Solution for WordPress WP-Forum 1.7.4 SQL injection
2008. 01. 27.
Category: Articles
Last week milw0rm published an SQL injection in the WordPress Forum plugin (WP-Forum) 1.7.4 by Fredrik Fahlstad. Here I'll provide a workaround for it.
The original bug report is here.
This is a standard SQL injection: the plugin handles the $_GET['user'] parameter sloppily and passes it straight to forum_get_posts_by_user without any type check.
The forum_show_profile function is a thin wrapper around forum_get_profile that hands over the raw request value; it is in wp-forum.php on row 917:
function forum_show_profile(){ return forum_get_profile($_GET['user']); }
Let's see what forum_get_profile is doing. It's found in forum_functions.php on row 363:
function forum_get_profile($user){
    global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
    $profile = new WP_User($user);
    ...
    <td valign='top' class='table_meta'>Recent posts: </td><td>".forum_get_posts_by_user($user, 10)."</td>
    ...
So, I guess the easiest solution is to patch the forum_get_profile function before the WP_User call, like this:
$user = intval($user);
$profile = new WP_User($user);
This forces the PHP engine to convert the given $user value to an integer: intval() keeps only the leading digits (with an optional sign) and drops everything after them, so an injected string such as `2 OR 1=1` collapses to 2. In the worst case, when there are no leading digits at all, it produces 0, and that means it will show the admin user's forum profile and posts.
Two caveats for anyone applying this: the cast hardens only this one call site, so every other place where WP-Forum splices a request parameter into SQL needs the same treatment, and the more robust habit is to build such queries with $wpdb->prepare() (available since WordPress 2.3) rather than relying on a cast in front of each query.
Big deal
So, that’s it.
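To make the mechanism concrete, here is an added example (not code from the page or from the WP-Forum plugin). It re-enacts the bug in Python against an in-memory SQLite table instead of the plugin's PHP and MySQL, because the shape of the problem is language-neutral: an unquoted integer parameter spliced into SQL. The table layout, the query text and the sample rows are all constructed assumptions; the page does not show the body of forum_get_posts_by_user. The block contrasts the vulnerable splice, the page's intval() workaround (modelled by a small intval() helper that copies PHP's leading-digits rule), and a bound-parameter version.

```python
import re
import sqlite3

# Constructed sample rows standing in for the plugin's posts table.
# Columns: post id, poster id, post text. The real wp-forum schema is not on the page.
POSTS = [
    (1, 1, "admin post"),
    (2, 2, "bob post one"),
    (3, 2, "bob post two"),
    (4, 3, "carol post"),
]


def make_db():
    """Build the in-memory table the three query variants below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, poster_id INTEGER, text TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def get_posts_by_user_vulnerable(conn, user, limit=10):
    """Mirrors the bug: the raw request value lands in the SQL text unchanged."""
    sql = f"SELECT text FROM posts WHERE poster_id = {user} LIMIT {int(limit)}"
    return [row[0] for row in conn.execute(sql)]


def intval(value):
    """PHP-style intval(): optional sign plus leading digits, anything else is 0."""
    match = re.match(r"[+-]?\d+", str(value).lstrip())
    return int(match.group(0)) if match else 0


def get_posts_by_user_intval(conn, user, limit=10):
    """The page's workaround: cast before the value can reach the query."""
    user = intval(user)
    sql = f"SELECT text FROM posts WHERE poster_id = {user} LIMIT {int(limit)}"
    return [row[0] for row in conn.execute(sql)]


def get_posts_by_user_prepared(conn, user, limit=10):
    """Bound parameters: the driver handles typing, and garbage is rejected, not mapped to 0."""
    try:
        user_id = int(user)
    except (TypeError, ValueError):
        return []
    rows = conn.execute(
        "SELECT text FROM posts WHERE poster_id = ? LIMIT ?", (user_id, int(limit))
    )
    return [row[0] for row in rows]


def demo():
    """Run one honest request and one injection-shaped request through each variant."""
    conn = make_db()
    payload = "2 OR 1=1"  # constructed injection-shaped value for the `user` parameter
    return {
        "honest": get_posts_by_user_vulnerable(conn, "2"),
        "injected": get_posts_by_user_vulnerable(conn, payload),   # every row leaks
        "intval": get_posts_by_user_intval(conn, payload),         # collapses to user 2
        "prepared": get_posts_by_user_prepared(conn, payload),     # rejected outright
        "intval_garbage": get_posts_by_user_intval(conn, "abc"),   # becomes user 0
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```

The `intval_garbage` case is the page's "worst case": a non-numeric value becomes user 0. In this constructed table no poster has id 0, so it returns nothing; in the plugin, per the page, it shows the admin's profile instead, which is the reason the prepared variant returns an empty result for non-integers rather than silently substituting 0.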
Tags: Articles, blog, kocka, plugin, security, wordpress
Snap | 2008 02 16
the function is_numeric() does the work too
DjZoNe | 2008 02 16
That’s true
Lyuba | 2008 11 06
Blin … really beautifully written! All this is so familiar … and truthfully!
doolecdowhern | 2008 11 30
Hi. I on numerous occasions be familiar with this forum. This is the oldest period undisputed to ask a query.
How multifarious in this forum are references Nautical port behind, disingenuous users?
Can I bank all the facts that there is?