WP-Forum XSS and SQL Injection vulnerabilities
So some twit (or bot) attempted an SQL injection attack against our site. SQL injection is a form of code injection, of which there are many types. The definition of XSS includes SQL injection as one of the methods.
This one used a crafty query in an attempt to pull records from our database.
http://asylum-et.com/?page_id=3&forumaction=showprofile
&user=1%20union%20select%20null,
concat(user_login,0x2f,user_pass,0x2f,user_email),
null,null,null,null,null%20from%20wp_users%20where%20id=1/*
which produced this nice little bit of output:
WordPress database error: [The used SELECT statements have a different number of columns]
SELECT count(*) FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/*
WordPress database error: [The used SELECT statements have a different number of columns]
SELECT * FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/* ORDER BY date DESC LIMIT 10
Unfortunately for this person, this was not the result they were after, since our database is not the standard WP database and our code is not the standard WP code. I have since fixed the code so that not even this error output is shown any more.
Please take note of this twit's IP address:
88-232-152-90
I am glad that this attempt was made, because it alerted us to a vulnerability in the wp-forum Version: 1.7.4 software. The author must have decided that sanity checks were useless, because there was not a single one checking the data being passed into the database queries.
If you are using this plugin you should at least go through and apply intval() to each of the $_GET variables that wp-forum uses directly in its queries. Hopefully the author decides to release a security fix for their software, but that won't affect us since we have extensively altered our copy of the script to secure it. The original wp-forum can be found here: http://www.fahlstad.se/wp-plugins/wp-forum
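To show what the intval() fix looks like in practice, here is an added example (not wp-forum's own source, which is not reproduced on this page): the unsafe pattern that lets the query above reach MySQL, and the hardened version. The function names and the reconstruction of the vulnerable query are assumptions; only the table name wp_forum_posts and the author_id column come from the error output above.

```php
<?php
// Added example, not wp-forum's code. count_posts_unsafe() is a
// reconstruction of the pattern that produces the error shown above;
// the real plugin function is not on this page.

// Vulnerable pattern: the raw $_GET value is glued into the SQL string,
// so everything after the number (a UNION, a trailing comment) is
// executed by MySQL as part of the query.
function count_posts_unsafe() {
    global $wpdb;
    $author = $_GET['user'];
    return $wpdb->get_var(
        "SELECT count(*) FROM wp_forum_posts WHERE author_id = " . $author
    );
}

// Hardened pattern: intval() reduces the parameter to an integer
// (leading digits are kept, anything after them is dropped, and
// non-numeric input becomes 0), and $wpdb->prepare() binds that integer
// as %d so no query text is ever built from user input.
function count_posts_safe() {
    global $wpdb;
    $author = isset($_GET['user']) ? intval($_GET['user']) : 0;
    if ($author <= 0) {
        return 0; // no valid author id; refuse rather than query with it
    }
    return $wpdb->get_var($wpdb->prepare(
        "SELECT count(*) FROM wp_forum_posts WHERE author_id = %d",
        $author
    ));
}

// Quick check of what intval() does to a tampered parameter: the whole
// "1 union select ..." string collapses to the integer 1, so the only
// thing that can reach the query is a number.
function show_intval_effect($raw) {
    return intval($raw); // e.g. intval("1 union select null") === 1
}
```

The same treatment applies to every other $_GET value the plugin passes into a query (page numbers, thread and post ids); string parameters that cannot be made integers should go through $wpdb->prepare() with %s instead.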