WP-Forum 1.7.4 SQL Injection
A critical vulnerability in Fredrik Fahlstad's WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentially your web server/host.
Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
PoC
See milw0rm
Fix
The BlogSec team are unaware of any fixes at this time.
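As an illustration of the flaw described above and of how a plugin author would close it, here is an added example; it is not WP-Forum's own code, and the function names, the `wpf_` prefix and the table name are assumptions that mirror the advisory's "showprofile" flow reading a "user" parameter.

```php
<?php
// Added illustration, not the WP-Forum plugin's code. Names below are
// assumptions: "wpf_" prefix, and "{$wpdb->prefix}forum_users" as table.

// VULNERABLE pattern: the request value is dropped straight into the SQL
// string, so whatever is sent as ?user= becomes part of the query text.
function wpf_show_profile_vulnerable( $wpdb ) {
    $user = $_GET['user'];                                     // untrusted
    $sql  = "SELECT * FROM {$wpdb->prefix}forum_users WHERE user = '$user'";
    return $wpdb->get_row( $sql );                             // injectable
}

// HARDENED pattern: validate the shape of the value first, then let
// $wpdb->prepare() (available since WordPress 2.3) quote and escape it,
// so the value can never change the structure of the statement.
function wpf_show_profile_hardened( $wpdb ) {
    $user = isset( $_GET['user'] ) ? (string) $_GET['user'] : '';
    // A profile lookup only ever needs a short display name; anything
    // empty or oversized is rejected before the database is touched.
    if ( $user === '' || strlen( $user ) > 60 ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}forum_users WHERE user = %s",
        $user
    );
    return $wpdb->get_row( $sql );
}

// Dispatch on "forumaction" through a whitelist, so only known actions
// reach a handler and each handler owns its own parameter validation.
function wpf_dispatch( $wpdb ) {
    $actions = array( 'showprofile' => 'wpf_show_profile_hardened' );
    $action  = isset( $_GET['forumaction'] ) ? $_GET['forumaction'] : '';
    if ( ! isset( $actions[ $action ] ) ) {
        return null;                                           // unknown action
    }
    return call_user_func( $actions[ $action ], $wpdb );
}
```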
Comments
Philipp and David, the HTML tags are not properly sanitized in this post ;-) (look at the “with the “” tag” phrase). You need to fix it.
P.S.
ryan, you can fix this hole by yourself if you don’t want to wait for the official fix, because it’s common for developers not to fix holes in their software very fast.
We’ve spotted no newer version of this plugin. Anyway, his forum seems to run a newer version of the plugin. Anyway, you could patch that hole by yourself.
[...] The plugin's homepage is already on version 2.2. This means this vulnerability was probably discovered shortly after the initial version 1.7.4 vulnerability reported by BlogSecurity in early 2008. [...]
WordPress really needs to step up and provide SQL-safe functions!