The second plugin that will be dissected is called Podlove Publisher, a Wordpress plugin to manage podcasts. It suffered from multiple SQL injections and cross-site scripting vulnerabilities (funnily enough also in a parameter named tab) that are fixed by now. The SQL injections were all caused by the following code. lib/settings/feed.php private function save() { $feed = \Podlove\Model\Feed::find_by_id( $_REQUEST[‘feed’] ); $feed->update_attributes( $_POST[‘podlove_feed’] ); lib/model/base.php line 55~60 public function update_attributes( $attributes ) { ⋮ foreach ( $attributes as $key => $value ) $this->{$key} = $value; ⋮ return $this->save(); line 323~348 public function save() { global $wpdb; if ( $this->is_new() ) { $this->set_defaults(); $sql = 'INSERT INTO ' . static::table_name() . ' ( ' . implode( ',', self::property_names() ) . ' ) ' . 'VALUES' . ' ( ' . implode( ',', array_map( array( $this, 'property_name_to_sql_value' ), self::property_names() ) ) . ' );' ; $success =...
The second plugin that will be dissected is called Podlove Publisher, a Wordpress plugin to manage podcasts. It suffered from multiple SQL injections and cross-site scripting vulnerabilities (funnily enough also in a parameter named tab) that are fixed by now. The SQL injections were all caused by the following code. lib/settings/feed.php private function save() { $feed = \Podlove\Model\Feed::find_by_id( $_REQUEST[‘feed’] ); $feed->update_attributes( $_POST[‘podlove_feed’] ); lib/model/base.php line 55~60 public function update_attributes( $attributes ) { ⋮ foreach ( $attributes as $key => $value ) $this->{$key} = $value; ⋮ return $this->save(); line 323~348 public function save() { global $wpdb; if ( $this->is_new() ) { $this->set_defaults(); $sql = 'INSERT INTO ' . static::table_name() . ' ( ' . implode( ',', self::property_names() ) . ' ) ' . 'VALUES' . ' ( ' . implode( ',', array_map( array( $this, 'property_name_to_sql_value' ), self::property_names() ) ) . ' );' ; $success = $wpdb->query( $sql ); if ( $success ) { $this->id = $wpdb->insert_id; } } else { $sql = 'UPDATE ' . static::table_name() . ' SET ' . implode( ',', array_map( array( $this, 'property_name_to_sql_update_statement' ), self::property_names() ) ) . ' WHERE id = ' . $this->id ; $success = $wpdb->query( $sql ); } The author tried to save some work by dynamically setting properties of the model from user input, called mass-assignment. The idea is not bad in general, but care should be taken when every property of an object can be tainted with user input, even properties that are not supposed to be set by the user, like the `id`. Usually, the ID is supposed to be an integer value that stems from `insert_id`, but the mass-assignment allows an attacker to overwrite and use it to extend the SQL query and retrieve sensitive information from the database. All other properties are escaped by `property_name_to_sql_update_statement()`。 On a positive note, all vulnerabilities in this plugin were fixed very fast and a secure version was available after only 2 days. This was one of the fastest responses we experienced so far, so if you are searching for a Wordpress podcast plugin, give it a try.
