Jump to content
KhiZaRix

WordPress Tune Library 1.5.4 SQL Injection

By KhiZaRix, in Exploituri

Recommended Posts

KhiZaRix Newbie

KhiZaRix

Posted
Posted 


=======================================================================
              title: SQL Injection
            product: WordPress Tune Library Plugin
 vulnerable version: 1.5.4 (and probably below)
      fixed version: 1.5.5
         CVE number: CVE-2015-3314
             impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
           homepage: https://wordpress.org/plugins/tune-library/
              found: 2015-01-09
                 by: Hannes Trunde

               mail: hannes.trunde@gmail.com
            twitter: @hannestrunde

=======================================================================


Plugin description:
-------------------
"This plugin is used to import an XML iTunes Music Library file into your 
WordPress database. Once imported, you can display a complete listing of your 
music collection on a page of your WordPress site."

Source: [url]https://wordpress.org/plugins/tune-library/[/url]


Recommendation:
---------------
The author has provided a fixed plugin version which should be installed 
immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a sql injection attack can be
performed when sorting artists by letter.

However, special conditions must be met in order to exploit this vulnerability:
1) The wordpress security feature wp_magic_quotes(), which is enabled by 
   default, has to be disabled.
2) The plugin specific option "Filter artists by letter and show alphabetical
   navigation" has to be enabled.


Proof of concept:
-----------------
The following HTTP request to the Tune Library page returns version, current 
user and db name:
===============================================================================
[url]http://www.site.com/?page_id=2&artistletter=G[/url]' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
===============================================================================


Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-09: Author replies and announces a fix within a week.
2015-04-12: Mail from author, stating that plugin has been updated.
2015-04-14: Requesting CVE via post to the open source software security mailing 
            list: [url]http://openwall.com/lists/oss-security/2015/04/14/5[/url]
2015-04-20: Release of security advisory.


Solution:
---------
Update to the most recent plugin version.


Workaround:
-----------
Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by
letter..." option.

Source: http://packetstorm.wowhacker.com/1504-exploits/wptunelibrary154-sql.txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...