http://bit.ly/d38gB8, b...">[iBliss Security Advisory] Blind SQL injection vulnerabilit... - vulnerability database | Vulners.comhttp://bit.ly/d38gB8, b...">http://bit.ly/d38gB8, b...">http://bit.ly/d38gB8, b...">
Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29866
HistoryOct 02, 2013 - 12:00 a.m.

[iBliss Security Advisory] Blind SQL injection vulnerability in NOSpamPTI wordpress plugin

2013-10-0200:00:00
vulners.com
26
JSON

[ NOSpamPTI Wordpress plugin Blind SQL Injection ]

[ Vendor product description ]

NOSpamPTI eliminates the spam in your comment box so strong and free,
developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8&quot;
rel="nofollow">http://bit.ly/d38gB8&lt;/a&gt;, but some themes do not support
changes to the functions.php to this we alter this function and
available as a plugin. Make good use of this plugin and forget all the Spam.

[ Bug Description ]

NOSpamPTI contains a flaw that may allow an attacker to carry out a
Blind SQL injection attack. The issue is due to the wp-comments-post.php
script not properly sanitizing the comment_post_ID in POST data. This
may allow an attacker to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of
arbitrary data.

[ History ]

Advisory sent to vendor on 09/09/2013
Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.

[ Impact ]

HIGH

[ Afected Version ]

2.1

[ CVE Reference]

CVE-2013-5917

[ POC ]

Payload:
POST /wordpress/wp-comments-post.php

author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1
AND SLEEP(5)&[email protected]&submit=Post Comment&url=1

[ Vulnerable code ]

$post_id = $_POST['comment_post_ID'];

load_plugin_textdomain('nospampti',
WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/');

if &#40;$hash != $challenge&#41; {
    $wpdb-&gt;query&#40;&quot;DELETE FROM {$wpdb-&gt;comments} WHERE comment_ID =

{$comment_id}");
$count = $wpdb->get_var("select count(*) from $wpdb->comments
where comment_post_id = {$post_id} and comment_approved = '1'");

[ Reference ]

[1] No SpamPTI SVN repository -
http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php
[2] Owasp - https://owasp.org/index.php/SQL_Injection
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/

iBliss Seguranca e Inteligencia - Sponsor: Alexandro Silva - Alexos

alexos (at) ibliss.com (dot) br [email concealed]

Related

patchstack 1
zdt 2
exploitpack 1
cve 1
packetstorm 1
wpvulndb 1
prion 1
openvas 1
exploitdb 1
securityvulns 1
patchstack
patchstack
WordPress NOSpamPTI Plugin - Blind SQL Injection
2013-09-23 00:00:00
zdt
zdt
Wordpress NOSpamPTI Plugin - Blind SQL Injection Vulnerability
2013-09-23 00:00:00
WordPress NOSpamPTI 2.1 Blind SQL Injection Vulnerability
2013-09-21 00:00:00
exploitpack
exploitpack
WordPress Plugin NOSpamPTI - Blind SQL Injection
2013-09-23 00:00:00
cve
cve
CVE-2013-5917
2013-09-23 10:18:00
packetstorm
packetstorm
WordPress NOSpamPTI 2.1 Blind SQL Injection
2013-09-20 00:00:00
wpvulndb
wpvulndb
NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection
2014-08-01 10:59:03
prion
prion
Sql injection
2013-09-23 10:18:00
openvas
openvas
WordPress NOSpamPTI Plugin SQLi Vulnerability - Active Check
2013-09-27 00:00:00
exploitdb
exploitdb
WordPress Plugin NOSpamPTI - Blind SQL Injection
2013-09-23 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2013-10-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:29866
patchstack1zdt2exploitpack1cve1packetstorm1wpvulndb1prion1openvas1exploitdb1securityvulns1