David Kierznowski of BlogSecurity has found a critical vulnerability in the popular TextLinkAds plugin for WordPress. The vulnerability allows an unauthenticated, remote attacker to completely compromise your database and therefore your blog.

This is a serious security risk, and should take higher priority than it has. I have exchanged various emails with TextLinkAds (starting 31 Dec 2007), but no fix has been made available to date - as far as I am aware. It was trivial to find and there are most likely others… I am releasing this now as attackers may already be exploiting it and I am reluctant to leave it longer.

The vulnerability was tested on version 1.1.1 and the latest version 1.1.3; both were found vulnerable. Please note I have also verified that this vulnerability affects v3.0.8. Please note that all plugin versions released before 15/Jan/08 are likely affected. DO NOT rely on the version numbers.

Proof of concept:

Removed for security reasons.

Fix information:

The vulnerable code is found on line 512:
$postId = $postId;
This variable is passed to $wpdb->get_results without being sanitised.
To fix this hole, simply change the above line to:
$postId = (int) $postId; /* FIXED */
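To show why the one-line cast is enough, here is an added example (not the plugin's code nor the advisory's): a stand-in query built the vulnerable way beside the fixed way, run over constructed inputs, plus the $wpdb->prepare() form WordPress offers for the same purpose. The wp_posts table and the query shape are assumptions; the real plugin query is not reproduced on this page.

```php
<?php
// Added example, not code from the TextLinkAds plugin.
// Demonstrates the effect of the advisory's fix on the value that
// reaches the SQL string. Table name and query are stand-ins.

// Before: the raw request value flows unchanged into the SQL string,
// so anything the request carries becomes part of the query.
function vulnerable_query($postId)
{
    return "SELECT * FROM wp_posts WHERE ID = " . $postId;
}

// After (the advisory's fix): the cast guarantees that only a bare
// integer is ever interpolated. Leading digits survive, everything
// else collapses to 0.
function fixed_query($postId)
{
    $postId = (int) $postId; /* FIXED */
    return "SELECT * FROM wp_posts WHERE ID = " . $postId;
}

// Idiomatic WordPress alternative: $wpdb->prepare() with %d coerces the
// argument to an integer itself. Defined only; it needs the global
// WordPress $wpdb object, which is assumed and not available here.
function prepared_query($wpdb, $postId)
{
    return $wpdb->prepare("SELECT * FROM wp_posts WHERE ID = %d", $postId);
}

// Constructed inputs: a legitimate id and two malformed values a
// request parameter could carry.
foreach (['17', '17abc', 'not-a-number'] as $raw) {
    printf("raw=%-15s vulnerable: %s\n", var_export($raw, true), vulnerable_query($raw));
    printf("%-19s fixed:      %s\n", '', fixed_query($raw));
}
```

Running it shows the vulnerable query echoing each raw value verbatim, while the fixed query yields ID = 17, 17 and 0 respectively.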

While browsing through the code, I did notice other SQL injection problems; some of these are mitigated by the fact that a valid TextLinkAds key is needed to call the function, but a more in-depth review may reveal more.

Summary

Although I have provided a fix, I would suggest disabling this plugin until a full review of the code has been conducted by TextLinkAds and an appropriate fix released. I am sure this will cause a lot of anxiety, especially as a number of larger and smaller blogs earn income via this service.


Comments

BloggingTom on 17 January, 2008 at 10:12 am #

Version 1.1.1 and 1.1.3?

The TLA-plugin on a site of me states version 3.0.6… So looks like the versions you are talking about are very outdated…


SarahG on 17 January, 2008 at 12:27 pm #

I’ve just downloaded an up to date plugin off the TLA website and their plugin version is 3.0.8. I also searched for the code above and I can’t find it in there, not on line 512 or by searching on $postId.

A lot of the code could be altered to make things more protected though, minor changes really. But I can’t find this code at all.


[…] BlogSecurity points out a security vulnerability in the TextLinkAds plugin. […]


Jonathan on 17 January, 2008 at 3:10 pm #

nice referral link up top. were you going to disclose that or just lead everyone through your referral?


DK on 17 January, 2008 at 4:47 pm #

BloggingTom, SarahG, please provide me with the link. Sounds like two separate plugins here. I just checked and the latest now appears to be 1.1.4 (via install Ad code).

Jonathan, no idea what you talking about and don’t really care.


alex on 17 January, 2008 at 4:57 pm #

Are you really sure about the version?


SarahG on 17 January, 2008 at 5:35 pm #

Hi DK, to get the plugin I went to the option to Install Ad Code, chose the site and clicked Get Ad code, selected the WordPress plugin, said I didn’t want to use the sidebar widget, chose 1 link per row and clicked okay.

If you want to drop me an email I’ll happily email over the plugin I get. Just don’t fancy putting it online for everyone as they’re specific to each site I believe.


Jonathan on 17 January, 2008 at 11:16 pm #

DK,

I’m just wondering, what is textlinkSads.com? isn’t the domain text-link-ads.com?


BloggingTom on 18 January, 2008 at 7:42 am #

Well, I just checked it too with the same options SarahG chose. Now it is version 3.0.9. I’ll send you an email with the plugin…

And about Jonathan: He’s just complaining about the link in the text above which links to textlinksads.com instead of text-link-ads.com…


SarahG on 18 January, 2008 at 10:39 am #

Jonathan, like all good businesses, TLA own both the hyphenated and unhyphenated versions. There’s no referral link in DK’s post. Try a whois on the domain to be sure.


DK on 18 January, 2008 at 11:23 am #

Please note, SarahG kindly sent me this plugin (v3.0.8). There is some weird stuff going on with the version, but v3.0.8 is affected in the same way. I will update the advisory accordingly.


[…] advisory has been updated accordingly. […]


Jonathan on 18 January, 2008 at 3:28 pm #

SarahG,

Administrative Contact:
Wong, Michael
Art Dacor USA LLC
3727 West Magnolia Blvd
#489
Burbank, California 91505
United States
8186883292

Sure doesn’t look like TextLinkAds.com’s whois.

TLA does not own that domain.

I personally don’t care, but a little disclosure would be nice.


SarahG on 18 January, 2008 at 3:57 pm #

Ah, re-reading your comment and the post, an additional S has crept into the link, a simple typing error at a guess. I doubt that was intentional. My apologies, I was checking on http://www.textlinkads.com, no S after link, and the whois gives TLA as owners.

With DK being in Europe (UK judging by his about content) and this domain owner being in the US, I doubt he’d be feeding referrals to someone else on purpose (although he’d have to confirm).


djbaxter on 18 January, 2008 at 5:16 pm #

I couldn’t find the line “$postId = $postId;” at 512 or anywhere else in my TLA plugin. I went to the TLA site and downloaded a brand new plug-in to see if it had changed and it’s nowhere to be found in that file either.


Nick on 3 February, 2008 at 1:15 pm #

I’ve just downloaded a new plugin version (after being sent an e-mail from TLA) and the problem still exists… code from version 1.2.0…

function tla_send_new_post_alert($postId)
{
    global $text_link_ads_object;

    // $postId is appended to the ping URL exactly as received, with no validation
    $text_link_ads_object->postLevelPing(
        $text_link_ads_object->tlaPingUrl
        . '?action=add&inventory_key=' . $text_link_ads_object->websiteKey
        . '&post_id=' . $postId
    );
}


Brian on 26 March, 2008 at 9:02 am #

Does anyone know if this has been fixed yet, or a good version to use?

