David Kierznowski of BlogSecurity has found a critical vulnerability in the popular TextLinkAds plugin for WordPress. The vulnerability allows an unauthenticated, remote attacker to completely compromise your database and therefore your blog.
This is a serious security risk, and should take higher priority than it has. I have shared various emails with TextLinkAds (starting 31 Dec 2007), but no fix has been made available to date - as far as I am aware. It was trivial to find and there are most likely others… I am releasing this now as attackers may already be exploiting it and I am reluctant to leave it longer.
The vulnerability was tested on version 1.1.1 and the latest version 1.1.3; both were found vulnerable. Please note I have verified that this vulnerability affects v3.0.8. Please note, all plugin versions released before 15/Jan/08 are likely affected. DO NOT rely on the version numbers.
Proof of concept: Removed for security reasons.
Fix information:
The vulnerable code is found on line 512:
$postId = $postId;
This variable is passed to $wpdb->get_results without being sanitised.
To fix this hole, simply change the above line to:
$postId = (int) $postId; /* FIXED */
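A hardened form of the lookup the advisory describes, as an added example that is not the plugin's own code. The function names, the table name and the column name are assumptions; the only thing taken from the page is the (int) cast before the value reaches $wpdb->get_results.

```php
<?php
// Added example, not TextLinkAds code. Assumes a hypothetical helper that
// looks up a post's link records by ID through WordPress's $wpdb object.

/**
 * Return a validated positive integer post ID, or null if the input is not one.
 * The (int) cast is the one-line fix from the advisory; checking is_numeric()
 * first lets the caller notice (and log) inputs that were never a number.
 */
function tla_sanitize_post_id( $postId ) {
    if ( ! is_numeric( $postId ) ) {
        return null;
    }
    $id = (int) $postId;
    return $id > 0 ? $id : null;
}

/**
 * Hypothetical lookup; table and column names are assumptions.
 * Even after the cast, bind the value with $wpdb->prepare() and a %d
 * placeholder so untrusted text can never be concatenated into the SQL.
 */
function tla_get_post_links( $postId ) {
    global $wpdb;
    $id = tla_sanitize_post_id( $postId );
    if ( $id === null ) {
        // Reject rather than query: an invalid ID is a bad request, not a lookup.
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}textlinkads_links WHERE post_id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}
```

With this shape, a non-numeric $postId returns an empty result set without touching the database, and a numeric one is bound as an integer by prepare().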
While browsing through the code, I did notice other SQL injection problems. Some of these are mitigated by the fact that you need a valid TextLinkAds key to call the function, but a more in-depth review may reveal more.
Summary
Although I have provided a fix, I would suggest disabling this plugin until a full review of the code has been conducted by TextLinkAds and an appropriate fix released. I am sure this will cause a lot of anxiety, especially as a number of larger and smaller blogs earn income via this service.