Solution for WordPress WP-Forum 1.7.4 SQL injection


Last week milw0rm discovered an SQL injection in WordPress Forum plugin 1.7.4 by Fredrik Fahlstad. And here I’ll provide a workaround for that.

The original bugreport is here.

This is a standard SQL injection. Based on the slubber handling of _GET parameters, and the call of forum_get_posts_by_user without type check.
The forum_show_profile function provides a buggy alias for forum_get_profile, on wp-forum.php on row 917:

function forum_show_profile(){
       return forum_get_profile($_GET['user']);

Let’s see, what is forum_get_profile doing. It’s found in forum_functions.php on row 363:

function forum_get_profile($user){
        global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
        $profile = new WP_User($user);
        <td valign='top'  class='table_meta'>Recent posts: </td><td>".forum_get_posts_by_user($user, 10)."</td>

So, I guess the easiest soultion is, to patch the forum_get_profile function, before even, the WP_User class call, like this:

	$user = intval($user);
        $profile = new WP_User($user);

It forces PHP engine to convert the given $user variable to a number. In the worst case, it will produce 0, and that means it will show the admin user’s forum profile, and posts

Big deal 😉

So, that’s it.


“Solution for WordPress WP-Forum 1.7.4 SQL injection” bejegyzéshez 3 925 hozzászólás

  1. Hi. I on numerous occasions be familiar with this forum. This is the oldest period undisputed to ask a query.
    How multifarious in this forum are references Nautical port behind, disingenuous users?
    Can I bank all the facts that there is?

A hozzászólások jelenleg nem engedélyezettek ezen a részen.