BUGTRAQ ID: 37357
CVE ID: CVE-2009-3703

WP-Forum is a PHP-based WordPress plugin.

The wpf.class.php page of WP-Forum does not properly filter the user-submitted forum, topic and search_max parameters, nor the id parameter submitted in the editpost and viewtopic actions. A remote attacker can perform SQL injection by sending requests with malicious parameter values. The vulnerable code is shown below.

In wpf.class.php (lines 1836-1862):

    $option_max_days = $_POST['search_max']; // <- this line is not being sanitized
    $option_forums = $_POST['forum'];
    if(!$option_max_days)
        $option_max_days = 9999;
    $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(), INTERVAL $option_max_days DAY) ";
    ...
    foreach((array)$option_forums as $f)
        $a .= $f.","; // <- this line is not being sanitized

    $a = substr($a, 0, strlen($a)-1 );
    if(!$a)
        $w = "";
    else
        $w = "IN($a)";

    $sql = "SELECT $this->t_threads.parent_id as pt, $this->t_posts.id, text, $this->t_posts.subject, $this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST ('$search_string') AS score
            FROM $this->t_posts inner join $this->t_threads on $this->t_posts.parent_id = $this->t_threads.id
            WHERE $this->t_threads.parent_id $w
            AND MATCH (text) AGAINST ('$search_string') $op";

In wpf-post.php (lines 57-62):

    $id = $_GET['id']; // <- $_GET['id'] is directly assigned
    $thread = $this->check_parms($_GET['t']);

    $out .= $this->header();

    $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE id = $id"); // <- id is used without clean up

Other examples (lines 1490-1510):

    function remove_post(){
        global $user_level, $user_ID, $wpdb;
        $id = $_GET['id']; // <- $_GET['id'] is directly assigned
        $author = $wpdb->get_var("SELECT author_id from $this->t_posts where id = $id"); // <- id is used without clean up
        ...
        if($del == "ok"){
            $wpdb->query("DELETE FROM $this->t_posts WHERE id = $id"); // <- id is used without clean up
            $this->o .= "<div class='updated'>".__("Post deleted", "wpforum")."</div>";
        }
        else
            wp_die(__("Cheating, are we?", "wpforum"));

    }

In addition, because $_GET['topic'] is not properly filtered, every record in the $this->t_posts and $this->t_threads tables can be deleted (lines 1479-1489):

    function remove_topic(){
        global $user_level, $user_ID, $wpdb;
        $topic = $_GET['topic']; // <- $_GET['topic'] is directly assigned
        if($this->is_moderator($user_ID, $this->current_forum)){
            $wpdb->query("DELETE FROM $this->t_posts WHERE parent_id = $topic"); // <- topic is used without clean up
            $wpdb->query("DELETE FROM $this->t_threads WHERE id = $topic"); // <- topic is used without clean up
        }
        else
            wp_die(__("Cheating, are we?", "wpforum"));

    }

Fredrik Fahlstad WP-Forum <= 2.3

Vendor patch:
Fredrik Fahlstad
----------------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's homepage:
http://www.fahlstad.se/wp-plugins/wp-forum/
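The fix pattern for the queries quoted above, shown as an added example that is not WP-Forum's or the vendor's code: cast every id and day count to an integer, whitelist the forum array to integers, and bind the search string with $wpdb->prepare() instead of interpolating it. It assumes a WordPress context where $wpdb is available; the table names are passed in rather than read from $this, and all function names are hypothetical.

```php
<?php
// Added example, not WP-Forum's own code. Assumes a WordPress context where
// $wpdb->prepare() exists; table names are passed in instead of being read
// from $this->t_posts / $this->t_threads. Function names are hypothetical.

// Coerce a user-supplied id or day count to a positive integer; anything that
// is not a positive integer becomes 0, so no SQL text can survive the cast.
function wpf_pos_int($value) {
    $n = (int) $value;
    return $n > 0 ? $n : 0;
}

// Whitelist the 'forum' array to unique positive integers; everything else is dropped.
function wpf_int_list($values) {
    $ids = array();
    foreach ((array) $values as $v) {
        $id = wpf_pos_int($v);
        if ($id) { $ids[] = $id; }
    }
    return array_values(array_unique($ids));
}

// Hardened replacement for the search query at wpf.class.php lines 1836-1862:
// numeric parts are cast, the IN list holds only integers, and the search
// string is bound through prepare() instead of being interpolated.
function wpf_search_sql($wpdb, $t_posts, $t_threads, array $post) {
    $max_days = isset($post['search_max']) ? wpf_pos_int($post['search_max']) : 0;
    if (!$max_days) { $max_days = 9999; }   // same default as the plugin
    $forums = isset($post['forum']) ? wpf_int_list($post['forum']) : array();
    $search = isset($post['search_string']) ? (string) $post['search_string'] : '';
    // Only emit the IN clause when a forum list was actually selected.
    $forum_clause = $forums ? " AND {$t_threads}.parent_id IN (" . implode(',', $forums) . ")" : '';
    return $wpdb->prepare(
        "SELECT {$t_threads}.parent_id AS pt, {$t_posts}.id, text, {$t_posts}.subject,"
        . " {$t_posts}.parent_id, {$t_posts}.`date`, MATCH (text) AGAINST (%s) AS score"
        . " FROM {$t_posts} INNER JOIN {$t_threads} ON {$t_posts}.parent_id = {$t_threads}.id"
        . " WHERE MATCH (text) AGAINST (%s){$forum_clause}"
        . " AND {$t_posts}.`date` > SUBDATE(CURDATE(), INTERVAL %d DAY)",
        $search, $search, $max_days
    );
}

// Hardened replacement for the remove_post() delete at line 1504: the id is a
// bound %d placeholder, so a non-numeric value can never reach the query.
function wpf_delete_post_sql($wpdb, $t_posts, $raw_id) {
    $id = wpf_pos_int($raw_id);
    if (!$id) { return false; }  // refuse rather than run DELETE ... WHERE id = 0
    return $wpdb->prepare("DELETE FROM {$t_posts} WHERE id = %d", $id);
}
```

The same wpf_pos_int() cast applies to $_GET['topic'] in remove_topic(), where both DELETE statements should take the value as a %d placeholder.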