Full Disclosure mailing list archives
Re: Wordpress plugin 'Analytics360'- authenticated user sql injection
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Mon, 1 Mar 2010 17:27:12 +0100
OK, well - before I get 10000 replies: the question was a rhetoric one. 2010/3/1 Benji <me () b3nji com>
http://crowdfavorite.com/ loads fine here. On Mon, Mar 1, 2010 at 4:03 PM, Jan G.B. <ro0ot.w00t () googlemail com>wrote:Hi there, I just noticed that authenticated users for the admin area of a wordpress blog may inject code into database queries, when the plugin "Analytics360" is activated. ### BASIC INFORMATION ### Plugin Name: Analytics360 Plugin URI: http://www.mailchimp.com/wordpress_analytics_plugin/?pid=wordpress&source=website Author: Crowd Favorite Author URI: http://crowdfavorite.com ### Affected Version ### Analytics360 v.1.2 (and earlier Versions, I guess…) ### Risk ### Well, I can't classify this. When you're not insane, you shouldn't have people as admins, who inject code into the database queries. But, when you have such admins, or your WP-Login is collected by phishing or something alike, your db server and data may be at risk. It all depends on your setup and permissions. However, the bug is easy to fix and so it should be fixed. http://codex.wordpress.org/Function_Reference/wpdb_Class#Run_Any_Query_on_the_Database ### DETAILS ### The code contains this evil part in analytics360.php: -------- case 'get_wp_posts': add_filter('posts_where', create_function( '$where', 'return $where." AND post_date >= \''.$_GET['start_date'].'\' AND post_date < \''.$_GET['end_date'].'\'";' )); -------- ### Disclosure Timeline ### You're the first to know. Anyone is able to telnet crowdfavorite.com:80 ? As I'm writing this, the site is unresponsive. So this is what happens when you include a website as contact information: you don't get the message. Regards _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Wordpress plugin 'Analytics360'- authenticated user sql injection Jan G.B. (Mar 01)
- Re: Wordpress plugin 'Analytics360'- authenticated user sql injection Benji (Mar 01)
- Re: Wordpress plugin 'Analytics360'- authenticated user sql injection Jan G.B. (Mar 01)
- Re: Wordpress plugin 'Analytics360'- authenticated user sql injection Jan G.B. (Mar 02)
- Re: Wordpress plugin 'Analytics360'- authenticated user sql injection Benji (Mar 01)