lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <9E1B068B-0D7F-4551-81D4-74B4285C5EC3@spam.lifeforms.nl>
Date: Wed, 10 Dec 2014 00:18:40 +0100
From: Walter Hop <security@...m.lifeforms.nl>
To: fulldisclosure@...lists.org,
 bugtraq@...urityfocus.com
Subject: [FD] Multiple vulnerabilities in InfiniteWP Admin Panel

Multiple vulnerabilities in InfiniteWP Admin Panel
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/

-----

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker.

These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin passwords, and in some cases allow PHP code injection.

It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin Panel 2.4.4, and apply the recommendations at the end of this post.

-----

Issue 1: login.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.2

User-controlled parameter email appears in a SQL query modified by function filterParameters() which ostensibly "filters" its arguments, but escaping is not being performed, because the parameter $DBEscapeString is set to false by default. This allows for SQL injection.

-----

Issue 2: execute.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

User-controlled parameter historyID appears without quotes in a SQL query. Additionally, user-controlled parameters historyID and actionID should be escaped by function filterParameters(), but escaping is not being performed, because $DBEscapeString is set to false by default. This allows for SQL injection.

-----

Issue 3: uploadScript.php unrestricted file upload vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Unauthenticated users can upload various file types to the uploads directory, including .php files, if query parameter allWPFiles is set. File names however are suffixed with the .swp extension when written to the file system.

If the following two conditions hold, this leads to PHP injection:

1. The uploads directory must be writable by the webserver.
2. The webserver must interpret *.php.swp files as PHP code, which happens when Apache is used with configuration 'AddHandler application/x-httpd-php .php' or 'AddType application/x-httpd-php .php' (This is discouraged by PHP, but older distributions and some shared hosts use it)

-----

Issue 4: Insecure password storage
Vulnerable: All versions including current (2.4.4)

Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These passwords can easily be cracked.

Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied.

-----

Recommendations

We recommend that users of InfiniteWP take the following actions:

1. Upgrade InfiniteWP Admin Panel to version 2.4.4.
2. Check the uploads directory for the presence of any unauthorized file uploads.
3. Change admin passwords for the InfiniteWP Admin Panel and any Wordpress sites in the panel. Use long and unique passwords.
4. Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
5. Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.

-----

Timeline

- 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
- 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
- 4 Dec: Incomplete fix reported to InfiniteWP
- 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
- 10 Dec: Vulnerabilities published

-----

Credits

The vulnerabilities were found by Walter Hop, Slik BV (http://www.slik.eu/), The Netherlands.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ