SQL Injection Vuln. Found in WP Fastest Cache November 14, 2023


The recent revelation of a vulnerability in the WP Fastest Cache plugin has added another chapter to the ongoing WordPress security saga. This flaw, while severe in nature, stems from a simple oversight, and fortunately the remedy is equally straightforward. However, the very existence of such vulnerabilities continues to shine a spotlight on the WordPress ecosystem's troubling pattern of security lapses, painting a picture of a platform culture that is increasingly seen as insecure and unreliable.

First, let's look at a framing-worthy piece of code:

public function is_user_admin(){
  global $wpdb;

  // Source: the "username" is whatever precedes the first "|" in any cookie
  // whose name matches "wordpress_logged_in"; this is client-controlled data.
  foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
    if(preg_match("/wordpress_logged_in/i", $cookie_key)){
      $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
      break;
    }
  }

  if(isset($username) && $username){
    // Sink: $username is interpolated straight into the SQL string.
    $res = $wpdb->get_var("
      SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`,
             `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
      FROM `$wpdb->users` INNER JOIN `$wpdb->usermeta`
      ON `$wpdb->users`.`user_login` = \"$username\" AND
         `$wpdb->usermeta`.`meta_key` LIKE \"%_user_level\" AND
         `$wpdb->usermeta`.`meta_value` = \"10\" AND
         `$wpdb->users`.`ID` = `$wpdb->usermeta`.user_id ;"
    );

    return $res;
  }

  return false;
}

The code in question performs two primary functions: first, it extracts the login name of the authenticated WordPress user from the browser cookie; then it uses that name to check in the database whether the user holds admin rights. However, it's crucial to understand that the server itself doesn't actively "retrieve" a cookie; cookie values are sent by the web browser with each request, and the client can set them to anything it likes.

The real issue arises in the second step, where the extracted cookie value is used directly in a database query without any filtering or parameterization. This practice is a textbook example of a SQL injection vulnerability. Such a vulnerability doesn't necessarily produce immediate visible results, but it allows a malicious user to execute any SQL query they desire, potentially leading to database modification or destruction. This type of attack is known as a 'blind SQL injection,' where the perpetrator can cause damage without seeing the direct impact of their actions.

A more complex form of this attack is the 'blind timing injection.' It sounds complicated but operates on a simple principle. For instance, a query like "select id from users where id=123 and sleep(2);" would cause a server delay of two seconds if user 123 exists. Otherwise, the server avoids the delay, revealing user information through the timing difference.

Stepping back from the technicalities, it's worth examining why the plugin author chose to read raw cookie data. Is there not a standard method to check if a logged-in user is an "admin"? WordPress does offer an "is_admin" function (note that is_admin() reports whether an administration screen is being rendered, not whether the current user is an administrator; capability checks go through current_user_can()). However, the concept of an "admin" in WordPress is vaguely defined, leading to convoluted and often insecure user identity management, in contrast to more structured systems like Antradar's Gyroscope, which uses a role-vector-based approach.

A safer implementation for the plugin would use the "get_current_user_id" method instead of relying on browser cookies. The responsibility for this oversight lies squarely with the plugin author. Even in the latest "fix" for the wp-fastest-cache plugin, the fundamental approach remains unchanged. The only difference is that the cookie value is now passed through an "esc_sql" function, showing a lack of understanding that 1) a more appropriate method exists for obtaining the signed-in user ID, and 2) a parameterized query is a more secure option than concatenating a query string.
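To make the two points concrete, here is an added example of how the check could be written (this is not the plugin's code or its published fix). It assumes a WordPress runtime ($wpdb, get_current_user_id(), user_can(), absint(), $wpdb->prepare() and $wpdb->esc_like() available); the class name is hypothetical, and the second method only exists to show the original's usermeta query shape rewritten with bound parameters.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.
// The class name is hypothetical.
class WpfcAdminCheckExample {

    // Let WordPress validate the signed auth cookie; never parse $_COOKIE by hand.
    public function is_user_admin() {
        $user_id = get_current_user_id();
        if ( 0 === $user_id ) {
            return false; // anonymous, or the cookie failed signature/expiry checks
        }
        // A capability check is the idiomatic answer and needs no SQL at all.
        return user_can( $user_id, 'manage_options' );
    }

    // If the original's usermeta lookup must be kept, bind every value with
    // $wpdb->prepare(); table names come from $wpdb, never from the request.
    public function is_user_admin_via_db( $user_id ) {
        global $wpdb;
        $user_id = absint( $user_id );
        if ( 0 === $user_id ) {
            return false;
        }
        // esc_like() escapes the literal part (including "_"); the leading "%"
        // stays a wildcard and travels as a bound %s argument, not concatenated SQL.
        $level_pattern = '%' . $wpdb->esc_like( '_user_level' );
        $sql = $wpdb->prepare(
            "SELECT u.ID
               FROM {$wpdb->users} u
               INNER JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
              WHERE u.ID = %d
                AND m.meta_key LIKE %s
                AND m.meta_value = %s
              LIMIT 1",
            $user_id,
            $level_pattern,
            '10'
        );
        return (bool) $wpdb->get_var( $sql );
    }
}
```

With get_current_user_id() the cookie parsing disappears entirely, because WordPress has already verified the auth cookie's signature and expiry before the plugin runs.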

On a broader scale, this incident highlights significant issues in the WordPress plugin ecosystem. Given WordPress's performance limitations, cache plugins like Wp-Fastest-Cache are nearly essential for users. Yet the structure of the plugin ecosystem absolves WordPress's creators of any responsibility for plugin malpractice, and they do not actively regulate the quality of these third-party additions. This situation leaves users vulnerable to security breaches stemming from poorly designed or maintained plugins.
