Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#42539 closed defect (bug) (duplicate)

PCI Scan - "CGI Generic SQL Injection (blind)"

Reported by: sureshnatarajan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.8
Component: Security
Keywords:
Focuses: administration
Cc:

Description (last modified by SergeyBiryukov)

I have installed the latest WordPress (4.8) on the LAMP stack on an AWS EC2 webserver instance. This is a standard install and we haven't deployed our website on WordPress yet. When we run a PCI scan on the server, the scan fails with the below vulnerability. We are using HackerGuardian Approved Scanning Vendor. We need to fix the issue in order to obtain the PCI compliance. WordPress should fix the vulnerability. Please let us know how to fix the issue until WordPress provides the fix.

Status: Automatic Failure as listed by the PCI SSC (This must be resolved for your device
Target name: 52.87.142.241

Plugin: "CGI Generic SQL Injection (blind)"

Category: "CGI abuses "

Priority: "Urgent

Synopsis: A CGI application hosted on the remote web server is potentially prone to SQL injection attack.

Description: By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a very different response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

See also:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.nessus.org/u?ed792cf5
http://projects.webappsec.org/SQL-Injection

Risk factor: HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

	


	
Plugin output:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'load%5B%5D' parameter of the /wp-admin/load-styles.php CGI :

/wp-admin/load-styles.php?c=0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy

-------- output --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box;-moz-box-sizing:border-box}.meta-box-sortables select,p.submit{max-width:100%}#your-profile label+a,.wp-admin select,fieldset label,label{vertical-align:middle}#pressthis-code-wrap,textarea{overflow:auto}.login h1 a [...]

-------- vs --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
------------------------

Solution: Modify the affected CGI scripts so that they properly escape arguments.

Change History (2)

#1 @Clorith
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, and welcome to Trac.

First off, security-related incidents should never be posted on a public issue tracker. When you make a ticket here, you are both shown an informative window about this, and you must click a box stating you are not posting about a security-related issue.

Security concerns should be directed at our security team at https://hackerone.com/wordpress.

As for the issue, it sounds like a false positive (see #42493 from 5 days ago). Should you have further concerns, please use the HackerOne link above, as this is not the place for such discussions.

#2 @SergeyBiryukov
6 years ago

  • Component changed from Administration to Security
  • Description modified (diff)