Date: Sun, 06 Sep 2015 16:43:04 -0400
From: Larry Cashdollar <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE Request Blind SQL Injection in wordpress plugin dukapress v2.5.9

Hello,
Any progress with this request? 
Thanks!
-larry

> On Aug 22, 2015, at 6:48 AM, Larry W Cashdollar <larry0@...com> wrote:
> 
> Hello,
> May I have a CVE for this vulnerability?
> 
> Title: Blind SQL Injection in wordpress plugin dukapress v2.5.9
> Author: Larry W. Cashdollar, @_larry0
> Date: 2015-08-04
> Download Site: http://wordpress.org/plugins/dukapress/
> Vendor: dukapress.org
> Vendor Notified: 2015-08-07, fixed in v2.5.9.1
> Vendor Contact: https://twitter.com/moshthepitt
> Description: DukaPress is open source software that can be used to build online shops quickly and easily. DukaPress is built on top of WordPress, a world class content management system. DukaPress is built to be both simple and elegant yet powerful and scalable.
> Vulnerability:
> The code in dukapress/download.php does not sanitize user input before passing it to query() allowing SQL to be injected.  The user is not required to be logged into wordpress in order to exploit this vulnerability.
> 
> 
> 9:$sql = "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) as time_diff FROM `{$table_name2}` WHERE saved_name='{$_GET['id']}'";
> .
> .
> .
> 
> 26:    $wpdb->query("UPDATE {$table_name2} SET count={$download_count} WHERE saved_name='{$_GET['id']}'");
> 
> Advisory: http://www.vapid.dhs.org/advisory.php?v=152
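For readers who maintain WordPress plugins, here is how the two queries quoted in the advisory look once the `id` parameter is bound through `$wpdb->prepare()` instead of being interpolated into the SQL string. This is an added illustration, not DukaPress code and not the vendor's v2.5.9.1 fix; it assumes WordPress's global `$wpdb` object (its `prepare()`, `get_row()` and `query()` methods, and the `sanitize_text_field()`, `wp_unslash()` and `wp_die()` helpers), and that `$table_name2` is the plugin's own download-tracking table built from `$wpdb->prefix`. The function names `dp_*` are hypothetical.

```php
<?php
// Added example (not DukaPress's code): the SELECT and UPDATE from the
// advisory rewritten with $wpdb->prepare(). %s is escaped and quoted by
// prepare(), %d is cast to an integer, so the request parameter can no
// longer change the shape of the query. Table names cannot be bound with
// prepare(); $table_name2 stays in the format string because it is derived
// from $wpdb->prefix, not from user input.

function dp_lookup_download( $wpdb, $table_name2, $id ) {
    // Vulnerable form quoted in the advisory (line 9), for comparison only:
    // $sql = "SELECT ... FROM `{$table_name2}` WHERE saved_name='{$_GET['id']}'";
    $sql = $wpdb->prepare(
        "SELECT saved_name, real_name, count,
                TIMESTAMPDIFF(SECOND, sent_time, NOW()) AS time_diff
         FROM `{$table_name2}` WHERE saved_name = %s",
        $id
    );
    return $wpdb->get_row( $sql ); // null when no row matches
}

function dp_bump_download_count( $wpdb, $table_name2, $id, $download_count ) {
    // Vulnerable form quoted in the advisory (line 26), for comparison only:
    // $wpdb->query("UPDATE {$table_name2} SET count={$download_count} WHERE saved_name='{$_GET['id']}'");
    return $wpdb->query( $wpdb->prepare(
        "UPDATE `{$table_name2}` SET count = %d WHERE saved_name = %s",
        $download_count,
        $id
    ) );
}

// Entry point as a download.php-style handler would use it: read the
// parameter once, strip slashes WordPress adds to superglobals, reject an
// empty id, and only then touch the database through the bound queries.
// No login is required for this endpoint, so input handling is the only gate.
function dp_handle_download_request( $wpdb, $table_name2 ) {
    $id = isset( $_GET['id'] ) ? sanitize_text_field( wp_unslash( $_GET['id'] ) ) : '';
    if ( '' === $id ) {
        wp_die( 'Missing download id', 'Bad request', array( 'response' => 400 ) );
    }
    $row = dp_lookup_download( $wpdb, $table_name2, $id );
    if ( null === $row ) {
        wp_die( 'Unknown download', 'Not found', array( 'response' => 404 ) );
    }
    dp_bump_download_count( $wpdb, $table_name2, $id, (int) $row->count + 1 );
    return $row;
}
```

The point of the rewrite is structural rather than cosmetic: with `prepare()` the value of `id` travels as data, so the same query text is executed whatever the parameter contains, whereas the original built a different SQL statement for every distinct input. Binding the counter with `%d` closes the second interpolation on the UPDATE line as well, even though that value is computed server-side today.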
