Solution for WordPress WP-Forum 1.7.4 SQL injection


Last week milw0rm published an SQL injection in the WordPress Forum plugin 1.7.4 by Fredrik Fahlstad. Here I’ll provide a workaround for it.

The original bug report is here.

This is a standard SQL injection, caused by the sloppy handling of $_GET parameters and by the call to forum_get_posts_by_user without any type check.
The forum_show_profile function provides a buggy alias for forum_get_profile, in wp-forum.php at line 917:

function forum_show_profile(){
       return forum_get_profile($_GET['user']);
}

Let’s see what forum_get_profile does. It’s found in forum_functions.php at line 363:

function forum_get_profile($user){
        global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
        $profile = new WP_User($user);
        ...
        Recent posts: ".forum_get_posts_by_user($user, 10)."
        ...

So, I guess the easiest solution is to patch the forum_get_profile function before the WP_User call, like this:

        $user = intval($user);
        $profile = new WP_User($user);

It forces the PHP engine to convert the given $user variable to an integer. In the worst case it produces 0, which means the admin user’s forum profile and posts will be shown.

Big deal 😉
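As an added example (not the plugin’s code, and not the author’s patch), here is the same idea as a single validation point for the user id, contrasting the intval() cast above with the is_numeric() check suggested in the comments, plus the query written with a bound parameter so the id can never become SQL text. It assumes a PHP CLI with PDO and the SQLite driver; the table and rows are constructed sample data.

```php
<?php
// Normalise the forum "user" id the way the post's patch does: anything that is
// not a plain positive integer collapses to 0, the post's "worst case".
function forum_user_id_from_request(array $get): int {
    $raw = isset($get['user']) ? (string) $get['user'] : '';
    // Stricter than intval(): only an all-digit string is accepted.
    return ctype_digit($raw) ? (int) $raw : 0;
}

// Same query shape as forum_get_posts_by_user, but the id and the limit are
// bound as integers, so the database never interprets them as SQL.
function forum_get_posts_by_user_safe(PDO $db, int $user, int $limit): array {
    $stmt = $db->prepare(
        'SELECT id, text FROM forum_posts WHERE poster_id = :user ORDER BY id DESC LIMIT :limit'
    );
    $stmt->bindValue(':user', $user, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE forum_posts (id INTEGER PRIMARY KEY, poster_id INTEGER, text TEXT)');
$db->exec("INSERT INTO forum_posts (poster_id, text) VALUES (1, 'admin post'), (2, 'user two post')");

// Constructed request values: a legitimate id, a non-numeric string, an empty
// value, and strings that is_numeric() accepts although they are not plain ids.
foreach (['2', 'abc', '', '1e2', '2.7', ' 2'] as $input) {
    $id = forum_user_id_from_request(['user' => $input]);
    printf("%-6s intval=%d is_numeric=%s -> lookup id %d, %d post(s)\n",
        var_export($input, true),
        intval($input),
        is_numeric($input) ? 'yes' : 'no',
        $id,
        count(forum_get_posts_by_user_safe($db, $id, 10)));
}
```

The loop shows that is_numeric() only validates and still lets exponent and decimal forms through, while the cast plus the bound parameter closes the injection regardless of what the caller passes.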

So, that’s it.


Comments

3 925 comments on the post “Solution for WordPress WP-Forum 1.7.4 SQL injection”

  1. Snap

    the function is_numeric() does the work too

  2. DjZoNe

    That’s true 🙂

  3. […] PS: Also worth mentioning at this point: a security hole in WP-Forum. In this case, passwords are read out via a database query. More on this here and here. […]

  4. […] I can’t publish it here for lack of a syntax highlighter. But it is available in Hungarian here, and in English here. « SQL Injection vulnerability in WordPress 2.3.1 Hungarian quotation marks plugin […]

  5. Lyuba

    Blin … really beautifully written! All this is so familiar … and truthfully!

  6. doolecdowhern

    Hi. I on numerous occasions be familiar with this forum. This is the oldest period undisputed to ask a query.
    How multifarious in this forum are references Nautical port behind, disingenuous users?
    Can I bank all the facts that there is?