Disclosure: WordPress WPDB SQL Injection - Technical

Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.

The foundations of this vulnerability was reported via Hacker-One on September 20th, 2017.

This post will detail the technical vulnerability as well as how to mitigate it. There is another post which deals with the background and time-lines.

Disclosure: WordPress WPDB SQL Injection - Background

Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.

The foundations of this vulnerability was reported via Hacker-One on September 20th, 2017.

This post will detail the background on the vulnerability as well as why I publicly threatened to Fully Disclose. There is another post which deals with the technical vulnerability.

Trust

Stop and take a moment to think about how much trust is required to live your everyday life. Every single aspect of your life is built up on layer after layer of trust, it’s nothing short of staggering. Different aspects of life will contain different levels of trust, with some being very guarded and some being very lax. We don’t often talk about this trust and we often make the blind assumption that trust is inherently a bad thing. That’s most definitely not the case. Let’s explore why.

Security Issue: Combining Bcrypt With Other Hash Functions

The other day, I was directed at an interesting question on StackOverflow asking if password_verify() was safe against DoS attacks using extremely long passwords. Many hashing algorithms depend on the amount of data fed into them, which affects their runtime. This can lead to a DoS attack where an attacker can provide an exceedingly long password and tie up computer resources. It’s a really good question to ask of Bcrypt (and password_hash). As you may know, Bcrypt is limited to 72 character passwords. So on the surface it looks like it shouldn’t be vulnerable. But I chose to dig in further to be sure. What I found surprised me.

A Lesson In Security

Recently, a severe SQL Injection vulnerability was found in Drupal 7. It was fixed immediately (and correctly), but there was a problem. Attackers made automated scripts to attack unpatched sites. Within hours of the release of the vulnerability fix, sites were being compromised. And when I say compromised, I’m talking remote code execution, backdoors, the lot. Why? Like any attack, it’s a chain of issues, that independently aren’t as bad, but add up to bad news. Let’s talk about them: What went wrong? What went right? And what could have happened better? There’s a lesson that every developer needs to learn in here.

Why I Don't Recommend Scrypt

As many of you likely know, I have a “thing” for password storage. I don’t know what it is about it, but it fascinates me. So I try to keep up as best as I can on the latest trends. In the past few years, we’ve seen the rise of a new algorithm called scrypt (it’s 5 years old actually). It’s gaining more and more adoption. But I don’t recommend its use in production systems for password storage. Let me explain why:

Don't Worry About BREACH

Last week at the BlackHat security conference, a new attack on SSL secured content was unveiled. This attack is called BREACH, and has been generating a lot of buz on the internet. Tech blogs have been plastering their sites with articles about how there’s no fix, and how you can try to defend against BREACH. Well respected security people have been writing about it.

And I’m here to say don’t worry about it.

Disclosure: WordPress WPDB SQL Injection Vulnerability

At the current point in time there exists a very significant SQL Injection vulnerability in the WordPress code base. I want to make it abundantly clear that this does not affect anyone using WordPress “off the shelf”. It only is exploitable if you use certain WordPress code outside of a WordPress install. So this is not a very “attackable” vulnerability. Or to put it in other terms, this is a high level vulnerability which has a very low threat level. It is also worth noting that it has not been fixed by WordPress (even 90 days after disclosure).

Our Failure As An Industry

In the April issue of the PHPArch magazine (also published on her blog), Elizabeth Tucker Long wrote a really interesting editorial piece coining a concept she called Security-Driven-Development. She (quite correctly) identified a problem in the current development community where security has become an after-thought (if it’s thought of at all). This isn’t a new concept, in fact it’s a concept that I and many others have been preaching for quite a while now. However I’ve been coming to realize that I’ve had it wrong the whole time. And I think the entire industry is getting it wrong today.