WordPress Flaws and Vulnerabilities

All In One WP Security & Firewall 4.0.9 Security Patch

Blog WordPress Flaws and Vulnerabilities All In One WP Security & Firewall 4.0.9 Security Patch

May 12, 2016 0 comments

On May 10th 2016, All In One WP Security & Firewall patched some SQL injection detected by our team. Those flaws allow any visitor to alter DB queries. This represent a high security risk.

Some explanations

WordPress has many APIs including the database one. This API contain many wrappers, we’re talking about functions that use the API seamlessly.

The $wpdb object is used to play with the database to do selections, insertions or deletion (crud).

Like any development, we have to ask us this question: “do I have to secure this line of code”.

Sometimes some code will call a function that will also call another function, this last one is hiding the source of the data to treat, here comes the flaws.

Any data coming from the user (including the browser) MUST be treated as a malicious one.

The vulnerabilities

The vulnerabilities are presents in versions less than 4.0.9 and came from the lack of treatment of data from the users.

The DREAD score is 5/5 HIGH RISK. The update is mandatory.

These flaws are allowing to any visitors to modify some SQL queries with only a parameter in the URL.

Read the following if you want to know where was the flaw and how to exploit it.

In the file /classes/wp-security-general-init-tasks.php we can find on the init hook this code :

if(isset($_GET['aiowps_auth_key'])){

            //If URL contains unlock key in query param then process the request

            $unlock_key = strip_tags($_GET['aiowps_auth_key']);

            AIOWPSecurity_User_Login::process_unlock_request($unlock_key);

        }

We can find a call to the method process_unlock_request() from the class AIOWPSecurity_User_Login. It takes a parameter which come from $_GET['aiowps_auth_key'] with a simple strip_tags().

Now let see this method, what does it do with our parameter:

static function process_unlock_request($unlock_key)

    {

        global $wpdb, $aio_wp_security;

        $lockdown_table_name = AIOWPSEC_TBL_LOGIN_LOCKDOWN;

        

        $unlock_command = "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = '".$unlock_key."'";

        $result = $wpdb->query($unlock_command);

...

the parameter $unlock_key is directly concatenated into a query une requête without any treatment, only the last strip_tags().

But this is not enough to avoid SQL Injections. To do that you have to “prepare” the query like this:

$unlock_command = $wpdb->prepare( "UPDATE ".$lockdown_table_name." SET release_date = now() WHERE unlock_key = %s", $unlock_key );

The AIOWPS team patched the issue quickly, keep up to date!

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

Some explanations

The vulnerabilities

This might interest you too

Vulnerabilities Exists in Popular WordPress Plugins Too

WordPress 4.9.6 Vulnerability let authors delete any file, updated video

WordPress 4.8.3 – Security Release