Be Aware That the Claimed Impact of Vulnerabilities is Not Always Accurate in Vulnerability Reports
Among the many problems with the security industry, one we see very often in our work for this service is overstating the impact of vulnerabilities and claiming that issues which are probably not vulnerabilities are in fact ones.
The latest example we have come across is from DefenseCode, a company whose advisories we warned to be wary of last week. Earlier this week they put out a report (PDF) of a claimed SQL injection vulnerability in the plugin Photo Gallery. The problems with it are that they are claiming an issue we wouldn’t consider to be a vulnerability is one, and that they appear to have overstated the potential impact even if it truly were one.
What makes us consider this not to be a vulnerability is the fact that it is only accessible to Administrators, something they acknowledge in a way that seems misleading:
During the security analysis, ThunderScan discovered SQL injection vulnerability in WebDorado Gallery WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Any user with such privileges can obtain the valid bwg_nonce value by previously visiting the settings page.
What should be fairly obvious is that Administrators being able to do something isn’t usually a vulnerability. Administrators normally have the ability to edit existing plugins to remove security checks, or to add new plugins that accomplish the same thing as the claimed vulnerability.
So what other users would be “authorized to access the plugin settings page”? Normally none, as the settings page and the AJAX function used to exploit this are only accessible to users with the “manage_options” capability, which is only given to Administrators by default.
If you give a lower level user the “manage_options” capability, two of the things they can then do are change whether user registration is enabled and change what role new users get, so they would be able to create new Administrator users at that point. Giving them that capability therefore effectively makes them Administrators.
That makes the next part of the claim somewhat moot, as all the users who have access would effectively have full administrative privileges:
Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to.
There is another problem with that claim beyond the user already being privileged: as far as we can tell, the SQL injection vulnerability in this case couldn’t be used to “escalate their privileges” or “modify database contents”. Looking at the relevant SQL query, it appears to us that it could only be used to read data out of the database (the value $album_id is what is specified by the user):
$query = "SELECT id FROM " . $wpdb->prefix . "bwg_album WHERE published=1 AND id<>" . $album_id . " " . $where . " UNION ALL SELECT id FROM " . $wpdb->prefix . "bwg_gallery WHERE published=1 " . $where;
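As an added example (not code from the plugin or from the DefenseCode report), here is how the query above can be built so that $album_id cannot change the SQL text at all, with the AJAX handler checking the capability and nonce before running it. The function names, the nonce action name, the hook name and the `name` column used to stand in for the $where filter are assumptions.

```php
<?php
// Added example: hardened form of the bwg_album/bwg_gallery query.
// Names below are assumptions, not the plugin's own identifiers.

function bwg_example_other_ids( $album_id, $search = '' ) {
    global $wpdb;

    // Cast to a non-negative integer before the value goes anywhere near SQL.
    $album_id = absint( $album_id );

    $album_tbl   = $wpdb->prefix . 'bwg_album';
    $gallery_tbl = $wpdb->prefix . 'bwg_gallery';

    // The original $where clause is represented by an optional name filter
    // (assumed column "name"); it is bound with %s and escaped for LIKE.
    $where = '';
    $args  = array( $album_id );
    if ( '' !== $search ) {
        $like   = '%' . $wpdb->esc_like( $search ) . '%';
        $where  = ' AND name LIKE %s';
        $args[] = $like; // first SELECT
        $args[] = $like; // second SELECT
    }

    // The original concatenated $album_id directly; here it is bound as %d,
    // so the SQL text is fixed and only the values vary.
    $sql = $wpdb->prepare(
        "SELECT id FROM $album_tbl WHERE published=1 AND id<>%d" . $where .
        " UNION ALL SELECT id FROM $gallery_tbl WHERE published=1" . $where,
        $args
    );

    // get_col() returns only the id column of this single SELECT.
    return $wpdb->get_col( $sql );
}

function bwg_example_ajax_handler() {
    // Same gate the page describes: only users who can manage options
    // (Administrators by default) and who present a valid nonce get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'bwg_example_action', 'bwg_nonce' ); // assumed action name

    $album_id = isset( $_GET['album_id'] ) ? $_GET['album_id'] : 0;
    $search   = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';

    wp_send_json_success( bwg_example_other_ids( $album_id, $search ) );
}
add_action( 'wp_ajax_bwg_example', 'bwg_example_ajax_handler' ); // assumed hook name
```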
Maybe we are missing something here, but it seems that security companies often don’t understand that not all SQL injections have the same impact, so they repeat claims of what one could do without checking whether the one they found could actually be used to do that.