|
Description
|
|
High-Tech Bridge SA has discovered multiple vulnerabilities in the WP Forum Server plugin for WordPress, which can be exploited by malicious users and malicious people to conduct SQL injection attacks.
1) Input passed via the "id" parameter to index.php (when "vasthtmlaction" is set to "editpost" and "page_id" is set) is not properly sanitised in wp-content/plugins/forum-server/wpf-post.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "search_max" parameter to index.php (when "vasthtmlaction" is set to "search" and "page_id" and "t" are set) is not properly sanitised in wp-content/plugins/forum-server/wpf.class.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Input passed via the "topic" parameter to wp-content/plugins/forum-server/feed.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerabilities are confirmed in version 1.6.5. Other versions may also be affected.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
WordPress WP Forum Server Plugin 1.x
|
|
|
|
|
|
Solution
|
|
Vulnerability #3 is fixed in the SVN repository. Edit the source code to ensure that input is properly sanitised.
|
|
|
|
|
|
CVE
|
|
CVE-2011-1047
|
|
|
|
|
|
References
|
|
High-Tech Bridge SA (HTB22850
HTB22851
HTB22852):
http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin.html
http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_1.html
http://www.htbridge.ch/advisory/sql_injection_in_wp_forum_server_wordpress_plugin_2.html
WP Forum Server Plugins Trac:
http://plugins.trac.wordpress.org/changeset?reponame=&
new=354688%40forum-server&
old=332597%40forum-server
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
