Filed Under (Advisories, WordPress) by Philipp on 22 January 2008

A critical vulnerability in Fredrik Fahlstad’s WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.

This hole may allow an unauthenticated attacker full access to your blog and potentially to your web server/host.

Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
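As an added illustration (not code from the advisory or from the WP-Forum plugin itself), the Python snippet below reproduces the class of defect described above against a constructed in-memory SQLite table: the vulnerable profile lookup pastes the request parameter into the SQL text, while the hardened version binds it as a parameter and only honours the expected action. The table schema, function names and sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a forum's user table
# (an assumption; this is not WP-Forum's real schema).
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def show_profile_vulnerable(conn, user):
    """The flawed pattern: the request value becomes part of the SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % user
    return conn.execute(sql).fetchall()


def show_profile_fixed(conn, user):
    """Hardened: the value travels as a bound parameter; the SQL text is fixed."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (user,)).fetchall()


# Stand-in for the plugin's dispatch on "forumaction" (hypothetical names).
ALLOWED_ACTIONS = {"showprofile"}


def handle_request(conn, params):
    """Honour only a known action, then do the parameterised lookup."""
    action = params.get("forumaction", "")
    if action not in ALLOWED_ACTIONS:
        return None
    return show_profile_fixed(conn, params.get("user", ""))


def compare(user):
    """Return (rows from the vulnerable query, rows from the fixed query)."""
    conn = make_db()
    try:
        return (
            show_profile_vulnerable(conn, user),
            show_profile_fixed(conn, user),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed tautology input of the kind an injection test would use.
    tainted = "x' OR '1'='1"
    bad, good = compare(tainted)
    print("vulnerable query returned", len(bad), "row(s)")  # every user
    print("fixed query returned", len(good), "row(s)")      # none
```

The difference is visible in the row counts: the interpolated query returns every user for the tautology input, while the bound query returns nothing because the whole string is compared as a literal name. In a WordPress plugin the equivalent hardening is to build the statement with `$wpdb->prepare()` and a `%s` placeholder rather than concatenating `$_GET['user']` into the query.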

PoC

See milw0rm

Fix

The BlogSec team are unaware of any fixes at this time.


Comments

DK on 22 January, 2008 at 9:24 pm #

WordPress really needs to step up and provide SQL-safe functions!


ryan on 24 January, 2008 at 12:00 pm #

Does anybody know of a fix for this yet? I’d like to get my forums back up.


DK on 24 January, 2008 at 12:09 pm #

ryan, I haven’t seen any official fix yet.


Trevor Carpenter on 29 January, 2008 at 11:34 pm #

@ryan. I have a fix for this…

I uninstalled WP-forum and installed a real forum, phpbb.


MustLive on 31 January, 2008 at 6:26 pm #

Philipp and David, the HTML tags are not properly sanitized in this post ;-) (look at the “with the “” tag” phrase). You need to fix it.

P.S.

ryan, you can fix this hole yourself if you don’t want to wait for an official fix, because it’s common for developers not to fix holes in their software very quickly.


Mike on 3 February, 2008 at 11:00 pm #

Any news?..


Kai on 25 June, 2008 at 5:34 pm #

Any fix for this yet….?


Philipp on 26 June, 2008 at 8:08 am #

We’ve not spotted a newer version of this plugin. Anyway, his forum seems to run a newer version of the plugin. Anyway, you could patch that hole yourself.

