Lifeforms

publications thesis contact

Multiple vulnerabilities in InfiniteWP Admin Panel

10 Dec 2014

InfiniteWP allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker.

These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin passwords, and in some cases allow PHP code injection.

It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin Panel 2.4.4, and apply the recommendations at the end of this post.

Issue 1: login.php unauthenticated SQL injection vulnerability

User-controlled parameter email appears in a SQL query modified by function filterParameters() which ostensibly "filters" its arguments, but escaping is not being performed, because the parameter $DBEscapeString is set to false by default. This allows for SQL injection.

Vulnerable: InfiniteWP Admin Panel <= 2.4.2

Issue 2: execute.php unauthenticated SQL injection vulnerability

User-controlled parameter historyID appears without quotes in a SQL query. Additionally, user-controlled parameters historyID and actionID should be escaped by function filterParameters(), but escaping is not being performed, because $DBEscapeString is set to false by default. This allows for SQL injection.

Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Issue 3: uploadScript.php unrestricted file upload vulnerability

Unauthenticated users can upload various file types to the uploads directory, including .php files, if query parameter allWPFiles is set. File names however are suffixed with the .swp extension when written to the file system.

If the following two conditions hold, this leads to PHP injection:

  1. The uploads directory must be writable by the webserver.
  2. The webserver must interpret *.php.swp files as PHP code, which happens when Apache is used with configuration AddHandler application/x-httpd-php .php or AddType application/x-httpd-php .php (This is discouraged by PHP, but older distributions and some shared hosts use it)

Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Issue 4: Insecure password storage

Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These passwords can easily be cracked.

Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied.

Vulnerable: All versions including current (2.4.4)

Recommendations

We recommend that users of InfiniteWP take the following actions:

  1. Upgrade InfiniteWP Admin Panel to version 2.4.4.
  2. Check the uploads directory for the presence of any unauthorized file uploads.
  3. Change admin passwords for the InfiniteWP Admin Panel and any Wordpress sites in the panel. Use long and unique passwords.
  4. Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
  5. Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.

Timeline

  • 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
  • 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
  • 4 Dec: Incomplete fix reported to InfiniteWP
  • 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
  • 10 Dec: Vulnerabilities published

Credits

The vulnerabilities were found by Walter Hop, Slik BV, The Netherlands.