Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Larry W. Cashdollar <larry0-BUHhN+a2lJ4 <at> public.gmane.org>
Subject: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8
Newsgroups: gmane.comp.security.oss.general
Date: Saturday 28th November 2015 18:05:57 UTC (over 2 years ago)
Title: SQL injection in wordpress plugin double-opt-in-for-download v2.0.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-11-24
Download Site: https://wordpress.org/plugins/double-opt-in-for-download/
Vendor: https://profiles.wordpress.org/andyba45/

http://www.labwebdesigns.com
Vendor Notified: 2015-11-24
Vendor Fixed: 2015-11-24 in v2.0.9
Description: Capture visitors names and email addresses by offering FREE
downloads to your visitors in exchange for their email address with our
Double Opt-In Plug
Vulnerability:
The file 
double-opt-in-for-download/public/includes/class-doifd-download.php the 
lines 61 & 110:

38                 $ver = $_GET[ 'ver' ];
.
.
61                     $checkallowed = $wpdb->get_row ( "SELECT 
doifd_downloads    _allowed FROM " . $wpdb->prefix . 
"doifd_lab_subscribers  WHERE doifd_verifi    cation_number = '$ver' " );
.
.
110                             $wpdb->query (
111                                     "
112                         UPDATE $wpdb->doifd_subscribers
113                         SET doifd_downloads_allowed = 
doifd_downloads_allowe    d+1 WHERE doifd_verification_number = '$ver'
114                     "
115                             );

Allows Blind SQL injection at the $ver parameter as it is not properly 
sanitized or passed through a prepare() function first.

In file 
double-opt-in-for-download/public/includes/class-doifd-landing-page.php 
line 71 allows for SQL injection via the $ver parameter.

  26     public function getVerification() {
  27         $this->verification = $_GET[ 'ver' ];
  28         return $this->verification;
  29     }
.
.

  71         $sql = "SELECT *
  72                 FROM {$wpdb->prefix}doifd_lab_subscribers
  73                 INNER JOIN {$wpdb->prefix}doifd_lab_downloads
  74                 ON 
{$wpdb->prefix}doifd_lab_downloads.doifd_download_id = {$ 
wpdb->prefix}doifd_lab_subscribers.doifd_download_id
  75                 WHERE doifd_verification_number = 
'$this->verification'";
  76
  77         $this->data = $wpdb->get_row( $sql, ARRAY_A );
CVEID: 2015-7517
Advisory: http://www.vapidlabs.com/advisory.php?v=157
 
CD: 3ms