Title: SQL Injection in WordPress plugin surveys v1.01.8 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-05-21 |
CVE-ID:[CVE-2017-1002020][CVE-2017-1002021][CVE-2017-1002022] |
CWE: |
Download Site: https://wordpress.org/plugins/surveys/ |
Vendor: http://www.binnyva.com/ |
Vendor Notified: 2017-05-22 |
Vendor Contact: binnyva@gmail.com |
Advisory: http://www.vapidlabs.com/advisory.php?v=193 |
Description: The Surveys WordPress plugin lets you add surveys to your blog. You can let the visitors take surveys and see the result from the admin side. |
Vulnerability: CVE-2017-1002020:
The following code in survey_form.php (line 10) does not sanitize $_REQUEST['action'] before placing it inside an SQL query:
$survey_details = $wpdb->get_row("SELECT name,description,status FROM {$wpdb->prefix}surveys_survey WHERE ID=$_REQUEST[survey]");
CVE-2017-1002021:
The following code in individual_responses.php (lines 5-10) does not sanitize input from $survey_id or $_REQUEST[result] before placing it inside an SQL query:
$survey_id = $_REQUEST['survey'];
$survey_details = $wpdb->get_row("SELECT ID, name FROM {$wpdb->prefix}surveys_survey WHERE ID=$survey_id");

if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'delete') {
    $wpdb->query("DELETE FROM {$wpdb->prefix}surveys_result_answer WHERE result_ID=$_REQUEST[result]");
    $wpdb->query("DELETE FROM {$wpdb->prefix}surveys_result WHERE ID=$_REQUEST[result]");
CVE-2017-1002022:
In questions.php (lines 94-96) $_REQUEST[survey] is injectable as it is passed directly into the SQL statement:
$all_question = $wpdb->get_results("SELECT Q.ID,Q.question,(SELECT COUNT(*) FROM {$wpdb->prefix}surveys_answer WHERE question_id=Q.ID) AS answer_count
    FROM {$wpdb->prefix}surveys_question AS Q
    WHERE Q.survey_id=$_REQUEST[survey]");
|
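As an added example (not the plugin's code and not part of the original advisory), the three queries above rewritten the way a fix would look: every ID taken from the request is cast with absint() and bound through $wpdb->prepare() with a %d placeholder, so the value can only ever be an integer literal in the query. The delete path also gets a capability check and a nonce, since the original acts on any request that reaches the page. The function names prefixed surveys_example_ and the nonce action name 'surveys_delete_result' are assumptions; the code assumes it runs inside WordPress where $wpdb, absint(), current_user_can() and check_admin_referer() exist.

```php
<?php
// Added example, not the plugin's own code. Assumes the WordPress runtime
// ($wpdb, absint, current_user_can, check_admin_referer). The surveys_example_*
// names and the nonce action name are hypothetical.

/**
 * survey_form.php (CVE-2017-1002020): look up a survey by a request-supplied ID.
 * absint() rejects anything that is not a positive integer, and %d binds the
 * value so it cannot change the structure of the statement.
 */
function surveys_example_get_survey_details( $wpdb, array $request ) {
    $survey_id = isset( $request['survey'] ) ? absint( $request['survey'] ) : 0;
    if ( 0 === $survey_id ) {
        return null; // missing or non-numeric ID: do not touch the database
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT name, description, status FROM {$wpdb->prefix}surveys_survey WHERE ID = %d",
            $survey_id
        )
    );
}

/**
 * individual_responses.php (CVE-2017-1002021): delete one result and its answers.
 * Besides binding the ID, a destructive action needs a capability check and a
 * nonce so that it cannot be triggered by an arbitrary request.
 */
function surveys_example_delete_result( $wpdb, array $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // caller is not an administrator
    }
    // Hypothetical nonce action name; check_admin_referer() exits on failure.
    check_admin_referer( 'surveys_delete_result' );

    $result_id = isset( $request['result'] ) ? absint( $request['result'] ) : 0;
    if ( 0 === $result_id ) {
        return false;
    }
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}surveys_result_answer WHERE result_ID = %d",
        $result_id
    ) );
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}surveys_result WHERE ID = %d",
        $result_id
    ) );
    return true;
}

/**
 * questions.php (CVE-2017-1002022): list questions and answer counts for a survey.
 * The subquery and aliases are unchanged; only the survey ID is bound.
 */
function surveys_example_get_questions( $wpdb, array $request ) {
    $survey_id = isset( $request['survey'] ) ? absint( $request['survey'] ) : 0;
    if ( 0 === $survey_id ) {
        return array();
    }
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT Q.ID, Q.question,
                (SELECT COUNT(*) FROM {$wpdb->prefix}surveys_answer WHERE question_id = Q.ID) AS answer_count
         FROM {$wpdb->prefix}surveys_question AS Q
         WHERE Q.survey_id = %d",
        $survey_id
    ) );
}

// Usage inside the plugin would pass the superglobal in, e.g.:
// $details   = surveys_example_get_survey_details( $wpdb, $_REQUEST );
// $questions = surveys_example_get_questions( $wpdb, $_REQUEST );
```

The request array is passed in as a parameter rather than read from $_REQUEST inside each function so the handlers can be exercised with a constructed array outside WordPress; the query text is the advisory's own, with only the interpolated variables replaced by bound placeholders.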
Exploit Code:
|
Screen Shots: |
Notes: |