ITAS Team discovered a SQL Injection vulnerability in YourMembers WordPress plugin

The YourMembers plugin (https://github.com/YourMembers/yourmembers/tree/master/ym_trunk) contains a flaw that may allow a blind SQL injection attack. The issue is that the script ym_trunk/includes/ym-download_functions.include.php does not sanitize user-supplied input to the 'ym_download_id' parameter before using it in a database query. A remote attacker may use this to inject or manipulate SQL queries against the back-end database, allowing the manipulation or disclosure of arbitrary data.

Vulnerability information:
– Vulnerability : SQL injection
– Vendor : YourMembers (https://github.com/YourMembers)
– Download link : https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
– Affected version: Version 3
– Fix version: N/A
– Discovered by: Trần Đình Tiến – tien.d.tran@itas.vn and ITAS Team

Vulnerability Details:
Vulnerable file: ym_trunk/includes/ym-download_functions.include.php
Vulnerable code (lines 313-329):

function ym_get_download($id=false) {
    global $wpdb, $ym_dl_db;
    $row = new stdClass();
    $row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;
    if ($id) {
        // $id arrives from the ym_download_id request parameter and is concatenated
        // into the query unquoted and unvalidated, so it can rewrite the WHERE clause.
        $sql = 'SELECT id, title, filename, postDate, members, user
                FROM ' . $ym_dl_db . '
                WHERE id = ' . $id;
        $row = $wpdb->get_row($sql);
    }
    return $row;
}
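
As an added example (not the plugin's own code and not a vendor fix), here is the same function rewritten so that the id can only reach the query as an integer. absint() and $wpdb->prepare() are the real WordPress helpers; the stand-ins at the top, the table name wp_ym_downloads and the malicious input at the bottom are constructed for this example so the file also runs outside WordPress and the final query text can be inspected.

```php
<?php
// Added example: hardened form of ym_get_download(). Not the plugin's own code.
// Inside WordPress the real $wpdb and absint() are used; outside it, the small
// stand-ins below let the script run offline so the produced query can be seen.

if (!function_exists('absint')) {
    // Stand-in for the WordPress helper: any value becomes a non-negative integer.
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

if (!class_exists('wpdb')) {
    // Minimal stand-in for the WordPress database class (constructed for this example):
    // prepare() understands only %d and %s, get_row() just records the query it was given.
    class wpdb {
        public $last_query = '';

        public function prepare($query, ...$args) {
            $i = 0;
            return preg_replace_callback('/%([ds])/', function ($m) use ($args, &$i) {
                $value = $args[$i++] ?? '';
                if ($m[1] === 'd') {
                    return (string) (int) $value;
                }
                return "'" . addslashes((string) $value) . "'";
            }, $query);
        }

        public function get_row($query) {
            $this->last_query = $query;
            return null;   // no database in the offline run
        }
    }
}

$wpdb     = $wpdb ?? new wpdb();
$ym_dl_db = $ym_dl_db ?? 'wp_ym_downloads';   // constructed table name for the offline run

function ym_get_download_safe($id = false) {
    global $wpdb, $ym_dl_db;

    $row = new stdClass();
    $row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;

    // The id column is numeric, so coerce the request value to an integer before it
    // gets anywhere near SQL. Non-numeric input and injection payloads collapse to 0
    // or to their leading digits, never to query syntax.
    $id = absint($id);
    if ($id > 0) {
        // %d is bound as an integer by prepare(), so the value cannot change the query
        // structure. The table name is not a bind parameter: it must come from trusted
        // plugin configuration, never from the request.
        $sql = $wpdb->prepare(
            "SELECT id, title, filename, postDate, members, user FROM {$ym_dl_db} WHERE id = %d",
            $id
        );
        $found = $wpdb->get_row($sql);
        if ($found) {
            $row = $found;
        }
    }
    return $row;
}

// Offline demonstration with a constructed malicious value for ym_download_id.
ym_get_download_safe("1 OR 1=1");
echo $wpdb->last_query, PHP_EOL;
```

Run outside WordPress, the echoed query ends in WHERE id = 1: absint() keeps only the leading integer of the crafted value, and prepare() binds it as %d, so no part of the input can become SQL. The same two steps (type coercion at the boundary, placeholder binding in the query) are the fix a reviewer would expect for every request parameter the plugin passes to $wpdb.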

Disclosure timeline:
– 27/08/2014 : Vulnerability discovered
– 14/10/2014 : ITAS Team publishes information

References:
– http://www.exploit-db.com/exploits/34968/
– http://osvdb.org/show/osvdb/113305
