___________
ChX Security |
Advisory #3 |
==========

-> "WP Comment Remix 1.4.3 Multiple Vulnerabilities" <-

_________________
Advisory Information |
===============

Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x <g30rg3x_at_chxsecurity_dot_org>
Advisory URL: http://chxsecurity.org/advisories/adv-3-full.txt
Date of last update: 2008-10-13
CVE Name: --

____________________
Vulnerability Information |
==================

Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
Impact: Manipulation of data
        Cross-Site Scripting
Type of Advisory: Full Disclosure

_________________
Software Description |
===============

WP Comment Remix adds a plethora of new options and features to WordPress. From Reply and Quote links for commenters, to a full upgrade to the edit comments pages in the admin panel, WPCR will save you time and effort when running your blog.

____________________
Vulnerability Description |
==================

WP Comment Remix has multiple vulnerabilities which allow remote attackers to conduct SQL Injection, Cross-Site Scripting and Cross-Site Request Forgery attacks. The SQL Injection is possible due to the lack of filtering on the comment post ID variable in the AJAX Comments script. The Cross-Site Scripting is possible due to the lack of filtering and escaping on several stored options. The Cross-Site Request Forgery is caused by the absence of WordPress Nonces on the options panel form.
__________________
Technical Description |
================

* SQL Injection *

Inside the script "ajax_comments.php" (around lines 27 to 29):

/---------------------
$id = $_GET['p'];
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date DESC");
----------------------/

As you can see in the presented code, the value of $id is taken from the HTTP GET variable "p" and is then used, unmodified, inside the SQL query passed to the get_results method of the $wpdb object (which allows WordPress plugin developers to pull multiple row results from the database), so we can inject SQL code and the data it returns will later be shown as comment data by the script. As an example, we can inject something like this:

/----------------------
ajax_comments.php?p=0 UNION SELECT 1,2,user(),4,5,6,7,8,CONCAT(database(),0x3C62723E,version()),10,11,12,13,14,15 --
-----------------------/

to obtain the MySQL user, database name and MySQL version used on the server.

* Cross-Site Scripting *

Inside the script "wpcommentremix.php" (around lines 611 to 781) (the following code is truncated to show only the vulnerable parts):

/----------------------
$options['replytotext'] = $_POST['replytotext'];
...
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
...
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];
...
<input type="text" name="replytotext" value="<?=$options['replytotext']?>"><br/>
...
<input type="text" name="quotetext" value="<?=$options['quotetext']?>"><br/>
...
<input type="textbox" name="originallypostedby" value='<?=$options['originallypostedby'];?>' />
...
<input type="text" name="sep" value="<?=$options['sep']?>"><br/>
...
<input type="text" name="taglabel" value="<?=$options['taglabel']?>"><br/>
...
<input type="text" name="tagsep" value="<?=$options['tagsep']?>"><br/>
...
<input type="text" name="maxtags" value="<?=$options['maxtags']?>"><br/>
...
<input type="text" name="tagheaderlabel" value="<?=$options['tagheaderlabel']?>"><br/>
...
<input type="text" name="tagheadersep" value="<?=$options['tagheadersep']?>"><br/>
-----------------------/

These variables completely lack filtering and escaping, so if we store something like this...

/----------------------
5"><script>alert(String.fromCharCode(88,83,83));</script><input type=hidden name=foo id="
-----------------------/

...then when the data is retrieved to be shown on the dashboard options panel, the "bad code" is rendered and the attack is conducted.

NOTE: Some input variables (like replytotext) are also rendered to public viewers, so it is possible to inject "malicious code" outside the dashboard options panel of the plugin.

* Cross-Site Request Forgery *

The form generated by the wpcr_do_options_page function (wpcommentremix.php at line 585) completely lacks WP Nonces (which prevent this type of attack) and only uses a simple hidden input named "wpcr_hidden_form_input" with a value of "1". Because of this, an attacker can force a user to submit data to the form; combined with the Cross-Site Scripting vulnerability discussed previously, this makes the vulnerability very dangerous.

______________
Proof of Concept |
=============

Can be downloaded from here: http://chxsecurity.org/proof-of-concepts/wp-comment-remix-143.zip

_______
Solution |
======

Upgrade to version 1.4.4

_______
Timeline |
=======

Bug Found: 16/09/2008
Vendor Contact: 20/09/2008
Vendor Response: 23/09/2008
Public Disclosure: 13/10/2008

ChX Security
http://chxsecurity.org/
(c) 2008

--
Original: http://chxsecurity.org/advisories/adv-3-full.txt
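As an added illustration (not code from the plugin, nor the vendor's actual 1.4.4 fix), the three findings in the Technical Description above map onto standard WordPress defenses: a bound integer placeholder for the post ID in ajax_comments.php, capability plus nonce checks and input normalisation when the options form is saved, and attribute escaping when the stored options are rendered. The wpcr_safe_* function names, the nonce action "wpcr_save_options" and the field name "wpcr_nonce" are assumptions.

```php
<?php
// Added hardening example; not the plugin's code nor its 1.4.4 patch. Only
// standard WordPress APIs are used; the wpcr_safe_* names, the nonce action
// "wpcr_save_options" and the field "wpcr_nonce" are assumptions.
// SQL Injection: cast the post ID and bind it via $wpdb->prepare(), so a
// value like "0 UNION SELECT ..." never reaches the query text.
function wpcr_safe_get_comments( $raw_post_id ) {
    global $wpdb;
    $id = absint( $raw_post_id );
    if ( 0 === $id ) {
        return array();   // no valid post ID, no query at all
    }
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved != 'spam' ORDER BY comment_date DESC",
        $id ) );
}
// CSRF: a per-user, per-action nonce inside the wpcr_do_options_page() form
// replaces the static wpcr_hidden_form_input=1 marker.
function wpcr_safe_form_nonce() {
    wp_nonce_field( 'wpcr_save_options', 'wpcr_nonce' );
}
// On save: require the capability and a valid nonce, then normalise each
// option before storing (returned here; the caller persists via update_option()).
function wpcr_safe_collect_options( array $options ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'wpcr_save_options', 'wpcr_nonce' ); // wp_die()s on failure
    $text_keys = array( 'replytotext', 'quotetext', 'originallypostedby', 'sep',
                        'tagsep', 'tagheadersep', 'taglabel', 'tagheaderlabel' );
    foreach ( $text_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $options[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }
    if ( isset( $_POST['maxtags'] ) ) {
        $options['maxtags'] = absint( $_POST['maxtags'] );   // numeric option only
    }
    return $options;
}
// Stored XSS: esc_attr() encodes the '">' in the advisory's payload, so the
// value stays inside value="..." on the panel and on the public pages.
function wpcr_safe_text_input( $name, array $options ) {
    $value = isset( $options[ $name ] ) ? $options[ $name ] : '';
    printf( '<input type="text" name="%s" value="%s"><br/>',
            esc_attr( $name ), esc_attr( $value ) );
}
```

sanitize_text_field() strips HTML, so if a separator option legitimately needs markup it should be stored through wp_kses_post() instead, while output escaping stays in place.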