WordPress WP E-Commerce 3.8.9 SQL Injection / Cross Site Scripting

WordPress WP E-Commerce 3.8.9 SQL Injection / Cross Site Scripting
Software: WP e-Commerce
Software Language: PHP
Version: 3.8.9 and below
Vendor Status: Vendor contacted
Release Date: 2012-11-12
Risk: High
 
 
 
1. General Overview
===================
During the security audit of WP E-Commerce plugin for WordPress CMS,
multiple vulnerabilities were discovered using DefenseCode ThunderScan
PHP web application source code security analysis platform.
More information about ThunderScan PHP is available at URL:
http://www.defensecode.com/subcategory/thunderscan-8
 
Detailed report for each vulnerability can be found in the following PDF
report:
http://www.defensecode.com/public/wp-e-commerce_security_audit_final_report.pdf
 
Report has been generated by ThunderScan PHP Web Application Source Code
Security Analysis.
 
 
2. Software Overview
===================
WP e-Commerce is a popular e-commerce plugin for WordPress. Users can
use it to to sell products, downloads or services online. It has more
than 2 Million downloads on wordpress.org.
 
Homepage:
http://wordpress.org/extend/plugins/wp-e-commerce/
http://getshopped.org/
 
 
3. Brief Vulnerability Description
==================================
During the security analysis, ThunderScan PHP discovered multiple SQL
Injection and Cross Site Scripting vulnerabilities in WP e-Commerce plugin.
 
3.1. SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function: get_results($sql)
Variable: $_POST['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 699 wp-e-commerce\wpsc-core\wpsc-deprecated.php
 
3.2 SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function: get_results( $sql )
Variable: $_POST['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 681 wp-e-commerce\wpsc-core\wpsc-deprecated.php
 
3.3 SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function: get_results( $sql )
Variable: $_GET['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 525 wp-e-commerce\wpsc-includes\purchaselogs.class.php
 
3.4 SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function:  get_results( $sql )
Variable: $_GET['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 543 wp-e-commerce\wpsc-includes\purchaselogs.class.php
 
3.5 SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function:  get_results( $sql )
Variable: $_GET['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 534 wp-e-commerce\wpsc-includes\purchaselogs.class.php
 
3.6 SQL injection
File: wp-e-commerce\wpsc-includes\purchaselogs.class.php
Function:  get_results( $sql )
Variable: $_POST['view_purchlogs_by_status']
Called from (function line file):
get_purchlogs() 689 wp-e-commerce\wpsc-core\wpsc-deprecated.php
 
3.7 Cross-Site Scripting
File: wp-e-commerce\wpsc-admin\includes\purchase-log-list-ta
ble-class.php
Function: echo ('<input type="hidden" name="m" value="' . $m . '" />')
Variable: $_REQUEST['m']
 
 
4. Solution
===========
Vendor resolved security issues in latest WP e-Commerce release. All
users are strongly advised to update WP e-Commerce plugin to the latest
available version 3.8.9.1.
 
# 1337day.com [2012-11-19]

Bài viết liên quan