2in1 Security Bulletin
Today we have a moderately critical SQL injection vulnerability, discovered by HouSSaMix, in the “WP-Cal” plugin (version 0.x) for WordPress. According to the Secunia advisory:
Input passed to the “id” parameter in functions/editevent.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
A malicious user can exploit this to retrieve usernames, password hashes, and email addresses of ordinary users and administrators. The attack does, however, require knowledge of the database table prefix, because the injected query has to name the users table directly.
So far, version 0.3 has been confirmed as vulnerable; other versions may also be affected. Secunia states that the solution is to edit the source code so that the input is properly sanitised before it reaches the query.
The original advisory, which includes an example of the exploit as well as the vulnerable code, can be read here.
If you are using this plugin, it is strongly advised that you disable it until a patch is published.
The second bulletin concerns the AdServe plugin.
A person who goes by the handle “enter_the_dragon” has discovered a vulnerability in the AdServe plugin version 0.2 for WordPress. It allows malicious users to conduct SQL injection attacks that can result in the retrieval of usernames, password hashes, and the like. As with the WP-Cal issue, knowledge of the table prefix is required to perform these attacks. According to the security bulletin:
Input passed to the “id” parameter in adclick.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The original bulletin, with a detailed description of the problem and an example of the exploit, can be read here. As with any plugin that is the subject of a security bulletin, it is strongly encouraged that you disable the plugin in question until a patch is released.
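Both bulletins describe the same flaw: a numeric “id” request parameter pasted straight into a SQL query. To make that concrete, here is an added example (not code from either plugin, from Secunia, or from this blog) that models the pattern in Python with an in-memory SQLite database standing in for the WordPress tables. The table names, the `wp_` prefix, the sample rows and the password hash are all constructed for the demonstration. It shows the unsanitised lookup, the UNION injection that pulls usernames and password hashes out of the users table when the prefix is known, the failure when the prefix is guessed wrong, and a hardened lookup that casts the id to an integer and binds it as a query parameter.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the WordPress database: one users table with the
# default "wp_" prefix and one events table of the kind a calendar plugin
# would query by "id". The hash below is a made-up value, not a real credential.
PREFIX = "wp_"


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO {PREFIX}users VALUES
            (1, 'admin', '$P$BconstructedSampleHashNotReal', 'admin@example.invalid');
        CREATE TABLE {PREFIX}events (id INTEGER PRIMARY KEY, title TEXT, starts TEXT);
        INSERT INTO {PREFIX}events VALUES (1, 'Team meeting', '2008-01-10');
        INSERT INTO {PREFIX}events VALUES (2, 'Release', '2008-01-12');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """The flaw from the advisories: the request parameter is pasted into the SQL text."""
    sql = f"SELECT title, starts FROM {PREFIX}events WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def exploit(conn: sqlite3.Connection, guessed_prefix: str) -> Optional[list]:
    """UNION the users table onto the event query. Returns None when the guessed
    table prefix is wrong, which is why the advisories say the prefix must be known."""
    payload = f"0 UNION SELECT user_login, user_pass FROM {guessed_prefix}users"
    try:
        return vulnerable_lookup(conn, payload)
    except sqlite3.OperationalError:  # "no such table" for a wrong prefix
        return None


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the value
    as a query parameter so it can never be parsed as SQL."""
    try:
        event_id = int(raw_id)
    except ValueError:
        return []
    sql = f"SELECT title, starts FROM {PREFIX}events WHERE id = ?"
    return conn.execute(sql, (event_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal request:", vulnerable_lookup(db, "1"))
    print("injection, correct prefix:", exploit(db, "wp_"))
    print("injection, wrong prefix:", exploit(db, "wordpress_"))
    print("hardened, injection attempt:", safe_lookup(db, "0 UNION SELECT 1,2"))
```

In a WordPress plugin the same two steps are casting the parameter with `intval()` and building the query through `$wpdb->prepare()`. A non-default table prefix only makes the attack harder, not impossible, so it is not a substitute for fixing the query.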