CVE-2012-10009: Check for sql injection by '"; · wp-plugins/404like@2c4b589
A vulnerability was found in 404like Plugin up to 1.0.2. It has been classified as critical. Affected is the function checkPage of the file 404Like.php. The manipulation of the argument searchWord leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 1.0.2 addresses this issue. The name of the patch is 2c4b589d27554910ab1fd104ddbec9331b540f7f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-223404.
@@ -3,7 +3,7 @@ Plugin Name: 404Like Plugin URI: http://www.gnetos.de/projekte/404Like Description: Es wird keine 404 Fehlermeldung ausgegeben, sondern nach ähnlichen Seiten gesucht und auf eventuelle Treffer weitergeleitet oder eine Liste möglicher Treffer ausgegeben / It is not issued any 404 error message, but looking for similar sites and forwarded to any results or output a list of possible matches Version: 1.0 Version: 1.0.2 Author: Tobias Gafner Author URI: http://www.gnetos.de License: GPL2 @@ -28,16 +28,18 @@ * Search function */ function findPostWhereLikeNameTitle($title = “”) { $title = strtolower($title); $where .= " (post_type = ‘post’ OR post_type = ‘page’) AND post_status = ‘publish’ AND (post_name like ‘%".$title."%’ OR post_title like ‘%".$title."%’)"; post_status = ‘publish’ AND (LOWER(post_name) like ‘%".$title."%’ OR post_title like ‘%".$title."%’)"; return $where; } /** * Search function */ function findPostWhereLike($title = “”) { $title = strtolower($title); $where = " (post_type = ‘post’ OR post_type = ‘page’) AND post_status = ‘publish’ AND (post_title like ‘%".$title."%’)"; post_status = ‘publish’ AND (LOWER(post_title) like ‘%".$title."%’)"; return $where; } /** @@ -52,11 +54,15 @@ function findPostWhereLike($title = “”) { */ function checkPage() { global $wpdb;
if ( !is_404() ) return;
$urltext = $_SERVER[‘REQUEST_URI’]; //$urltexta = substr($urltext,1); $urltext = trim($urltext); //Letztes / loeschen //schuetzen $urltext = htmlspecialchars($urltext); if(strlen($urltext) != 0) { //Letztes Zeichen ist ? @@ -66,16 +72,22 @@ function checkPage() { //Letztes von xxx/xxxx/xxx ist interessant $searchWord = substr (strrchr ($urltext, “/”), 1); //SQL $searchWord = stripslashes($searchWord); $searchWord = str_replace ("’", "", $searchWord); $searchWord = str_replace ('"’, "", $searchWord); $searchWord = str_replace (';’, "", $searchWord); $querystr = "SELECT * FROM $wpdb->posts WHERE ".findPostWhereLike($searchWord); $pageposts = $wpdb->get_col($querystr); if ($pageposts) { ob_start(); if (count($pageposts) == 1) {
if (count($pageposts) == 1 || ($searchWord == “404Like” || $searchWord == “404like”)) { foreach ($pageposts as $id) { $url = get_permalink($id); echo $inhalt; wp_redirect($url,301); // Okay, stop. break; }
wp_reset_query(); @@ -112,7 +124,7 @@ function new404ErrorPage() { $pageposts = $wpdb->get_col($querystr); if ($pageposts) { //Ausgabe echo '<div id="errorresults"><h2 class="twost">Folgendes Gesucht ?</h2><ul>’; echo ‘<div id="errorresults"><h2 class="twost">’.__(“Folgendes Gesucht”).’ ?</h2><ul>’; foreach ($pageposts as $id) { $post_id_7 = get_post($id); $url = get_permalink($id); @@ -125,4 +137,13 @@ function new404ErrorPage() { wp_reset_query(); } }
function plugin404Like_filter($redirect, $request) {
if ( is_404() ) {return false;} return $redirect; }
add_action( 'template_redirect’, ‘checkPage’ ); add_filter( 'redirect_canonical’, 'plugin404Like_filter’, 10, 2 ); ?>
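Review bot: Removing `'`, `"` and `;` from `$searchWord` with three `str_replace` calls in checkPage (the `@@ -66,16 +72,22 @@` hunk) is a character blacklist, while the query is still assembled by string concatenation in findPostWhereLike and findPostWhereLikeNameTitle (the `@@ -28,16 +28,18 @@` hunk), so the word still lands inside the `like '%…%'` literals without SQL escaping — `stripslashes()` only strips one level of backslashes, for example, and backslashes are not on the removed-character list. The durable fix belongs at the interpolation site: run the word through `$wpdb->esc_like()` and bind it with `$wpdb->prepare()`, after which the blacklist in checkPage becomes unnecessary; findPostWhereLikeNameTitle needs the same treatment for both of its placeholders. The earlier `htmlspecialchars($urltext)` is escaping for the HTML context, not SQL, and also changes what is searched for, so it should not be relied on here. The enclosing checkPage body begins in the previous hunk and continues past this one.
```php
function findPostWhereLike($title = "") {
    global $wpdb;
    // Bind the search word instead of concatenating it; esc_like() neutralises LIKE wildcards.
    $like = '%' . $wpdb->esc_like(strtolower($title)) . '%';
    $where = $wpdb->prepare(
        " (post_type = 'post' OR post_type = 'page') AND post_status = 'publish' AND (LOWER(post_title) like %s)",
        $like
    );
    return $where;
}
// … unchanged: findPostWhereLikeNameTitle (apply the same prepare()/esc_like() pattern), checkPage, new404ErrorPage …
```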