The WordPress Shopping Cart plugin v8.1.14 contains a number of SQL injection vulnerabilities related to the user-controlled parameter ‘reqID’. The SQL injection vulnerabilities exist because unvalidated and unsanitized user input is concatenated directly into query strings.
Exploitation
Stages
- The unauthenticated user makes a file upload POST request to ‘/levelfourstorefront/scripts/administration/dpuploaderscript.php’ containing a malicious file and a crafted SQL injection.
- The server processes the request and uses the ‘reqID’ value to look up ‘UserLevel’ entries with ‘admin’ privileges. The SQL injection makes this query succeed even though no valid ‘reqID’ value was supplied. The server then writes the uploaded file to disk, believing the request was sent by an ‘admin’ level user.
- The server responds to the request with a ‘200’ response code.
- The attacker requests the uploaded file which will be located in ‘/levelfourstorefront/products/’ or ‘/levelfourstorefront/products/downloads/’, executing malicious code such as a web shell.
Prerequisites
The target site must have WordPress Shopping Cart v8.1.14 installed.
Vulnerability Description
The ‘dbuploadscript.php’ and ‘productuploaderscript.php’ scripts use a SQL query to validate that the user submitting the file upload request belongs to the ‘admin’ user level group. Through the use of a crafted SQL injection, via the required ‘reqID’ parameter, this check can be bypassed allowing an unauthenticated attacker to upload arbitrary files to the server.
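A defender-side detection check for the request pattern described above, written as an added example for this advisory (not code from Alert Logic or from the plugin). It scans constructed access-log lines for POSTs to the upload scripts whose ‘reqID’ carries SQL metacharacters, and for PHP files being fetched from the ‘/levelfourstorefront/products/’ upload directory. It assumes ‘reqID’ is visible in the query string; if it travels only in the multipart body, a WAF or request log that records bodies is needed instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /levelfourstorefront/scripts/administration/dpuploaderscript.php?reqID=1'%20OR%201=1--%20 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /levelfourstorefront/scripts/administration/dpuploaderscript.php?reqID=42 HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /levelfourstorefront/products/x.php HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Script names taken from the advisory text.
UPLOAD_SCRIPTS = ("dpuploaderscript.php", "dbuploadscript.php",
                  "productuploaderscript.php")
UPLOAD_DIR = "/levelfourstorefront/products/"
# Quotes, comment sequences and common keywords: enough to flag a
# ‘reqID’ that is not a plain numeric identifier.
SQLI_MARKERS = re.compile(r"['\"]|--|/\*|\b(or|and|union|select)\b", re.I)


def classify(line):
    """Return (alert_name, client_ip, detail) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path
    if (m["method"] == "POST" and "/levelfourstorefront/" in path
            and path.endswith(UPLOAD_SCRIPTS)):
        # parse_qs percent-decodes, so encoded quotes and spaces are visible.
        req_id = parse_qs(parts.query).get("reqID", [""])[0]
        if SQLI_MARKERS.search(req_id):
            return ("sqli_upload_bypass", m["ip"], req_id)
        return ("upload_request", m["ip"], req_id)
    # Stage 4 of the exploit: a script executed from the upload directory.
    if m["method"] == "GET" and UPLOAD_DIR in path and path.lower().endswith(".php"):
        return ("php_in_upload_dir", m["ip"], path)
    return None


def scan(log_text):
    """Classify every line and keep only the ones that raised an alert."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The ‘upload_request’ result is informational only; in a real deployment correlate it with the session or user that made the call before treating it as benign.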
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. When Alert Logic Threat Manager™ detects a match on these signatures, an incident is generated in the Alert Logic console.
Detection of this threat is provided via Alert Logic ActiveWatch for Web Security Manager service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.