If you are currently using the latest release of the WP-Forum plugin, listen up. The websec security team has discovered a vulnerability within this plugin that can be exploited by malicious users to conduct SQL injection attacks. According to Secunia:
Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “<!--WPFORUM-->” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
When exploited successfully, this vulnerability allows an attacker to retrieve the usernames, password hashes, and email addresses of all users, including administrators. The attacker does, however, need to know the database table prefix. The vulnerability has been confirmed in version 1.7.4, which is currently the most recent version available for download.
Description:
WP-Forum is a WordPress plugin that enables you to have a forum directly attached to your WordPress installation. The plugin is based on Simple Forum.
[EDIT] We would have liked to see the plugin author notified of the vulnerability and given a chance to fix it, but the advisory makes no mention of this. Until a fix is released, we suggest disabling and removing the plugin.
[EDIT] As pointed out in the comments, the Simple Forum mentioned above is not the same as the Simple Forum WP Plugin.
Would you be willing please, to point out that the ‘Simple Forum’ mentioned above is NOT the same as my own ‘Simple Forum WP Plugin’? (http://www.stuff.yellowswordfish.com/simple-forum/) I found out quite recently that there was a stand alone system named ‘Simple Forum’ and have been debating whether to change the name of my plugin. But I would not want people to be confused! My own forum plugin is NOT based on this third party product and also has no relationship with WP-Forum.
Thanks.
I started a thread with this information on their forum.
@Sabo Thanks for doing that. Although if you were to look at the comments for that plugin on the blog, it looks like development for that plugin might be dead and has been dead for quite a while.
Thanks, this is a great revelation!
I could not reproduce that bug… I have some doubts that it really works,
but I simply fixed it using the following code in “forum-functions.php”:
function forum_get_profile($user){
global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
if(is_numeric($user)) {
.....
}
Just use that “is_numeric” (since user IDs are integers and not strings containing SQL queries).
@Dhruva Sagar Believe me, the exploit works like a charm, I already obtained some md5 hashed passwords from it. The exploit in combination with this http://md5.rednoize.com/ is going to be a playground for all the script kiddies out there.
Sorry, my comment was for Cyneox, I can’t get used to this UGLY design of this website.
Jeffro2pt0 dude, this website looks like we were in 1995.
@Cyneox did you use that code like this:
function forum_get_profile if(is_numeric($user){
global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
or like this?
function forum_get_profile($user){
global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
if(is_numeric($user)) {
Because if you used the second one, I don’t know where I should close the }
@Sabo
The code was added in “forum-functions.php”.
I used:
function forum_get_profile($user){
global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
if(is_numeric($user)) {
...
}
The last “}” comes after the “return”.
I think this bug works only on pure WordPress (not WordPress MU), although I haven’t tested it yet…
@Sabo
Nice site you got there… can you please tell me which plugin you are using for the paged posts on the first site?
@Cyneox Dude, your fix didn’t fix the security issue. I implemented it and then applied the exploit, and I could obtain all the usernames/MD5-hashed passwords/e-mails@…
That fix didn’t work for a normal WordPress installation.
And thanks about the site, for the page navigation I’m using:
http://www.mis-algoritmos.com/.....ugin-v-10/
Regards!
@Sabo
Well that fix did work for me. Actually I can’t really understand why it shouldn’t work.
According to http://www.php.net/is_numeric:
is_numeric ( mixed $var )
If $var is a number (integer, double, etc.), ‘is_numeric’ will return TRUE. Otherwise, ‘FALSE’ will be returned.
In OUR case the script should verify whether the parameter given to ‘user’ is an integer or not.
The normal page URL will be:
http://blabla.com/?page_id=7&a.....amp;user=1
The hack takes advantage of the parameter given to ‘user’ not being verified:
http://www.blablabla.com/?page.....ull,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null+from+wp_users/*
As you can see the value given to ‘user’ is NOT an integer and that’s why you add the condition (at the beginning of the script):
if (is_numeric($user)) {
// here goes the rest of the php script
}
I am using WPMU and the hack did not work on my site. Which version of WordPress/WPMU are you using ?
Try wrapping the input with intval( ), too. Quick fix.
@Cyneox
I tried the patch on WP 2.3.2 and it didn’t work.
We can hardly read through these “trackback spam” comments. Jeffro2pt0 man, if you are not going to use an easy-to-read theme, at least separate your trackbacks from the normal posts.
http://www.dailyblogtips.com/s.....ress-blog/
Regards!
@Sabo Hey there. I am a guest blogger for WeblogToolsCollection.com and do not own this domain or have full control over the display or functionality of this blog. This blog is owned by Mark Ghosh. If you have any comments regarding this blog, the articles or just want to tell him what you think, contact him via http://weblogtoolscollection.com/contact-me/
Sabo, I do not agree that they need to be separated. We can take that discussion offline. Email me at mark at wltc dot net if you would like.
Just for the record, I always use something like $user = intval($user); to ensure input that should be a whole number is sanitised. Rather than check whether it is an integer, why not force it to be one (if it’s not numeric, 0 is returned)?
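The vulnerable shape the advisory describes and the two fixes argued over in the comments (is_numeric versus intval), as an added example that is not the plugin’s code. The $wpdb object, the $table_threads global and the profile query itself are assumptions borrowed from the comment thread; only the validation comparison at the bottom runs outside WordPress.

```php
<?php
// Added example, not WP-Forum's own code. $wpdb (WordPress DB wrapper),
// $table_threads and the query shape are assumed from the comments above.

// VULNERABLE shape: the "user" request parameter is interpolated straight
// into the SQL string, so any non-numeric value rewrites the statement.
function forum_get_profile_vulnerable($wpdb, string $user) {
    global $table_threads;
    return $wpdb->get_results("SELECT * FROM $table_threads WHERE user = $user");
}

// Accept only a strictly positive whole number and reject everything else.
// Returning null (instead of 0, as intval() would) lets the caller refuse
// the request rather than silently query a different row.
function forum_user_id_or_null($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = trim((string) $raw);
    // ctype_digit() rejects signs, decimals, exponents and embedded text,
    // several of which is_numeric() would accept ("7.5", "1e3", "-7").
    if ($s === '' || !ctype_digit($s)) {
        return null;
    }
    $id = (int) $s;
    return $id > 0 ? $id : null;
}

// HARDENED shape: validated integer plus a prepared statement. The %d
// placeholder casts again, so a later bug in validation still cannot
// change the structure of the query.
function forum_get_profile_hardened($wpdb, $raw) {
    global $table_threads;
    $id = forum_user_id_or_null($raw);
    if ($id === null) {
        return [];                       // refuse, do not guess
    }
    $sql = $wpdb->prepare("SELECT * FROM $table_threads WHERE user = %d", $id);
    return $wpdb->get_results($sql);
}

// Constructed inputs showing why the two fixes differ: is_numeric() admits
// more than whole numbers, intval() keeps a leading number and drops the
// rest, and the strict check above rejects anything that is not an ID.
foreach (['7', ' 7', '7.5', '7 or x', 'abc'] as $in) {
    printf("%-8s is_numeric=%-5s intval=%-4d strict=%s\n",
        var_export($in, true), var_export(is_numeric($in), true),
        intval($in), var_export(forum_user_id_or_null($in), true));
}
```

Run stand-alone it prints the comparison table only; the two query functions need a real WordPress $wpdb to execute.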
I know this is an old post, but one would be surprised at the amount of sites that still have not fixed this vulnerability to this day.