Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#42493 closed defect (bug) (invalid)

CGI Generic SQL Injection (blind)

Reported by: gediweb
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 4.8.3
Component: Security
Keywords:
Focuses:
Cc:

Description

We have Sitelock scanning our website and this is the first time they have given us a warning. I know it says "potentially" but how do I get them to stop giving us this warning? And how do I harden the files so that it does not get attacked?

Here is what I got from them.

Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, SiteLock was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution: Modify the affected CGI scripts so that they properly escape arguments.

Technical Details:

Using the GET HTTP method, SiteLock found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'load%5B%5D' parameter of the /wp-admin/load-styles.php CGI :

/wp-admin/load-styles.php?c=1&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz1&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy

-------- output --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box;-moz-box-sizing:border-box}.meta-box-sortables select,p.submit{max-width:100%}#your-profile label+a,.wp-admin select,fieldset label,label{vertical-align:middle}#pressthis-code-wrap,textarea{overflow:auto}.login h1 a [...]

-------- vs --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
------------------------
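The scanner report quoted above rests on a single heuristic: send a modified parameter, and treat a "very different response" as a hint of injection. That hint is indistinguishable from the normal behaviour of an endpoint whose whole purpose is to vary its output with the parameter, which is why such findings need triage rather than a code change. The following is an added illustration, not WordPress code and not the real `load-styles.php`: a hypothetical bundling handler that concatenates stylesheets from a fixed allowlist, the scanner-style comparison, and a triage helper that shows whether a response difference is fully explained by allowlisted handles. The `STYLESHEETS` table, the query strings and all function names are constructed for the example.

```python
# Added illustration (not WordPress code): a stand-in for an asset-bundling
# endpoint, the response-diff heuristic a scanner uses to hint at blind SQL
# injection, and a triage helper.  All handles and stylesheets are constructed.
from urllib.parse import parse_qs

# Constructed allowlist: handle -> stylesheet body (not real WordPress CSS).
STYLESHEETS = {
    "dashicons": ".dashicons{font-family:dashicons}",
    "buttons": ".button{display:inline-block}",
    "forms": "input,textarea{box-sizing:border-box}",
    "l10n": ".locale-he-il em{font-style:normal}",
    "login": ".login h1 a{background-size:84px}",
}


def requested_handles(query_string):
    """Split every load[] value on commas.
    parse_qs URL-decodes both the key (%5B%5D) and the values (%2c)."""
    params = parse_qs(query_string)
    handles = []
    for raw in params.get("load[]", []):
        handles.extend(h.strip() for h in raw.split(",") if h.strip())
    return handles


def load_styles(query_string):
    """Hypothetical bundling handler: concatenate only allowlisted stylesheets.
    Unknown handles are dropped; the parameter is a dictionary key and never
    reaches a database."""
    return "".join(STYLESHEETS[h] for h in requested_handles(query_string)
                   if h in STYLESHEETS)


def responses_differ(baseline_qs, probe_qs, handler=load_styles):
    """Scanner-style heuristic: a different body for a modified parameter is
    taken as a hint of injection.  On its own it proves nothing about how the
    parameter is used server-side."""
    return handler(baseline_qs) != handler(probe_qs)


def explain_difference(baseline_qs, probe_qs):
    """Triage step: the allowlisted handles that differ between the two
    requests.  If the response difference is fully explained by this set,
    the behaviour is the endpoint's design, not evidence of database access."""
    accepted_a = {h for h in requested_handles(baseline_qs) if h in STYLESHEETS}
    accepted_b = {h for h in requested_handles(probe_qs) if h in STYLESHEETS}
    return sorted(accepted_a ^ accepted_b)


if __name__ == "__main__":
    # Constructed query strings in the shape of the scanner's request.
    base = "c=1&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2clogin"
    probe = "c=1&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz1"
    print(responses_differ(base, probe))    # True: the scanner would flag this
    print(explain_difference(base, probe))  # ['login']: the whole difference
```

The point for whoever reviews such a finding is the last function: when every byte of the difference is accounted for by which allowlisted names appeared in the parameter, the scanner has observed a lookup, not a query, and the right response is to report the false positive back to the scanning vendor rather than to "escape arguments" that are never passed to SQL.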

Change History (5)

#1 @voldemortensen
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.8.3 deleted

Hey there @gediweb,

I recommend contacting SiteLock about this issue. Their contact information can be found here: https://www.sitelock.com/
Trac isn't really a place for support, especially in regards to 3rd party systems.

This looks like it's likely a false positive, but have them check anyway. If it is indeed a security issue, please have them report it responsibly here: https://hackerone.com/wordpress.

Last edited 7 years ago by voldemortensen

#2 @gediweb
7 years ago

  • Resolution invalid deleted
  • Severity changed from normal to major
  • Status changed from closed to reopened
  • Version set to 4.8.3

#3 @gediweb
7 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

#4 @johnbillion
7 years ago

  • Resolution changed from wontfix to invalid

Genuine question: Did you miss the two warnings about not reporting security vulnerabilities in this issue tracker? They are hard to miss. In the future, please report anything related to security to the WordPress program on HackerOne.

https://i.imgur.com/ZlTUg1s.png

https://i.imgur.com/y5jhcC0.png

#5 @Clorith
7 years ago

#42539 was marked as a duplicate.
