The following is a summary of a security vulnerability affecting version 3.5 of the plugin. Notification of the vulnerability was provided to the plugin owner on 2016-03-14 and no update has yet been provided, so I provide this for public reference, with a suggested correction for users of this plugin:

    Type of security vulnerability:
    SQL Injection affecting core WordPress database.

    Scope of vulnerability:
    Possible access and destruction of entire WordPress database, including all data.

    Likelihood of discovery:
    Very High (easy to determine if plugin in use, very easy to trigger)

    Description of Issue:
    seo-redirection.php (lines 441-442) creates 2 variables $permalink_options and $permalink_regex_options using a partial SQL query. This query does not follow WordPress (https://codex.ww.wp.xz.cn/Data_Validation#Database) or industry suggested security practices and injects untrusted URL parameters directly into a query. This allows an attacker to easily modify a URL with a single quote and inject dangerous code into the ‘s’ parameter of a search query string.

    This is detectable in the website error logs by an error such as the following:
    ***
    WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 't rain on my parade' or redirect_from='/?s=Don't rain on my parade/' )' at line 1 for query select * from wp_WP_SEO_Redirection where enabled=1 and regex='' and (redirect_from='/?s=Don't rain on my parade' or redirect_from='/?s=Don't rain on my parade/' ) made by require('wp-blog-header.php'), wp, WP->main, do_action_ref_array, WPSR_redirect
    ***

    Suggested correction:
    Follow the WordPress data validation and database guidelines and make use of $wpdb->prepare() to sanitise untrusted input.

    e.g.
    $permalink_options = $wpdb->prepare("(redirect_from=%s or redirect_from=%s )", $permalink, $permalink_alternative);
    $permalink_regex_options = $wpdb->prepare("(%s regexp regex or %s regexp regex )", $permalink, $permalink_alternative);

The topic ‘Serious security vulnerability’ is closed to new replies.
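
A log triage sketch for the error quoted in the post, added here as an example and not part of the original post or the plugin's code: it scans error-log lines for failed queries against the plugin's redirection table and recovers the request path that was concatenated into the query. The function name, the timestamp prefixes and the second and third sample lines are constructed for illustration.

```python
import re

# Shape of the error quoted in the post:
#   "WordPress database error <msg> for query <sql> made by <call chain>"
# Any timestamp prefix written by the PHP error log is ignored by search().
ERROR_RE = re.compile(
    r"WordPress database error (?P<error>.*?) for query (?P<query>.*) made by (?P<callers>.*)$"
)
TABLE_RE = re.compile(r"\bfrom\s+\w*WP_SEO_Redirection\b", re.I)
VALUE_RE = re.compile(r"redirect_from='(.*?)'\s+or\s+redirect_from='", re.I)


def find_redirect_query_errors(lines):
    """Return one finding per log line where the plugin's lookup query failed."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = ERROR_RE.search(line.rstrip("\n"))
        if not m or not TABLE_RE.search(m["query"]):
            continue  # not a database error, or a different table
        value = VALUE_RE.search(m["query"])
        findings.append({
            "line": lineno,
            "syntax_error": "error in your SQL syntax" in m["error"],
            "via_plugin": "WPSR_redirect" in m["callers"],
            # Request path the plugin placed into the query, if recoverable.
            "request": value.group(1) if value else None,
        })
    return findings


# Constructed sample: line 1 reuses the error text from the post, lines 2-3 are noise.
SAMPLE_LOG = [
    "[01-Jan-2016 10:15:02 UTC] WordPress database error You have an error in your SQL syntax; "
    "check the manual that corresponds to your MariaDB server version for the right syntax to use "
    "near 't rain on my parade' or redirect_from='/?s=Don't rain on my parade/' )' at line 1 "
    "for query select * from wp_WP_SEO_Redirection where enabled=1 and regex='' and "
    "(redirect_from='/?s=Don't rain on my parade' or redirect_from='/?s=Don't rain on my parade/' ) "
    "made by require('wp-blog-header.php'), wp, WP->main, do_action_ref_array, WPSR_redirect",
    "[01-Jan-2016 10:15:40 UTC] WordPress database error Table 'wp.wp_missing' doesn't exist "
    "for query SELECT * FROM wp_missing made by require('wp-blog-header.php'), wp, WP->main",
    "[01-Jan-2016 10:16:11 UTC] PHP Notice:  Undefined index: page in /var/www/html/index.php on line 3",
]

if __name__ == "__main__":
    for finding in find_redirect_query_errors(SAMPLE_LOG):
        print(finding)
```

Any finding with `syntax_error` set means a request value reached the query unescaped, so the site is running an affected build and the surrounding access-log entries deserve review.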