Release date:
Updated on:
Affected Systems:
WordPress Hitasoft FLV Player Plugin 1.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56418
WordPress is a blog engine written in PHP with a MySQL database; you can run your own blog on any server that supports PHP and MySQL.
The WordPress Hitasoft FLV Player plugin 1.1 and other versions have a SQL injection vulnerability. Input passed to the "id" parameter of wp-content/plugins/hitasoft_player/config.php is not properly filtered before it is used in a SQL query, so an attacker can inject SQL code to manipulate that query.
<* Source: Ashiyane Digital Security Team
Link: http://secunia.com/advisories/51179/
http://dl.packetstormsecurity.net/1211-exploits/wphitasoft-sql.txt
*>
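The pattern described above, shown as an added example rather than the plugin's own code (the advisory does not reproduce the query in config.php, so the table name, column name and function names below are assumptions): the raw query-string value is concatenated into the SQL text, and the hardened version casts it to an integer and binds it with the WordPress $wpdb->prepare() API.

```php
<?php
// Added example, not code from the Hitasoft FLV Player plugin. The table
// `{$wpdb->prefix}hitasoft_player`, its `id` column and both function names
// are assumptions made for illustration.

// BEFORE: the pattern the advisory describes. Whatever follows the number in
// `id` (a UNION clause, a comment marker, ...) becomes part of the statement.
function hitasoft_get_config_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];                                   // unfiltered user input
    $sql = "SELECT * FROM {$wpdb->prefix}hitasoft_player WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// AFTER: reduce the input to a non-negative integer with absint() and bind it
// with $wpdb->prepare(); the %d placeholder means the value can only ever be a
// number and can never alter the structure of the statement.
function hitasoft_get_config_fixed() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        return null;                                      // missing or non-numeric id: no query at all
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}hitasoft_player WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

The same rule applies to string parameters: pass them through $wpdb->prepare() with a %s placeholder instead of building the query with string concatenation, and reject or normalise the value before the query is even built.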
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive and is intended only for security research and teaching. Use it at your own risk!
http://www.example.com/wp-content/plugins/hitasoft_player/config.php?id=1%20union%20all%20select%,user_login,from wp_users --
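From the defender's side, a request like the one above leaves a clear trace in the web server's access log. The following added example (not part of the advisory) scans combined-format access-log lines for requests to the vulnerable endpoint whose id parameter is not purely numeric and carries SQL keywords; the log lines are constructed for illustration, and the function name is an assumption.

```php
<?php
// Added example, not part of the advisory or the plugin. Flags requests to
// hitasoft_player/config.php whose `id` value is not a plain integer and
// contains SQL keywords. The access-log lines below are constructed.

$log_lines = [
    '203.0.113.5 - - [07/Nov/2012:10:01:02 +0000] "GET /wp-content/plugins/hitasoft_player/config.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Nov/2012:10:01:09 +0000] "GET /wp-content/plugins/hitasoft_player/config.php?id=1%20union%20all%20select%201,2,3-- HTTP/1.1" 200 731 "-" "curl/7.26.0"',
    '203.0.113.9 - - [07/Nov/2012:10:01:15 +0000] "GET /wp-content/plugins/hitasoft_player/config.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 731 "-" "curl/7.26.0"',
    '198.51.100.2 - - [07/Nov/2012:10:02:00 +0000] "GET /index.php?p=union HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

function hitasoft_log_alerts( array $lines ): array {
    $alerts   = [];
    $endpoint = '/hitasoft_player/config.php';
    foreach ( $lines as $line ) {
        // Client IP and request target from an Apache/nginx "combined" log line.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
            continue;
        }
        [ , $ip, $target ] = $m;
        $parts = parse_url( $target );
        $path  = $parts['path'] ?? '';
        if ( substr( $path, -strlen( $endpoint ) ) !== $endpoint ) {
            continue;                                     // not the vulnerable script
        }
        // parse_str() also URL-decodes %XX sequences and '+' signs, so encoded
        // payloads are compared in their decoded form.
        parse_str( $parts['query'] ?? '', $params );
        $id = (string) ( $params['id'] ?? '' );
        if ( ctype_digit( $id ) ) {
            continue;                                     // a legitimate id is purely numeric
        }
        if ( preg_match( '/\b(union|select|from|sleep|benchmark)\b/i', $id ) ) {
            $alerts[] = sprintf( '%s  id=%s', $ip, $id );
        }
    }
    return $alerts;
}

foreach ( hitasoft_log_alerts( $log_lines ) as $alert ) {
    echo "ALERT: $alert\n";
}
```

Run against the constructed lines, the script reports the two requests from 203.0.113.9 and stays silent on the numeric id and on the unrelated index.php request. The check keys on the endpoint plus a non-numeric id rather than on keywords alone, which keeps ordinary pages that happen to contain the word "union" out of the alert stream.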
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://wordpress.org/