A SQL injection (SQLi) vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier versions allows remote attackers to execute arbitrary SQL commands via the s parameter.
- The attacker sends a series of requests, crafted to trigger the SQLi, to the web application that is backed by the vulnerable MySQL server.
- The malicious SQL is inserted into a query and run against the database.
- The vulnerable web application returns a password hash or other information to the attacker.
A successful exploit requires the following prerequisites:
- The attacker can send requests to a vulnerable WordPress installation.
- A vulnerable character set, such as GBK or Big5, must be set in wp-config.php for connections to the database.
The search function provided within WordPress fails to sanitize input correctly under certain character sets. If a WordPress installation queries its MySQL database using one of these character sets, the WordPress search function is exploitable through charset-based SQL injection.
The character sets found to be exploitable include Big5 and GBK. Both can use the backslash ('\') as part of a multibyte character, so an escaping backslash can be absorbed into a multibyte character and the quote it was meant to escape survives. WordPress installations whose MySQL database uses other character sets may also be vulnerable. The vulnerable character sets appear to be limited to those used for Chinese character encoding.
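An added defender-side check, not code from the advisory or from WordPress: it reads DB_CHARSET from a wp-config.php fragment and flags access-log search requests whose raw s value has a multibyte lead byte directly followed by a quote or backslash, the shape that lets the escaping backslash be absorbed into a GBK or Big5 character. The config fragment, the log lines and the two-charset list are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, urlparse

# Character sets the advisory names as exploitable. Assumption: only these two
# are treated as vulnerable here; the advisory notes others may also be affected.
VULNERABLE_CHARSETS = {"gbk", "big5"}

_CHARSET_RE = re.compile(r"""define\s*\(\s*['"]DB_CHARSET['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.I)
_REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/\d\.\d"')


def wp_config_charset(config_text):
    """Return the DB_CHARSET value from wp-config.php text (lowercased), or None."""
    m = _CHARSET_RE.search(config_text)
    return m.group(1).strip().lower() if m else None


def charset_is_vulnerable(charset):
    """True when the configured connection charset is one the advisory names."""
    return charset is not None and charset.lower() in VULNERABLE_CHARSETS


def suspicious_search(log_line):
    """True if the raw ``s`` parameter has a multibyte lead byte (>= 0x81) directly
    followed by a quote or backslash, the shape that swallows the escaping backslash."""
    m = _REQ_RE.search(log_line)
    if not m:
        return False
    for pair in urlparse(m.group(1)).query.split("&"):
        key, _, value = pair.partition("=")
        if key != "s":
            continue
        raw = unquote_to_bytes(value.replace("+", " "))  # keep the original bytes
        for lead, nxt in zip(raw, raw[1:]):
            if lead >= 0x81 and nxt in (0x27, 0x22, 0x5C):
                return True
    return False


def scan_log(lines):
    """Return only the access-log lines whose search parameter matches the pattern."""
    return [line for line in lines if suspicious_search(line)]


# Constructed wp-config.php fragment and access-log lines (not real traffic).
SAMPLE_CONFIG = "define('DB_CHARSET', 'gbk');\ndefine('DB_COLLATE', '');\n"
LOG_LINES = [
    '198.51.100.7 - - [10/Nov/2007:12:00:00 +0000] "GET /?s=hello HTTP/1.1" 200 512',
    # UTF-8 Chinese search text: high bytes, but none followed by a quote
    '198.51.100.7 - - [10/Nov/2007:12:00:05 +0000] "GET /?s=%E4%BD%A0%E5%A5%BD HTTP/1.1" 200 512',
    # lead byte 0xBF directly followed by %27 (a single quote)
    '198.51.100.7 - - [10/Nov/2007:12:00:09 +0000] "GET /?s=%BF%27+test HTTP/1.1" 200 512',
]
```

The byte check is a heuristic: genuine GBK or Big5 text can legitimately contain 0x5C as a trail byte, so flagged lines need review rather than automatic blocking.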
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature matches, an incident is generated in the Alert Logic console.
Detection of this threat is provided via Alert Logic ActiveWatch™ for the Web Security Manager™ service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.
Recommendations for Mitigation
Upon discovery of an exploit attempt, customers are advised to perform the following actions:
- Determine the version of WordPress that is running. Additionally, review the Alert Logic® Log Manager™ and Threat Manager logs to determine whether the attack succeeded. If it has been concluded that the attack was successful, take the host offline.
- Remediate the vulnerability using one of three methods. The first and best method is to upgrade the vulnerable version of WordPress to the latest supported version. The second method is to change the database connection to a non-vulnerable character set. This may require developers and database administrators to ensure that the new character set is compatible with the old one and that no data corruption occurs. The third method is to disable the WordPress search feature.
- Change all user credentials before the host is placed back online.