AOH :: HP Unsorted W :: VA1556.HTM

WP Comment Remix 1.4.3 Multiple Vulnerabilities
WP Comment Remix 1.4.3 Multiple Vulnerabilities
WP Comment Remix 1.4.3 Multiple Vulnerabilities

ChX Security |
Advisory #3   |
->    "WP Comment Remix 1.4.3 Multiple Vulnerabilities"    <-

Advisory Information |
==============Title: WP Comment Remix 1.4.3 Multiple Vulnerabilities
Author: g30rg3_x 
Advisory URL: 
Date of last update: 2008-10-13
CVE Name: --

Vulnerability Information |
=================Software: WP Comment Remix
Version: 1.4.3
From: Remote
Severity: Extremely Critical
    Manipulation of data
    Cross-Site Scripting
Type of Advisory: Full Disclosure

Software Description |
==============WP Comment Remix adds a plethora of new options and features to
Wordpress. From Reply and Quote links
for commenters, to a full upgrade to the edit comments pages in the
admin panel, WPCR will save you
time and effort when running your blog.

Vulnerability Description |
=================WP Comment Remix has multiple vulnerabilities which allow remote
attackers to conduct SQL Injection,
Cross-Site Scripting and Cross-Site Request Forgery attacks.
The SQL Injection is possible due to lack of filtration on the comment
post ID variable in the AJAX
Comments script.
The Cross-Site Scripting is possible due to lack of filtration and
escaping on several stored
The Cross-Site Request Forgery is caused by the lack of the WordPress
Nonces on the options panel form.

Technical Description |
===============* SQL Injection *
Inside the script "ajax_comments.php" (around lines 27 to 29):

$id = $_GET['p'];

$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY
comment_date DESC");
As you can see in the presented code, the value of $id is taken from
HTTP GET p variable and then $id is later used
inside the SQL Query of get_results method from the $wpdb object
(which allow WordPress plugins developers to pull
multiple row results from the database), so we can inject SQL code and
the data will later be show as comment data
on the script.

As and a example we can inject something like this:
ajax_comments.php?p=0 UNION SELECT
To obtain the MySQL user, Database name and MySQL version used on the server.

* Cross-Site Scripting *
Inside the script "wpcommentremix.php" (around lines 611 to 781)

(The next code is truncated to only show the vulnerable parts of the code)
$options['replytotext'] = $_POST['replytotext'];
$options['quotetext'] = $_POST['quotetext'];
$options['originallypostedby'] = $_POST['originallypostedby'];
$options['sep'] = $_POST['sep'];
$options['maxtags'] = $_POST['maxtags'];
$options['tagsep'] = $_POST['tagsep'];
$options['tagheadersep'] = $_POST['tagheadersep'];
$options['taglabel'] = $_POST['taglabel'];
$options['tagheaderlabel'] = $_POST['tagheaderlabel'];

... ' /> ...
-----------------------/ This variables totally lack of filtration and escaping so if we store something like this... /---------------------- 5"> _______ Solution | =====Upgrade to version 1.4.4 _______ Timeline | ======Bug Found: 16/09/2008 Vendor Contact: 20/09/2008 Vendor Response: 23/09/2008 Public Disclosure: 13/10/2008 ChX Security (c) 2008 -- Original:

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to