[Full-disclosure] Multiple Vulnerabilities in Mingle Forum (WordPress Plugin)
uuf6429 at gmail.com
Sat Jan 8 15:37:02 GMT 2011
Wait, the developer fixed the plugin before he got the initial email?
12/17/2010 Initial email sent to plugin maintainer.
01/01/2010 Received response from plugin maintainer.
On Sat, Jan 8, 2011 at 4:21 PM, Charles Hooper <chooper at plumata.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 1. Advisory Information
> Title: Multiple Vulnerabilities in Mingle Forum (WordPress Plugin)
> Advisory URL: http://www.charleshooper.net/advisories/
> Date Published: January 8th, 2011
> Vendors Contacted: Paul Carter - Maintainer of plugin.
> 2. Summary
> Mingle Forum is a plugin for the popular blog tool and publishing
> platform, WordPress. According to the author of Mingle Forum, "Mingle
> Forum has been modified to be lightweight, solid, secure, quick to
> setup, [and] easy to use."
> There exist multiple vulnerabilities in Mingle Forum, SQL injection
> being among them.
> 3. Vulnerability Information
> Packages/Versions Affected: Confirmed on 1.0.24 and 1.0.26
> 3a. Type: SQL Injection [CWE-89]
> 3a. Impact: Read application data.
> 3a. Discussion: There is a SQL injection vulnerability present in the
> RSS feed generator. By crafting specific URLs an attacker can retrieve
> information from the MySQL database.
> 3b. Type: SQL Injection [CWE-89]
> 3b. Impact: Read application data.
> 3b. Discussion: There is a SQL injection vulnerability present in the
> `edit post` functionality. By crafting specific URLs an attacker can
> retrieve information from the MySQL database.
> 3c. Type: Auth Bypass via Direct Request [CWE-425]
> 3c. Impact: AuthZ is not performed for `edit post` functionality.
> 3c. Discussion: By browsing directly to the `edit post` page a user can
> view and edit any page.
> 4. PoC & Technical Description
> 4c. http://path.to/forums/?mingleforumaction=editpost&t=1.0&id=<target
> post ID>
> 5. Report Timeline
> 12/17/2010 Initial email sent to plugin maintainer.
> 12/22/2010 Confirmation of first email requested.
> 12/31/2010 Correct email address obtained. Maintainer contacted again on
> this date.
> 01/01/2010 Received response from plugin maintainer.
> 01/07/2010 Plugin maintainer releases update that addresses these
> 6. References
> 6a. The WordPress Plugin page for Mingle Forum:
> 7. Legalese
> This vulnerability report by Charles Hooper < chooper at plumata.com > is
> licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
> 3.0 Unported License.
> 8. Signature
> Public Key: Obtainable via pool.sks-keyservers.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> -----END PGP SIGNATURE-----
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-------------- next part --------------
An HTML attachment was scrubbed...
Full-Disclosure is hosted and sponsored by Secunia.