WordPress Flaws and Vulnerabilities

All In One WP Security & Firewall 4.0.9 Security Patch


On May 10th 2016, All In One WP Security & Firewall patched several SQL injection flaws detected by our team. These flaws allow any visitor to alter database queries, which represents a high security risk.

Some explanations

WordPress has many APIs, including a database API. That API contains many wrappers, that is, functions that use the API seamlessly.

The $wpdb object is used to work with the database: selections, insertions, updates and deletions (CRUD).

As in any development, we have to ask ourselves the question: “do I have to secure this line of code?”

Sometimes a piece of code calls a function that in turn calls another function, and this last one hides where the data it processes comes from. This is where the flaws appear.

Any data coming from the user (including the browser) MUST be treated as malicious.

The vulnerabilities

The vulnerabilities are present in versions prior to 4.0.9 and come from the lack of sanitisation of user-supplied data.

The DREAD score is 5/5, HIGH RISK. The update is mandatory.

These flaws allow any visitor to modify SQL queries using nothing more than a parameter in the URL.

Read on if you want to know where the flaw was and how it can be exploited.

In the file /classes/wp-security-general-init-tasks.php we can find, on the init hook, this code:

```php
if(isset($_GET['aiowps_auth_key'])){
    //If URL contains unlock key in query param then process the request
    $unlock_key = strip_tags($_GET['aiowps_auth_key']);
    AIOWPSecurity_User_Login::process_unlock_request($unlock_key);
}
```

We can see a call to the method process_unlock_request() of the class AIOWPSecurity_User_Login. It takes a parameter that comes from $_GET['aiowps_auth_key'], with only a simple strip_tags() applied.

Now let's look at this method and see what it does with our parameter:

```php
static function process_unlock_request($unlock_key)
{
    global $wpdb, $aio_wp_security;
    $lockdown_table_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;

    $unlock_command = "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = '".$unlock_key."'";
    $result = $wpdb->query($unlock_command);
    // …
```

The parameter $unlock_key is concatenated directly into the query without any treatment apart from the earlier strip_tags(), which only removes HTML tags and leaves quotes untouched.

That is not enough to prevent SQL injection. To prevent it you have to “prepare” the query, like this:

```php
$unlock_command = $wpdb->prepare( "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = %s", $unlock_key );
```
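To show what the difference between the two versions actually means for the lockdown table, here is an added example that is not code from the plugin: the pre-4.0.9 concatenated query and the prepared query, modelled in Python against an in-memory SQLite database. The table layout, the three locked-out rows, the table name, the strip_tags() approximation and the helper functions are all constructed for this demonstration (SQLite has no now(), so CURRENT_TIMESTAMP stands in for it; sqlite3's "?" placeholder plays the role of "%s" in $wpdb->prepare()).

```python
"""Added example (not from the AIOWPS plugin): the vulnerable and the fixed
unlock query from the post, modelled with an in-memory SQLite database so the
effect of the injection can be observed. Schema, rows and helpers are
constructed for this demonstration."""
import re
import sqlite3

# Stand-in for the AIOWPSEC_TBL_LOGIN_LOCKDOWN table (assumed minimal schema).
LOCKDOWN_TABLE = "aiowps_login_lockdown"


def strip_tags(value: str) -> str:
    """Approximation of PHP strip_tags(): removes <...> markup only.
    Quotes survive, which is why it is no defence against SQL injection."""
    return re.sub(r"<[^>]*>", "", value)


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: three locked-out IPs, each with its own key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {LOCKDOWN_TABLE} ("
        "id INTEGER PRIMARY KEY, failed_login_ip TEXT, "
        "unlock_key TEXT, release_date TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {LOCKDOWN_TABLE} VALUES (?, ?, ?, ?)",
        [
            (1, "203.0.113.10", "key-aaaa", "2099-01-01 00:00:00"),
            (2, "203.0.113.11", "key-bbbb", "2099-01-01 00:00:00"),
            (3, "203.0.113.12", "key-cccc", "2099-01-01 00:00:00"),
        ],
    )
    return conn


def process_unlock_vulnerable(conn: sqlite3.Connection, unlock_key: str) -> int:
    """Mirror of the pre-4.0.9 code: the key is concatenated into the SQL
    string. Returns the number of lockdown rows released."""
    unlock_key = strip_tags(unlock_key)
    # SQLite has no now(); CURRENT_TIMESTAMP plays the same role here.
    sql = (
        "UPDATE " + LOCKDOWN_TABLE
        + " SET release_date = CURRENT_TIMESTAMP WHERE unlock_key = '"
        + unlock_key + "'"
    )
    return conn.execute(sql).rowcount


def process_unlock_fixed(conn: sqlite3.Connection, unlock_key: str) -> int:
    """Mirror of the 4.0.9 fix: the key is passed as a bound parameter
    ('?' in sqlite3, '%s' in $wpdb->prepare()). Returns rows released."""
    unlock_key = strip_tags(unlock_key)
    return conn.execute(
        "UPDATE " + LOCKDOWN_TABLE
        + " SET release_date = CURRENT_TIMESTAMP WHERE unlock_key = ?",
        (unlock_key,),
    ).rowcount


# Value that would arrive as ?aiowps_auth_key=... in the URL. strip_tags()
# leaves the quote untouched, so in the concatenated query the WHERE clause
# becomes:  unlock_key = '' OR 1=1 -- '
INJECTED_KEY = "' OR 1=1 -- "


def demo() -> dict:
    """Run both variants against fresh data with a real key and the payload."""
    results = {}
    for name, fn in (("vulnerable", process_unlock_vulnerable),
                     ("fixed", process_unlock_fixed)):
        results[name] = {
            "valid_key": fn(fresh_db(), "key-bbbb"),
            "injected_key": fn(fresh_db(), INJECTED_KEY),
        }
    return results


if __name__ == "__main__":
    for variant, counts in demo().items():
        print(f"{variant:10s} valid key -> {counts['valid_key']} row(s), "
              f"injected key -> {counts['injected_key']} row(s)")
```

With the concatenated query, the valid key releases one row but the injected value releases every lockdown in the table; with the bound parameter the same value matches nothing, because it is compared as a literal string rather than parsed as SQL. Note that the table name is still concatenated in both versions: that is acceptable only because it comes from a constant, never from the request.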

The AIOWPS team patched the issue quickly. Keep up to date!
