WordPress Zingiri Shop SQL injection vulnerabilities

Advisory
Secunia Advisory SA 49398

Analysis of  vulnerability

This vulnerability relies on a lack of validation in the Zingiri Web Shops IsAdmin function in /fws/includes/subs.inc.php from the fws_cust cookies. The method tries to determine if the user is an admin like this:

It splits(Explode!!) the fws_cust cookie by the # character, extracts a md5′ed password and an userID, and then fetches the corresponding user in the database. Notice however on line 232 and 235 that it does not sanitize the input, leading to a SQL injection. We can abuse this to forge a cookie which gives us admin rights using this simple python script:

Numerous other vulnerabilities were fixed that used same attack vector, as a result of copy paste. These can be found by here quite easily, and exploited the same way.

WordPress Zingiri Shop plugin “abspath” remote file inclusion vulnerability

Advisory
Secunia Advisory SA 49676

Analysis
I had been looking at this particular piece of code for a while. At a glance, while the handling of the looks somewhat safe due to the validation that the input path is in fact a directory, so at best you could sort of chain an exploit with this. The question is, how could you take this to a RFI? Lets look at /fws/download.php:

As you see, this may very well look safe at a glance. For us to be able to exploit the fact that the ‘abspath’ variable is user controlled, we need to get a true back from is_dir. I checked with google how to pull this off when providing a remote host. This isn’t possible with HTTP, and nobody suggested an alternative. For this to work, the protocol wrapper needs to support the “stat()” family of functions. HTTP isn’t one of these. But as it turns out, FTP is. Bingo! We now have a piece of code that through a very specific detail in the PHP implementation, that we can exploit.

By putting up a FTP server with some specified credentials, and a file called wp-blog-header.php with some malicious PHP, we can include an URL in the abspath GET parameter, which will exploit this vulnerability: