[wp-trac] [WordPress Trac] #42493: CGI Generic SQL Injection (blind)
WordPress Trac
noreply at wordpress.org
Thu Nov 9 19:47:07 UTC 2017
#42493: CGI Generic SQL Injection (blind)
--------------------------+-----------------------------
Reporter: gediweb | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.8.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
We have Sitelock scanning our website and this is the first time they have
given us a warning. I know it says "potentially" but how do I get them to
stop giving us this warning? And how do I harden the files so that it does
not get attacked?
Here is what I got from them.
'''Synopsis:''' A CGI application hosted on the remote web server is
potentially prone to SQL injection attack.
'''Description:''' By sending specially crafted parameters to one or more
CGI scripts hosted on the remote web server, SiteLock was able to get a
very different response, which suggests that it may have been able to
modify the behavior of the application and directly access the underlying
database.
An attacker may be able to exploit this issue to bypass authentication,
read confidential data, modify the remote database, or even take control
of the remote operating system.
Note that this script is experimental and may be prone to false positives.
'''Solution:''' Modify the affected CGI scripts so that they properly
escape arguments.
'''Technical Details:'''
{{{
Using the GET HTTP method, SiteLock found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The 'load%5B%5D' parameter of the /wp-admin/load-styles.php CGI :
/wp-admin/load-styles.php?c=1&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz1&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy
-------- output --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box;-moz-box-sizing:border-box}.meta-box-sortables select,p.submit{max-width:100%}#your-profile label+a,.wp-admin select,fieldset label,label{vertical-align:middle}#pressthis-code-wrap,textarea{overflow:auto}.login h1 a [...]
-------- vs --------
#pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
.locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
------------------------
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42493>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
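Editor's note on the finding above, with an added example that is not part of the ticket or of WordPress itself. The scanner's evidence is a differential: it duplicated the load[] parameter with two junk suffixes (loginzz1 and loginyy) and got a response that differs from its baseline, which its heuristic reports as possible blind SQL injection. The Python below emulates, as I read the 4.8.x source of wp-admin/load-styles.php, what that script does with $_GET['load'] (an array is imploded with an empty separator, every character outside [a-z0-9,_-] is stripped, the string is split on commas, de-duplicated, and any handle not registered in $wp_styles is skipped; no database is queried at any point). The REGISTERED table is a constructed stand-in for the real style registry, the CSS bodies are placeholders, and BASELINE is a constructed guess at the scanner's unmutated request, since the report only shows the mutated one; the PROBE URL is the one quoted in the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for $wp_styles->registered: handle -> CSS served.
# The real script reads CSS files from disk for each known handle; the
# bodies here are placeholders chosen to echo the report's output snippet.
REGISTERED = {
    "dashicons": "/* dashicons */",
    "buttons": ".wp-core-ui .button{display:inline-block}",
    "forms": "#pass-strength-result,input,textarea{-webkit-box-sizing:border-box}",
    "l10n": ".locale-he-il em{font-style:normal}",
    "login": ".login h1 a{background-image:none}",
}


def resolve_handles(load_values):
    """Emulate load-styles.php's handling of $_GET['load'] (my reading of 4.8.x):
    implode array values with '', strip everything outside [a-z0-9,_-],
    split on ',', de-duplicate keeping order, skip unregistered handles.
    Nothing here touches a database."""
    load = "".join(load_values)
    load = re.sub(r"[^a-z0-9,_-]+", "", load, flags=re.IGNORECASE)
    unique = list(dict.fromkeys(load.split(",")))  # array_unique, order kept
    return [h for h in unique if h in REGISTERED]


def serve(url):
    """Return (handles actually served, concatenated CSS) for a request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    handles = resolve_handles(query.get("load[]", []))  # %5B%5D decodes to []
    return handles, "\n".join(REGISTERED[h] for h in handles)


def looks_injectable(baseline_css, probe_css):
    """The heuristic the scanner describes: a 'very different response' to a
    mutated parameter is reported as a possible blind SQL injection."""
    return baseline_css != probe_css


# Constructed baseline: the same request with the last handle left intact.
BASELINE = ("/wp-admin/load-styles.php?c=1&ver=4.8.3&dir=ltr"
            "&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2clogin")

# The mutated request quoted in the report, joined onto one line.
PROBE = ("/wp-admin/load-styles.php?c=1&ver=4.8.3&dir=ltr"
         "&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz1"
         "&ver=4.8.3&dir=ltr"
         "&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy")


def explain():
    """Reproduce the differential and show where it actually comes from."""
    base_handles, base_css = serve(BASELINE)
    probe_handles, probe_css = serve(PROBE)
    dropped = [h for h in base_handles if h not in probe_handles]
    return {
        # True: the scanner's comparison does fire on this input.
        "scanner_flags_it": looks_injectable(base_css, probe_css),
        "baseline_handles": base_handles,
        "probe_handles": probe_handles,
        # 'login' is lost: the junk suffix makes 'loginzz1' unknown, and the
        # second array element is glued onto it, so its CSS is never emitted.
        "dropped_handles": dropped,
        # A classic payload never reaches a query: the character filter
        # reduces it to an unregistered handle, which is simply skipped.
        "sqli_payload_survives": resolve_handles(["login' OR 1=1--"]),
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print(f"{key}: {value}")
```

Run stand-alone, the script shows the scanner's comparison firing while the only thing that changed is the set of handles that pass the whitelist; the missing ".login h1 a" rule in the report's "vs" column is consistent with that. For the reporter's practical question: there is nothing in load-styles.php to escape, since the parameter never reaches SQL, so the right move is to ask the vendor to whitelist or mark this finding as a false positive rather than to modify core files.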