[ad]
Last week milw0rm discovered an SQL injection in WordPress Forum plugin 1.7.4 by Fredrik Fahlstad. And here I’ll provide a workaround for that.
The original bugreport is here.
This is a standard SQL injection. Based on the slubber handling of _GET parameters, and the call of forum_get_posts_by_user without type check.
The forum_show_profile function provides a buggy alias for forum_get_profile, on wp-forum.php on row 917:
function forum_show_profile(){ return forum_get_profile($_GET['user']); } |
Let’s see, what is forum_get_profile doing. It’s found in forum_functions.php on row 363:
function forum_get_profile($user){ global $user_ID, $table_threads, $wpdb, $rss_link, $profile_link; $profile = new WP_User($user); ... <td valign='top' class='table_meta'>Recent posts: </td><td>".forum_get_posts_by_user($user, 10)."</td> ... |
So, I guess the easiest soultion is, to patch the forum_get_profile function, before even, the WP_User class call, like this:
$user = intval($user); $profile = new WP_User($user); |
It forces PHP engine to convert the given $user variable to a number. In the worst case, it will produce 0, and that means it will show the admin user’s forum profile, and posts
Big deal 😉
So, that’s it.
[ad]
the function is_numeric() do the work too
That’s true 🙂
Blin … really beautifully written! All this is so familiar … and truthfully!
Hi. I on numerous occasions be familiar with this forum. This is the oldest period undisputed to ask a query.
How multifarious in this forum are references Nautical port behind, disingenuous users?
Can I bank all the facts that there is?