WordPress Users Ultra Plugin [Blind SQL injection] - Update

From: Panagiotis Vagenas <pan.vagenas@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: WordPress Users Ultra Plugin [Blind SQL injection] - Update
Date:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
================================================================================

One can perform an SQL injection attack simply by exploiting the
following WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and
visibility by setting POST parameters `gal_name`, `gal_desc` and
`gal_visibility` respectively.

In case #8 `photo_id` is first casted to integer and a query to DB is
performed. If results are returned then for each result a new query is
performed without casting the `photo_id` to integer. So if an attacker
knows a valid video id then it can perform the attack in the second
query. This achievable because `<?php (int)'1 and sleep(5)' === 1; ?>

In case #9 a user can also change the photo name, description, tags and
category by setting POST parameters `photo_name`, `photo_desc`,
`photo_tags` and `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by
setting POST parameters `video_name`, `video_unique_id` and `video_type`
respectively.

Because function wpdb::get_results() and wpdb::query() are in use here,
only one SQL statement can be made per request. This holds severity of
the attack low.
In addition all actions are privileged so the user must have an active
account in vulnerable website, in order to perform the attack.


PoC
================================================================================

Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=edit_video&video_id=1 and sleep(5) `

Timeline
================================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution
================================================================================
 
Upgrade to version 1.5.63
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJWZ2ZhAAoJEBe10gGXVLphzFUP/3CkzkaF9sQgl3hZo2QaWzsu
kq43dBtVDQZjBQp5Qs2JqFYO7yc9FWRSZyD38CrWWtCwqK8DlMFxZYoAqwt45lEx
lYxiOUCO98BXeAUXy/DeS+gY2dgnt0FvC0SKpN59OS95Nn6EBaCcKCczavn46zxm
rPGr7GzORO7wqObgL16Rew98hmVsf+nYwFNvMBfq7NQIZQzD065S7dQKt33PNjey
u4/I3HFW7tKljVdait+LObfvLTA/TAxeFDRQhM5uRN2UGBBU5AWHwZK4JeayEaw4
i3MJPe6ZggXn3BMdrBzuySvMWuX8cEwMzJW9dKzwOz+97iZYiS5UFGH3PbT2VV0Y
It/uFdnqn6Z+f7rLRQdYpHImivkRirX6YgJ9gbT7ZqTJwrF2cTGykl8qkcddkSwU
Tt517YGXrw/8fgzRRH0/sRoK2JFq/V+pr6ksOEi/ppKdQrQaz+Kuy4lUglgN7NtC
Vlyma9GQnkPl5IAbCT18dNv8p6PcR4zcU0bKZufW2bfnEoaXVsL1vjjZ9oz9xAwX
q6i/4cGKsG7KwcSBqUNOw3SAXJjqBJhHQHrTw2TIb3bHLUh8/fGvCqQsRhfPUAf0
uAkfBQ5fXjtaKQcXif2LwjSgsaVhaiJY4Fp946mPn7E32jEswdcKrpaBA9WoPGgG
OJG27/ImQ9GJuXQV/uFW
=Fpqd
-----END PGP SIGNATURE-----





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.