Support » Plugin: Zotpress » SQL injection in api_user_id usage (?)

  • Resolved uberspot

    (@uberspot)


    Hi,

    in lib/shortcode/shortcode.ajax.php
    you get the api_user_id from the GET parameter.

    function Zotpress_shortcode_AJAX() {
        ...
        $zp_api_user_id = $_GET['api_user_id'];
        ...
        $zp_account = zp_get_account ($wpdb, $zp_api_user_id);

    You then use that api_user_id in the functions zp_get_account, zp_get_accounts and zp_clear_cache_for_user in lib/request/request.function.php which do SQL queries with the wpdb->get_results function but don’t do wpdb->prepare on the input.

    function zp_get_account ($wpdb, $api_user_id_incoming=false)
    {
        if ($api_user_id_incoming !== false)
            $zp_account = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."zotpress WHERE api_user_id='".$api_user_id_incoming."'");

    I might be mistaken but with a brief glimpse I don’t see where the api_user_id is validated/sanitized, in which case there is an SQL injection vulnerability. Am I missing something? Is some WordPress function escaping that user input?

    Helpful resources:
    https://developer.wordpress.org/plugins/security/securing-input/
    http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/

    https://wordpress.org/plugins/zotpress/
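The unprepared query pattern quoted above beside a version that binds the value with $wpdb->prepare(), as an added example (not Zotpress's own code). It assumes WordPress's global $wpdb object and the {$wpdb->prefix}zotpress table named in the post; the digits-only check in the last function assumes the ID is a plain integer string, which the post does not state.

```php
<?php
// Added example, not code from the Zotpress plugin. Assumes the WordPress
// $wpdb object and the {$wpdb->prefix}zotpress table named in the post.

// Vulnerable shape quoted in the post: the value is concatenated into the SQL.
// A single quote in $api_user_id_incoming terminates the string literal and
// the rest of the value is parsed as SQL.
function zp_get_account_unprepared( $wpdb, $api_user_id_incoming = false ) {
    if ( $api_user_id_incoming === false ) {
        return false;
    }
    return $wpdb->get_results(
        "SELECT * FROM " . $wpdb->prefix . "zotpress WHERE api_user_id='" . $api_user_id_incoming . "'"
    );
}

// Hardened shape: $wpdb->prepare() binds the value through the %s placeholder,
// so it is escaped for the database and cannot change the query's structure.
function zp_get_account_prepared( $wpdb, $api_user_id_incoming = false ) {
    if ( $api_user_id_incoming === false ) {
        return false;
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}zotpress WHERE api_user_id = %s",
            $api_user_id_incoming
        )
    );
}

// Hardened shape of the AJAX handler's read of the GET parameter: check it is
// present, unslash and strip it, and (assumption: the ID is a plain integer
// string) refuse anything that is not digits before it reaches any query.
function zp_read_api_user_id_from_get() {
    if ( ! isset( $_GET['api_user_id'] ) ) {
        return false;
    }
    $id = sanitize_text_field( wp_unslash( $_GET['api_user_id'] ) );
    if ( ! ctype_digit( $id ) ) {
        return false;
    }
    return $id;
}
```

The same prepare() change applies to zp_get_accounts and zp_clear_cache_for_user, which the post says build their queries the same way.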

Viewing 1 replies (of 1 total)
  • The topic ‘SQL injection in api_user_id usage (?)’ is closed to new replies.