InfiniteWP allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites.
The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker.
These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin passwords, and in some cases allow PHP code injection.
It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin Panel 2.4.4, and apply the recommendations at the end of this post.
Issue 1: login.php unauthenticated SQL injection vulnerability
User-controlled parameter email appears in a SQL query modified by function filterParameters() which ostensibly "filters" its arguments, but escaping is not being performed, because the parameter $DBEscapeString is set to false by default. This allows for SQL injection.
Vulnerable: InfiniteWP Admin Panel <= 2.4.2
Issue 2: execute.php unauthenticated SQL injection vulnerability
User-controlled parameter historyID appears without quotes in a SQL query. Additionally, user-controlled parameters historyID and actionID should be escaped by function filterParameters(), but escaping is not being performed, because $DBEscapeString is set to false by default. This allows for SQL injection.
Vulnerable: InfiniteWP Admin Panel <= 2.4.3
Issue 3: uploadScript.php unrestricted file upload vulnerability
Unauthenticated users can upload various file types to the uploads directory, including .php files, if query parameter allWPFiles is set. File names however are suffixed with the .swp extension when written to the file system.
If the following two conditions hold, this leads to PHP injection:
- The
uploadsdirectory must be writable by the webserver. - The webserver must interpret
*.php.swpfiles as PHP code, which happens when Apache is used with configurationAddHandler application/x-httpd-php .phporAddType application/x-httpd-php .php(This is discouraged by PHP, but older distributions and some shared hosts use it)
Vulnerable: InfiniteWP Admin Panel <= 2.4.3
Issue 4: Insecure password storage
Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These passwords can easily be cracked.
Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied.
Vulnerable: All versions including current (2.4.4)
Recommendations
We recommend that users of InfiniteWP take the following actions:
- Upgrade InfiniteWP Admin Panel to version 2.4.4.
- Check the
uploadsdirectory for the presence of any unauthorized file uploads. - Change admin passwords for the InfiniteWP Admin Panel and any Wordpress sites in the panel. Use long and unique passwords.
- Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
- Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a
.htaccessfile to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.
Timeline
- 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
- 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
- 4 Dec: Incomplete fix reported to InfiniteWP
- 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
- 10 Dec: Vulnerabilities published
Credits
The vulnerabilities were found by Walter Hop, Slik BV, The Netherlands.