Multiple vulnerabilities in InfiniteWP Admin Panel

[Walter Hop <security () spam lifeforms nl>]

Multiple vulnerabilities in InfiniteWP Admin Panel
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/

-----

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple Wordpress sites from one control 
panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote 
attacker.

These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL 
injection, allow cracking of InfiniteWP admin passwords, and in some cases allow PHP code injection.

It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin Panel 2.4.4, and apply the recommendations 
at the end of this post.

-----

Issue 1: login.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.2

User-controlled parameter email appears in a SQL query modified by function filterParameters() which ostensibly 
"filters" its arguments, but escaping is not being performed, because the parameter $DBEscapeString is set to false by 
default. This allows for SQL injection.

-----

Issue 2: execute.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

User-controlled parameter historyID appears without quotes in a SQL query. Additionally, user-controlled parameters 
historyID and actionID should be escaped by function filterParameters(), but escaping is not being performed, because 
$DBEscapeString is set to false by default. This allows for SQL injection.

-----

Issue 3: uploadScript.php unrestricted file upload vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Unauthenticated users can upload various file types to the uploads directory, including .php files, if query parameter 
allWPFiles is set. File names however are suffixed with the .swp extension when written to the file system.

If the following two conditions hold, this leads to PHP injection:

1. The uploads directory must be writable by the webserver.
2. The webserver must interpret *.php.swp files as PHP code, which happens when Apache is used with configuration 
'AddHandler application/x-httpd-php .php' or 'AddType application/x-httpd-php .php' (This is discouraged by PHP, but 
older distributions and some shared hosts use it)

-----

Issue 4: Insecure password storage
Vulnerable: All versions including current (2.4.4)

Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These passwords can easily be cracked.

Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates 
are applied.

-----

Recommendations

We recommend that users of InfiniteWP take the following actions:

1. Upgrade InfiniteWP Admin Panel to version 2.4.4.
2. Check the uploads directory for the presence of any unauthorized file uploads.
3. Change admin passwords for the InfiniteWP Admin Panel and any Wordpress sites in the panel. Use long and unique 
passwords.
4. Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
5. Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to 
the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the 
panel with a web application firewall (WAF) such as ModSecurity.

-----

Timeline

- 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
- 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
- 4 Dec: Incomplete fix reported to InfiniteWP
- 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
- 10 Dec: Vulnerabilities published

-----

Credits

The vulnerabilities were found by Walter Hop, Slik BV (http://www.slik.eu/), The Netherlands.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/