[ad]

Last week milw0rm discovered an SQL injection in WordPress Forum plugin 1.7.4 by Fredrik Fahlstad. And here I’ll provide a workaround for that.

The original bugreport is here.

This is a standard SQL injection. Based on the slubber handling of _GET parameters, and the call of forum_get_posts_by_user without type check.
The forum_show_profile function provides a buggy alias for forum_get_profile, on wp-forum.php on row 917:

function forum_show_profile(){
       return forum_get_profile($_GET['user']);
}

Let’s see, what is forum_get_profile doing. It’s found in forum_functions.php on row 363:

function forum_get_profile($user){
        global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link;
        $profile = new WP_User($user);
        ...
        Recent posts: ".forum_get_posts_by_user($user, 10)."
        ...

So, I guess the easiest soultion is, to patch the forum_get_profile function, before even, the WP_User class call, like this:

	$user = intval($user);
        $profile = new WP_User($user);

It forces PHP engine to convert the given $user variable to a number. In the worst case, it will produce 0, and that means it will show the admin user’s forum profile, and posts

Big deal 😉

So, that’s it.

[ad]