
Oftentimes we take for granted the things programmers make. We freely install plugins and content management systems with little regard for how they were built or for the knowledge of the programmer who built them. I have to admit that I am guilty of this as well. The dangers of this become evident when you consider how many of these plugin programmers actually know (or don't know) the basics of security when working with databases.

I feel compelled to call out all those programmers who freely distribute code with little regard for the security of the people who may be using it. There are just too many amateur programmers out there who don't know the basics of security and of properly filtering user input. You're putting the people who use your code at risk, and depending on your carelessness or lack of knowledge it can prove costly for them. Research what you're doing a little, for everyone's sake. I'm not here to bash all programmers, only those who are careless in what they do. I applaud those who want to help others by creating these plugins, but please consider what you're doing and the security implications it may have for the end-user.

Comment Karma is a plugin I recently came across while browsing John Chow's blog. I downloaded the plugin to see how it worked and quickly saw the total disregard for basic security. The plugin submits each 'karma' rating through a JavaScript call like the following:

Code (javascript)

javascript:karma('10314', 'subtract', 'www.cyber-knowledge.net/blog/wp-content/plugins/ck-karma/', 'wp_')

So right away I know that the table prefix for this user's WordPress installation is "wp_". That is nothing big, but it is unnecessary information to reveal nonetheless. Now the big chink in the armour is how this data is processed. It is passed along to a file called ck-processkarma.php. This is an excerpt from the file:

Code (php)

$k_id = $_GET['id'];          // raw request parameters, used with no validation or escaping
$k_action = $_GET['action'];
$k_path = $_GET['path'];
$k_prefix = $_GET['prefix'];
$table_name = 'wp_ck_karma';
if($k_id && $k_action && $k_path && $k_prefix){
    //Check to see if the comment id exists and grab the rating
    $table_name = $k_prefix . 'ck_karma';   // table name is built from the request too
    $query = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";   // $k_id interpolated straight into the SQL

Instantly I see:

Code (php)

$k_id = $_GET['id'];

The user input is passed straight into a variable without being touched or filtered, and it remains unfiltered all the way into the MySQL query. I'm not saying I'm a pro programmer at the age of 17, but come on. This is basic MySQL injection we're talking about here! Let me modify the JavaScript input to show why this is dangerous:

Code (javascript)

javascript:karma('10314 OR 1=1', 'subtract', 'www.cyber-knowledge.net/blog/wp-content/plugins/ck-karma/', 'wp_')

So now when the JavaScript is processed, the MySQL SELECT query will look like this:

Code (php)

$query = "SELECT * FROM wp_ck_karma WHERE ck_comment_id = 10314 OR 1=1";

Of course 1 always equals 1 (or at least in my world). Then finally, when the actual UPDATE query is initiated:

Code (php)

$query = "UPDATE wp_ck_karma SET ck_rating = '-1', ck_ips = 'xxx' WHERE ck_comment_id = 10314 OR 1=1";

This will update every karma rating in the table to -1 (bad karma), because the WHERE clause is now true for every row in the database.

The security risk I've shown in this example is only a mild one. With a bit of modification it would be easy to exploit this query so that it can DROP any MySQL tables the WordPress user has. So this is why I'm calling out these 'programmers'. People are using these things without even knowing the security implications these scripts hold. These plugins are being installed on popular blogs and you're putting those people at risk, so for the sake of those who use your scripts please, please take a MySQL Injection 101 course at your local community college, or visit your best friend.
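For comparison, here is a hardened version of the processing excerpt, added here as an illustration; it is not the plugin author's fix and not code from the original post. It assumes it runs inside WordPress, so the global $wpdb object and its prepare() method are available, that the table has the ck_comment_id, ck_rating and ck_ips columns shown above, and the function name ck_apply_karma() is invented for this example.

```php
<?php
// Added example (not the plugin's code): a hardened rewrite of the excerpt above.
// Assumes WordPress is loaded ($wpdb available); ck_apply_karma() is a made-up name.

function ck_apply_karma() {
    global $wpdb;

    // 1. Coerce the id to an integer. "10314 OR 1=1" becomes 10314 and a
    //    non-numeric value becomes 0, which is rejected below.
    $k_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

    // 2. Only two actions are meaningful; anything else is refused outright
    //    instead of being interpolated into SQL or program logic.
    $allowed = array('add' => 1, 'subtract' => -1);
    $k_action = isset($_GET['action']) ? $_GET['action'] : '';
    if ($k_id <= 0 || !array_key_exists($k_action, $allowed)) {
        status_header(400);
        return false;
    }

    // 3. The table prefix comes from WordPress, not from the request, so the
    //    'prefix' and 'path' parameters the original JavaScript sent are no
    //    longer needed and the prefix is no longer revealed in page source.
    $table_name = $wpdb->prefix . 'ck_karma';

    // 4. Parameterise every value with $wpdb->prepare(): %d forces an integer
    //    and %s is quoted and escaped, so request data cannot alter the query.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT ck_rating FROM `$table_name` WHERE ck_comment_id = %d", $k_id)
    );
    if ($row === null) {
        return false;   // unknown comment id
    }

    $new_rating = (int) $row->ck_rating + $allowed[$k_action];
    // Assumption: ck_ips stores the voter's address (the 'xxx' placeholder above).
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // The WHERE clause can now only ever match the single integer id.
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE `$table_name` SET ck_rating = %d, ck_ips = %s WHERE ck_comment_id = %d",
            $new_rating, $ip, $k_id
        )
    );
    return $new_rating;
}
```

The integer cast alone would have stopped the "OR 1=1" example above, but the prepared statement is what keeps the string column safe as well.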

*Update: This has now been fixed by the plugin author.


7 Comments »


  1. Bawked, 24 Feb 2007 at 4:53 am

    Thank you for pointing out this vulnerability, it's fixed now.

  2. John Hok, 24 Feb 2007 at 6:51 pm

    No problem Bawked. Glad you got it patched up!

  3. Matt Scaglione, 25 Feb 2007 at 1:36 am

    Wow, looks like some great work man. Nice blog also!

  4. John Hok, 25 Feb 2007 at 10:02 am

    @Matt: Thanks for your comments. :)

  5. XtremgenX, 25 Feb 2007 at 11:13 am

    You have a bright future in computer programming John. Keep it up!

  6. John Hok, 25 Feb 2007 at 4:13 pm

    @XtremgenX: Thanks for your kind words!

  7. Nirmal, 04 Mar 2007 at 5:04 am

    That was good info.
    By the way, nice blog, sure to come back again.
