Wordpress plugins - bbpress Multiple Vulnerabilities

vendor:

bbpress

by:

Dark-Puzzle (Souhail Hammou)

CVSS

CRITICAL

SQL Injection, Full Path Disclosure, Directory Listing

89, 200, 522

CWE

Product Name: bbpress

Affected Version From: All Versions

Affected Version To: All Versions

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Xp Sp2, Backtrack 5 R3

N/A

WordPress plugins – bbpress Multiple Vulnerabilities

bbpress plugin is prone to an SQL injection Vulnerability. In cases when you face a valid string column problem try to change syntax or instead spaces add /**/. The Full Path Disclosure vulnerability in bbpress is via Array. Directory Listing Vulnerability can be exploited by accessing the bb-templates directory.

Mitigation:

Ensure that user input is validated and filtered properly. Use parameterized queries to prevent SQL injection. Ensure that the web server is configured to not display directory listings.

Source

Exploit-DB raw data:

# Souhail Hammou - Independant Security Researcher & Penetration Tester .
# Facebook : www.facebook.com/dark.puzzle.sec
# Website : www.dark-puzzle.com
# Youtube : http://www.youtube.com/user/mariotrey
# E-mail   : dark-puzzle@live.fr
# Greetings to all moroccan researchers and white hats .
====================================================
# Exploit Title: Wordpress plugins - bbpress Multiple Vulnerabilities
# Author: Dark-Puzzle (Souhail Hammou)
# OSVDB ID : 86400 & 86399 .
# Vendor Website : www.bbpress.ru  /  www.bbpress.com
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows Xp Sp2 , Backtrack 5 R3 .
----------------------------------------------------
I - SQL Injection Vulnerability :
----------------------------------------------------
bbpress plugin is prone to an SQL injection Vulnerability .
In cases when you face a valid string column problem try to change syntax or instead spaces add /**/ .

Note: Automated injection can be more effective in this case.

Example : 

http://www.example.com/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject here] 

---------------------------------------------------
II - Full Path Disclosure Vulnerability :
---------------------------------------------------

The Full Path Disclosure vulnerability in bbpress is via Array .

Example :

www.example.com/path/bbpress/topic.php?id[]=12&replies=3

Error : Warning: urlencode() expects parameter 1 to be string, array given in /Full/Path/Here on line 786

---------------------------------------------------
III - Directory Listing Vulnerability :
---------------------------------------------------

www.example.com/PATH/bbpress/bb-templates/kakumei/
www.example.com/PATH/bbpress/bb-templates/kakumei-blue/

#Dark-Puzzle