Search This Blog

Showing posts with label Blind SQL Injection Vulnerability. Show all posts

Blind SQL Injection Flaw in WP Statistics Affected 600K+ Sites

 

According to researchers from Wordfence Threat Intelligence, WP Statistics has a Time-Based Blind SQL Injection vulnerability which is a WordPress plugin with over 600,000 active downloads. VeronaLabs developed the plugin, which provides site owners with comprehensive website statistics.

An unauthenticated attacker may use the vulnerability to extract sensitive information from a WordPress website using the vulnerable plugin. The vulnerability has a CVSS score of 7.5 (high severity), and it affects plugin versions prior to 13.0.8. 

Accessing the WP Statistics "Pages" menu item, which produces a SQL query to provide statistics, allows site administrators to see comprehensive statistics about their site's traffic. Researchers discovered that even without admin rights, it was possible to access the WP Statistics "Pages." 

The analysis published by Wordfence states, “While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.” 

“Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.” 

As the SQL query did not use a prepared statement, an attacker could easily exploit the input parameter to circumvent the esc sql function and generate queries that could enable an attacker to extract sensitive data from the site, such as user addresses, password hashes, and encryption keys and salts. 

“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” the post further read. 

The timeline for the vulnerability is as follows: 

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and Security Affairs provides full disclosure. 

March 15, 2021 – VeronaLabs replies with a fixed version for Security Affairs to test and they verify that it corrects the issue. 

March 25, 2021 – A patched version of the plugin, 13.0.8, is released.

Foxconn website hacked and database leaked by hacker D35m0nd142


Hacker with twitter handle "D35m0nd142" has claimed to have breached the website of Foxconn, a Taiwanese multinational electronics contract manufacturing company.

Hacker exploited a Blind SQL Injection vulnerability in the subdomain "cq.foxconn.com" and compromised the database.

"//Admins warned..I didn't do any damage..It is just the proof of the giant vulnerability which affects the website.." Hacker said. "This is just a small piece of database and passwords are encrypted in order to prevent damage from other attackers with malicious purposes."

The dump((pastebin.com/PZ9BbbVA) contains the database details, email address, passwords.

Blind SQL Injection vulnerability in PayPal Notifications website



An Indian Security Researcher Prakhar Prasad has discovered a Blind SQL Injection vulnerability in Paypal Notifications website(paypal-notify.com) that allowed researcher to access database of Paypal notification system.

" As a part of Paypal Bug Bounty Program, I did a responsible disclosure of the bug to Paypal Security Team " The researcher said in his blog.


SQLMap displays the Database name after injection


The PayPal security team patched the vulnerability immediately, just the next day after the Prasad's vulnerability report due to its high severity.

The Paypal security team patched the vulnerability and rewarded the researcher with $3000 for the SQLi and additional $350 for other less critical bugs on 21st January.