Pods 1.4.7 <= 2.5.1.1 - Blind SQL Injection


Description
Version/s Tested: 2.5.1.1 and previous

Description:

Pods is a popular custom content types and fields plugin for WordPress. In the PodsUI class, which is used to build Pods administration interfaces, the orderby SQL query is set via a GET variable, which was not properly sanitized.

Technical Description:

At approximately line 859 of the PodsUI class, an orderby parameter passed from the browser in a GET variable was used in an SQL query without being properly sanitized. The PodsUI class is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.


Proof of Concept (PoC):

The following GET request will cause the SQL query to execute and sleep for 10 seconds on any page that uses the PodsUI class:

http://local.dev/wp-admin/admin.php?page=pods-manage-<PODNAME>&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)

Which will generate the following SQL Query:

SELECT DISTINCT `t`.*
    FROM `wp_pods_<PODNAME>` AS `t`
    ORDER BY post_date,(select * from (select(sleep(10)))a), `t`.`name`, `t`.`id`
    LIMIT 0, 25

<PODNAME> must be a valid Advanced Content Type Pod.

Impact:

Complete compromise of the WordPress installation by any third party that has access to an interface, front-end or back-end, created with PodsUI. Access to Pods Admin defaults to admin-level users only, but can be changed. Custom interfaces created with PodsUI have access levels determined on a per-interface basis. They are often used to create interfaces with controlled, limited content editing capabilities.

Fix:

A security release, 2.5.1.2, corrects the problem; the change can be seen in this diff: https://github.com/pods-framework/pods/commit/7eda9c183a97cc6987624f8f05d02854142d493b/?diff=split. All affected branches have been patched on WordPress.org and GitHub.
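The general way to close this class of bug is to never let the request value reach the SQL string: parse it, match each field against an allowlist of sortable columns, and rebuild the ORDER BY from the validated pieces. The following is an added example written for this advisory, not Pods' own code or the contents of the linked commit; the column names and the `build_safe_orderby` function are assumptions for illustration.

```php
<?php
// Added example, not Pods' own code or the linked fix: build an ORDER BY
// fragment from the untrusted `orderby` GET value using a column allowlist.
// The advisory's vulnerable pattern is equivalent to
//   "ORDER BY {$_GET['orderby']}, `t`.`name`, `t`.`id`"
// which accepts "post_date,(select * from (select(sleep(10)))a)".

/**
 * Each comma-separated item may be "column" or "column ASC|DESC".
 * Returns a safe SQL fragment, or $default if any item fails validation.
 *
 * @param string   $raw_orderby Untrusted request value.
 * @param string[] $allowed     Column names the caller permits sorting on.
 * @param string   $default     Trusted fallback fragment.
 * @return string
 */
function build_safe_orderby( $raw_orderby, array $allowed, $default = '`t`.`id` ASC' ) {
    $parts = array();

    foreach ( explode( ',', (string) $raw_orderby ) as $item ) {
        $item = trim( $item );
        if ( '' === $item ) {
            continue;
        }

        // Shape check: identifier plus optional direction, nothing else.
        if ( ! preg_match( '/^([A-Za-z0-9_]+)(?:\s+(ASC|DESC))?$/i', $item, $m ) ) {
            return $default; // reject the whole value rather than partially honour it
        }

        // Exact, strict match against the allowlist; the regex alone is not enough.
        if ( ! in_array( $m[1], $allowed, true ) ) {
            return $default;
        }

        $direction = isset( $m[2] ) ? strtoupper( $m[2] ) : 'ASC';
        $parts[]   = '`t`.`' . $m[1] . '` ' . $direction;
    }

    return empty( $parts ) ? $default : implode( ', ', $parts );
}

// Constructed inputs: the advisory's PoC value and a benign sort.
$allowed = array( 'id', 'name', 'post_date' );
echo build_safe_orderby( 'post_date,(select * from (select(sleep(10)))a)', $allowed ), "\n";
echo build_safe_orderby( 'post_date DESC, name', $allowed ), "\n";
```

WordPress core also ships `sanitize_sql_orderby()`, which checks only that the string has the "column ASC, column DESC" shape, not that the columns exist; an allowlist like the one above is what ties the sort to real, intended columns.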

Timeline:

March 14th 2015 Issue found via internal review. Release and disclosure delayed due to weekend timing and awaiting response from WordPress.org security team.
March 14th 2015 WordPress.org security team notified, requesting forced update. No response as of March 16th 2015.
March 16th 2015 New version and patches released.

Credits:
Vulnerability discovered and fixed by Scott Kingsley Clark, Lead Developer of Pods (Pods.io)

Affects

Plugin pods
fixed in version 2.5.1.2

References

URL http://pods.io/2015/03/16/important-security-disclosure/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Josh Pollock
Submitter Website http://pods.io
Submitter Twitter podsframework
Verified No
WPVDB ID 7851

Timeline

Publicly Published 2015-03-16
Added 2015-03-17
Last Updated 2015-05-15
