Date: Sat, 28 Nov 2015 13:05:57 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: oss-security@...ts.openwall.com
Subject: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8

Title: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-11-24
Download Site: https://wordpress.org/plugins/double-opt-in-for-download/
Vendor: https://profiles.wordpress.org/andyba45/ 
http://www.labwebdesigns.com
Vendor Notified: 2015-11-24
Vendor Fixed: 2015-11-24 in v2.0.9
Description: Capture visitors names and email addresses by offering FREE
downloads to your visitors in exchange for their email address with our
Double Opt-In Plug
Vulnerability:
In the file double-opt-in-for-download/public/includes/class-doifd-download.php, lines 61 and 110:

38                 $ver = $_GET[ 'ver' ];
.
.
61                     $checkallowed = $wpdb->get_row ( "SELECT doifd_downloads_allowed FROM " . $wpdb->prefix . "doifd_lab_subscribers WHERE doifd_verification_number = '$ver' " );
.
.
110                             $wpdb->query (
111                                     "
112                         UPDATE $wpdb->doifd_subscribers
113                         SET doifd_downloads_allowed = doifd_downloads_allowed+1 WHERE doifd_verification_number = '$ver'
114                     "
115                             );

This allows blind SQL injection via the $ver parameter, since the value is neither sanitized nor passed through $wpdb->prepare() before being interpolated into the query.

In the file double-opt-in-for-download/public/includes/class-doifd-landing-page.php, line 71 allows SQL injection via the same $ver parameter:

  26     public function getVerification() {
  27         $this->verification = $_GET[ 'ver' ];
  28         return $this->verification;
  29     }
.
.

  71         $sql = "SELECT *
  72                 FROM {$wpdb->prefix}doifd_lab_subscribers
  73                 INNER JOIN {$wpdb->prefix}doifd_lab_downloads
  74                 ON {$wpdb->prefix}doifd_lab_downloads.doifd_download_id = {$wpdb->prefix}doifd_lab_subscribers.doifd_download_id
  75                 WHERE doifd_verification_number = '$this->verification'";
  76
  77         $this->data = $wpdb->get_row( $sql, ARRAY_A );
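Added illustration (not part of the advisory or the plugin's code): the line 61 and line 71 queries above share the same defect, so one Python/sqlite3 stand-in shows the interpolated query beside its parameterized form, which is what $wpdb->prepare("... = %s", $ver) gives in WordPress. The table name, schema and sample row are constructed; only the column names come from the advisory.

```python
import sqlite3

# Constructed, minimal stand-in for the plugin's wp_doifd_lab_subscribers
# table. Column names follow the advisory; the schema and sample row are
# assumptions made for this example.
SCHEMA = """
CREATE TABLE wp_doifd_lab_subscribers (
    doifd_subscriber_id INTEGER PRIMARY KEY,
    doifd_verification_number TEXT NOT NULL,
    doifd_downloads_allowed INTEGER NOT NULL DEFAULT 0
);
INSERT INTO wp_doifd_lab_subscribers VALUES (1, 'abc123', 0);
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def downloads_allowed_vulnerable(con, ver):
    # Mirrors line 61 of class-doifd-download.php: the request value is
    # spliced straight into the SQL text, so it is parsed as SQL.
    sql = ("SELECT doifd_downloads_allowed FROM wp_doifd_lab_subscribers "
           "WHERE doifd_verification_number = '" + ver + "'")
    return con.execute(sql).fetchone()

def downloads_allowed_fixed(con, ver):
    # Hardened form: the value is bound as a parameter, so it can only be
    # compared against the column, never change the statement.
    sql = ("SELECT doifd_downloads_allowed FROM wp_doifd_lab_subscribers "
           "WHERE doifd_verification_number = ?")
    return con.execute(sql, (ver,)).fetchone()

def compare(ver):
    """Run both variants on the same input; return (vulnerable, fixed)."""
    con = open_db()
    try:
        return (downloads_allowed_vulnerable(con, ver),
                downloads_allowed_fixed(con, ver))
    finally:
        con.close()

if __name__ == "__main__":
    # A real verification number behaves the same either way: ((0,), (0,))
    print(compare("abc123"))
    # A value that is not a verification number but carries SQL: the
    # interpolating query still returns a row, the bound one does not.
    print(compare("x' OR '1'='1"))
```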

CVE ID: CVE-2015-7517
Advisory: http://www.vapidlabs.com/advisory.php?v=157
