[wp-trac] [WordPress Trac] #42539: PCI Scan - "CGI Generic SQL Injection (blind)"

WordPress Trac noreply at wordpress.org
Tue Nov 14 13:34:17 UTC 2017


#42539: PCI Scan - "CGI Generic SQL Injection (blind)"
-----------------------------+-----------------------------
 Reporter:  sureshnatarajan  |       Owner:
     Type:  defect (bug)     |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Security         |     Version:  4.8
 Severity:  normal           |  Resolution:  duplicate
 Keywords:                   |     Focuses:  administration
-----------------------------+-----------------------------
Changes (by SergeyBiryukov):

 * component:  Administration => Security


Old description:

> I have installed latest wordpress (4.8) on the LAMP stack on AWS EC2
> webserver instance. This is a standard install and we haven't deployed
> our website on the wordpress yet. When we run a PCI scan on the server,
> scan fails with below
> vulnerability. We are using HackerGuardian Approved Scanning Vendor. We
> need to fix the issue in order to obtain the PCI compliance. Wordpress
> should fix the vulnerability. Please let us know how to fix the issue
> until wordpress provides the fix.
>
> >>>>
>  Status
>
> Automatic Failure as listed by the PCI SSC (This must be resolved for
> your device
> Target name:52.87.142.241
>
>     Plugin
>
>  "CGI Generic SQL Injection (blind)"
>
>     Category
>
>  "CGI abuses "
>
>     Priority
>
>  "Urgent
>
>     Synopsis
>
>    A CGI application hosted on the remote web server is potentially prone
> to SQL injection attack.
>
>     Description
>     By sending specially crafted parameters to one or more CGI scripts
> hosted on the remote web server, Nessus was able to get a very different
> response, which suggests that it may have been able to modify the
> behavior of the application and directly access the underlying database.
>
> An attacker may be able to exploit this issue to bypass authentication,
> read confidential data, modify the remote database, or even take control
> of the remote operating system.
>
> Note that this script is experimental and may be prone to false
> positives.
>
> See also:
>
> http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>
> http://www.nessus.org/u?ed792cf5
>
> http://projects.webappsec.org/SQL-Injection
>
>     Risk factor
>    HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
>
> Plugin
> output
>
> Using the GET HTTP method, Nessus found that :
>
> + The following resources may be vulnerable to blind SQL injection :
>
> + The 'load%5B%5D' parameter of the /wp-admin/load-styles.php CGI :
>
> /wp-admin/load-styles.php?c=0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy
>
> -------- output --------
> #pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
> .locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
> #pass-strength-result,input,textarea{-webkit-box-sizing:border-box;-moz-box-sizing:border-box}.meta-box-sortables select,p.submit{max-width:100%}#your-profile label+a,.wp-admin select,fieldset label,label{vertical-align:middle}#pressthis-code-wrap,textarea{overflow:auto}.login h1 a [...]
>
> -------- vs --------
> #pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
> .locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
> ------------------------
>
> Solution
>
>    Modify the affected CGI scripts so that they properly escape
> arguments.

New description:

 I have installed latest wordpress (4.8) on the LAMP stack on AWS EC2
 webserver instance. This is a standard install and we haven't deployed our
 website on the wordpress yet. When we run a PCI scan on the server, scan
 fails with below
 vulnerability. We are using HackerGuardian Approved Scanning Vendor. We
 need to fix the issue in order to obtain the PCI compliance. Wordpress
 should fix the vulnerability. Please let us know how to fix the issue
 until wordpress provides the fix.

 {{{
  Status

 Automatic Failure as listed by the PCI SSC (This must be resolved for your
 device
 Target name:52.87.142.241

     Plugin

  "CGI Generic SQL Injection (blind)"


     Category

  "CGI abuses "


     Priority

  "Urgent

     Synopsis


    A CGI application hosted on the remote web server is potentially prone
 to SQL injection attack.


     Description
     By sending specially crafted parameters to one or more CGI scripts
 hosted on the remote web server, Nessus was able to get a very different
 response, which suggests that it may have been able to modify the behavior
 of the application and directly access the underlying database.

 An attacker may be able to exploit this issue to bypass authentication,
 read confidential data, modify the remote database, or even take control
 of the remote operating system.

 Note that this script is experimental and may be prone to false positives.





 See also:

 http://www.securiteam.com/securityreviews/5DP0N1P76E.html


 http://www.nessus.org/u?ed792cf5


 http://projects.webappsec.org/SQL-Injection




     Risk factor
    HIGH / CVSS BASE SCORE :7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P





 Plugin
 output


 Using the GET HTTP method, Nessus found that :

 + The following resources may be vulnerable to blind SQL injection :

 + The 'load%5B%5D' parameter of the /wp-admin/load-styles.php CGI :

 /wp-admin/load-styles.php?c=0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginzz0&ver=4.8.3&dir=ltr&load%5B%5D=dashicons%2cbuttons%2cforms%2cl10n%2cloginyy

 -------- output --------
 #pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
 .locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
 #pass-strength-result,input,textarea{-webkit-box-sizing:border-box;-moz-box-sizing:border-box}.meta-box-sortables select,p.submit{max-width:100%}#your-profile label+a,.wp-admin select,fieldset label,label{vertical-align:middle}#pressthis-code-wrap,textarea{overflow:auto}.login h1 a [...]


 -------- vs --------
 #pass-strength-result,input,textarea{-webkit-box-sizing:border-box [...]
 .locale-he-il em,.locale-zh-cn #local-time,.locale-zh-cn #utc-time [...]
 ------------------------




 Solution

    Modify the affected CGI scripts so that they properly escape arguments.
 }}}

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42539#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

