Posted by Marc Montpas (Jetpack)
During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site's database.
If exploited, the vulnerability could grant attackers access to privileged information from affected sites' databases (e.g., usernames and hashed passwords).
We reported the vulnerabilities to the plugins' authors, and they recently released Slimstat Analytics version 4.9.3.3 and Paid Memberships Pro version 2.9.12 to address them. We strongly recommend that you update the affected plugins to their latest versions and have an established security solution on your site, such as Jetpack Security.
The slimstat shortcode allows users to add filtering logic in the form of SQL WHERE statements by looking for a "WHERE:" token inside the shortcode's content. This functionality is a problem because, as we noted in an earlier vulnerability advisory, any user logged in to a site, including subscribers, can render shortcodes in WordPress.
```php
if ( $hasaccess && ! empty( $delay ) ) {
    // okay, this post requires membership. start by getting the user's startdate
    if ( ! empty( $levels ) ) {
        // $levels is passed through esc_sql() but lands in an unquoted IN(...) list
        $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND membership_id IN(" . implode( ",", array_map( 'esc_sql', $levels ) ) . ") AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
    } else {
        $sqlQuery = "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone)) FROM $wpdb->pmpro_memberships_users WHERE status = 'active' AND user_id = '" . esc_sql( $current_user->ID ) . "' ORDER BY id LIMIT 1";
    }
}
```
At first sight, the `membership` shortcode appears to escape the $levels variable properly before concatenating it into the SQL query. However, esc_sql() only escapes quote characters, and the values are inserted into an unquoted IN(...) list rather than into a string literal, so the escaping has no effect there. An attacker can therefore inject SQL statements through this feature, as long as the injected text contains no quotes.
Since shortcodes can be rendered by any logged-in users, like subscribers, this enables low-privileged attackers to leak sensitive information from the database, like usernames and hashed passwords.
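As an added example that is not code from the advisory or from Paid Memberships Pro, the following shows how the level list can be built so the sanitization matches the numeric context: each value is coerced to an integer and the list is handed to $wpdb->prepare() with %d placeholders (the function name is hypothetical; the standard WordPress $wpdb global is assumed).

```php
<?php
// Added example (not Paid Memberships Pro or Jetpack code): a hardened version
// of the startdate query. esc_sql() only escapes quote characters, which does
// nothing for a value placed in a numeric IN(...) list, so the remedy is to
// coerce every element to an integer and let $wpdb->prepare() build the list.
// Assumes the usual WordPress $wpdb global and the plugin's table name property.

/**
 * Build the prepared startdate query for the given membership levels.
 * Returns the SQL string, or null when no valid level id remains.
 */
function pmpro_example_startdate_sql( wpdb $wpdb, array $levels, int $user_id ): ?string {
    // 1. Keep only positive integers. Anything else (letters, spaces,
    //    parentheses, operators) is discarded rather than "escaped".
    $level_ids = array_values( array_filter(
        array_map( 'absint', $levels ),
        static function ( int $id ): bool {
            return $id > 0;
        }
    ) );
    if ( empty( $level_ids ) ) {
        return null;
    }

    // 2. One %d placeholder per level, so raw input never reaches the query.
    $placeholders = implode( ',', array_fill( 0, count( $level_ids ), '%d' ) );

    // 3. prepare() casts each argument to match its placeholder; user_id is
    //    bound as an integer as well instead of being wrapped in quotes.
    return $wpdb->prepare(
        "SELECT UNIX_TIMESTAMP(CONVERT_TZ(startdate, '+00:00', @@global.time_zone))
           FROM {$wpdb->pmpro_memberships_users}
          WHERE status = 'active'
            AND membership_id IN($placeholders)
            AND user_id = %d
          ORDER BY id LIMIT 1",
        ...array_merge( $level_ids, [ $user_id ] )
    );
}
```

With constructed input such as `['3', 'abc', '7']`, the filter yields `IN(3,7)`; a non-numeric element is dropped entirely instead of being concatenated into the query.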
We recommend that you check which version of the plugins your site is using, and if they are within the affected ranges, update them as soon as possible!
At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.
Credits
Original researcher: Marc Montpas
Thanks to the rest of the WPScan team for feedback, help, and corrections.