, urlrequested, os, browser, feed, user, language, country, post_title
    FROM $table_name
    WHERE (os<>'' OR browser<>'')
    AND spider NOT LIKE '%Spam Bot%'
    ORDER BY id DESC LIMIT $querylimit;");

    […]
    As far as I know, exploiting after "LIMIT" is not easy/trivial, but the vulnerability exists and should be fixed.

    I didn't check the entire code, so maybe other files have more.

    Regards.

    http://wordpress.org/extend/plugins/statpress-visitors/

Viewing 5 replies - 1 through 5 (of 5 total)
  Plugin Author luciole135

    (@luciole135)

    Hi,
    Thank you for your interest in this issue; your suggestion is precious to me.
    This part of the code is only accessible from the WordPress admin. This complicates the task enormously, because the flaw would have to pass through the WordPress administration, which is itself secure.
    This limit is chosen via a drop-down list on the main page and I do not see how it is possible to break it.
    In these circumstances, do you really believe it is important to ensure that this limit is an integer between 5 and 500?
    If you think so, I will do it.
    But all the other options aren't validated either!
    Regards

    Thread Starter aramosf

    (@aramosf)

    Hello,

    You can bypass the "validation" of the drop-down list just by POSTing, with some tool or manually, whatever string you want, for example with a simple curl command. You only need the correct wp-admin SESSION to do that.

    As you said, it's only in the WordPress administration, but what happens if the MySQL user is root? You can read contents from other databases, or from the file system, or maybe run commands in the OS. Remember that in WordPress there are other kinds of users, like editors, contributors, etc.

    Regards
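The fix the two posts above are circling is small: treat "hitsrows" as an untrusted string, reduce it to an integer inside the range the drop-down offers, and let the database layer place it in the query. The following is an added example, not the plugin's code: the function name statpressv_sanitize_rows, the default of 20 and the sample POST values are assumptions, while the 5..500 bounds are the ones the plugin author mentions. The $wpdb->prepare() call shown in the comment is the real WordPress API; the script itself runs stand-alone under the php CLI.

```php
<?php
// Added example (not from the StatPress Visitors plugin): validating the
// "hitsrows" POST value before it can reach a LIMIT clause.
// statpressv_sanitize_rows and the default of 20 are assumed names/values;
// the 5..500 bounds come from the plugin author's reply in this thread.

function statpressv_sanitize_rows($raw, $default = 20, $min = 5, $max = 500)
{
    // Only accept a plain decimal integer string (what the drop-down sends).
    // Anything else, including "10 INTO OUTFILE ..." or "10; SELECT 1",
    // falls back to the configured default.
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $raw = trim((string) $raw);
    if (!preg_match('/^[0-9]{1,4}$/', $raw)) {
        return $default;
    }
    $n = (int) $raw;
    // Enforce the same range the UI offers; a huge LIMIT is a cheap way to
    // dump the whole table or load the server, even if it is "just a number".
    if ($n < $min || $n > $max) {
        return $default;
    }
    return $n;
}

// Constructed sample POST bodies: the first is what the drop-down sends,
// the rest are what a logged-in user can send with curl instead.
$samples = array(
    '50',
    '0500',
    '999999',
    '-1',
    "10 INTO OUTFILE '/tmp/x'",
    '10; SELECT 1',
    '',
);

foreach ($samples as $s) {
    $limit = statpressv_sanitize_rows($s, 20);
    // Inside the plugin the validated integer would then be passed through
    // $wpdb->prepare(), which casts %d placeholders to int itself:
    //   $rks = $wpdb->get_results($wpdb->prepare(
    //       "SELECT ... FROM $table_name WHERE (os<>'' OR browser<>'')
    //        AND spider NOT LIKE '%%Spam Bot%%' ORDER BY id DESC LIMIT %d",
    //       $limit));
    // ($table_name still comes from $wpdb->prefix, never from the request.)
    printf("%-30s -> LIMIT %d\n", var_export($s, true), $limit);
}
```

Both layers matter: prepare() with %d guarantees that only an integer is ever spliced into the SQL, and the range check guarantees that the integer is one the page was designed to serve. The same pattern (whitelist or range check, then prepare()) applies to every other option the admin pages read from $_POST, which is the "all the options aren't validated" point raised above.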

    Plugin Author luciole135

    (@luciole135)

    Indeed, there are people such as contributors, users who can access the WordPress admin. The enemy can come from within!
    I will validate all entries on the pages to prevent them from attempting this feat.
    It will take some time.
    Regards

    Thread Starter aramosf

    (@aramosf)

    Hello!

    Any news about that?

    Regards

    Plugin Author luciole135

    (@luciole135)

    According to my tests, injection attempts through the drop-downs fail because of the AJAX processing.
    I am finalizing the new version; it is taking me more time than expected.


The topic ‘SQL Injection’ is closed to new replies.