WordPress Zingiri Shop SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49398

Analysis of  vulnerability

This vulnerability relies on a lack of validation in the Zingiri Web Shops IsAdmin function in /fws/includes/subs.inc.php from the fws_cust cookies. The method tries to determine if the user is an admin like this:

It splits(Explode!!) the fws_cust cookie by the # character, extracts a md5′ed password and an userID, and then fetches the corresponding user in the database. Notice however on line 232 and 235 that it does not sanitize the input, leading to a SQL injection. We can abuse this to forge a cookie which gives us admin rights using this simple python script:

Numerous other vulnerabilities were fixed that used same attack vector, as a result of copy paste. These can be found by here quite easily, and exploited the same way.

Leave a Reply