On May 10th 2016, All In One WP Security & Firewall patched several SQL injection flaws reported by our team. These flaws allow any visitor to alter database queries, which represents a high security risk.
WordPress exposes many APIs, including a database one. That API comes with many wrappers: functions that use the API on your behalf so you do not have to deal with it directly.
The $wpdb object is used to work with the database for selections, insertions, updates or deletions (CRUD).
As with any development, we have to ask ourselves the question: "do I have to secure this line of code?"
Sometimes a piece of code calls a function that in turn calls another function, and that last one hides where the data it handles actually comes from. This is where the flaws appear.
Any data coming from the user (including the browser) MUST be treated as malicious.
The vulnerabilities are present in versions prior to 4.0.9 and come from a lack of treatment of user-supplied data.
The DREAD score is 5/5, HIGH RISK. Updating is mandatory.
These flaws allow any visitor to modify SQL queries with nothing more than a parameter in the URL.
Read on if you want to know where the flaw was and how to exploit it.
In the file /classes/wp-security-general-init-tasks.php we can find, on the init hook, this code:
There is a call to the method process_unlock_request() of the class AIOWPSecurity_User_Login. It takes a parameter that comes straight from $_GET['aiowps_auth_key'] with a simple
Now let's look at this method and what it does with our parameter:
$unlock_key is directly concatenated into the query without any treatment, only the last
But this is not enough to prevent SQL injection. To do that you have to "prepare" the query, like this:
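The following is an added example written for this post; it is not the plugin's own code. It puts the vulnerable pattern described above (a value taken from $_GET and concatenated into a $wpdb query) beside the prepared-statement version. The table name, column name and the FakeWpdb stand-in are assumptions made so the script runs outside WordPress; inside WordPress you would use the real global $wpdb instead.

```php
<?php
// Added example, not the plugin's code. Shows the concatenation flaw the post
// describes next to the $wpdb->prepare() fix. Table/column names are assumed.

// Minimal stand-in for $wpdb so this runs outside WordPress. Only prepare()
// and get_var() are modelled. The real wpdb::prepare() accepts %s, %d and %f
// placeholders and quotes/escapes %s values itself; this stand-in emulates %s
// only. In WordPress, drop this class and use the real global $wpdb.
class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    public function prepare($query, ...$args) {
        $quoted = array_map(function ($a) {
            // escape quotes/backslashes, then wrap in single quotes
            return "'" . addslashes((string) $a) . "'";
        }, $args);
        return vsprintf($query, $quoted);
    }

    public function get_var($sql) {
        $this->last_query = $sql; // no database here: just record the query
        return null;
    }
}

// Vulnerable pattern: user input concatenated straight into the SQL string.
function build_unlock_query_vulnerable($wpdb, $unlock_key) {
    $table = $wpdb->prefix . 'lockdown'; // assumed table name
    return "SELECT id FROM $table WHERE unlock_key = '" . $unlock_key . "'";
}

// Fixed pattern: the value is bound through a %s placeholder so quotes in it
// are escaped and it can never close the string literal and alter the query.
function build_unlock_query_prepared($wpdb, $unlock_key) {
    $table = $wpdb->prefix . 'lockdown'; // assumed table name
    return $wpdb->prepare("SELECT id FROM $table WHERE unlock_key = %s", $unlock_key);
}

$wpdb = new FakeWpdb();

// Constructed input standing in for $_GET['aiowps_auth_key']: a generic
// quote-breaking payload, used here only to show the query being altered.
$payload = "x' OR '1'='1";

$vuln = build_unlock_query_vulnerable($wpdb, $payload);
$safe = build_unlock_query_prepared($wpdb, $payload);

echo "Concatenated: $vuln\n";
// -> SELECT id FROM wp_lockdown WHERE unlock_key = 'x' OR '1'='1'
//    The WHERE clause now matches every row: the query has been rewritten.
echo "Prepared:     $safe\n";
// -> SELECT id FROM wp_lockdown WHERE unlock_key = 'x\' OR \'1\'=\'1'
//    The payload stays inside the string literal and matches nothing.

$wpdb->get_var($safe);
echo "Executed:     " . $wpdb->last_query . "\n";
```

The fix is the placeholder, not any stripping of tags or spaces applied to the value beforehand: once the value is bound with %s, whatever it contains is compared as data rather than parsed as SQL.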
The AIOWPS team patched the issue quickly. Keep your plugins up to date!