CVE 2023–23490 — Survey Maker Wordpress Plugin < 3.1.2 — Subscriber+ SQLi
The Survey Maker WordPress Plugin, version < 3.1.2, is been discovered by an authenticated SQL injection vulnerability in the ‘surveys_ids’ parameter of its ‘ays_surveys_export_json’ action.
What is Survey Maker ?
SurveyMaker is a WordPress plugin helps WordPress developers t to create, distribute, and analyze surveys. It provides a user-friendly interface and a range of features to design surveys, collect responses, and gain insights from the data.
Survey-Makers is commonly used for various purposes, including:
- Market Research
- Customer Feedback
- Employee Surveys
- Academic Research
- Event Planning
- Non-profit and Government Surveys
Survey Maker offers a variety of question types, customizable survey templates, survey logic and branching, response validation, and data analysis tools. It provides options to distribute surveys via email invitations, social media, embedded links, or website pop-ups. The collected data can be analyzed using built-in reporting features or exported for further analysis.
Why Wordpress Developer use it ?
It can be multiple reasons why WordPress developers will use survey maker in their organization , some of them I can think can be :
- Consistent Branding
- Data Management
- Audience Engagement
- Flexibility and Customization
- Integration with other WordPress Feature
Build the Lab:
Pre-requisite for the Lab
- Now a days everyone is working on micro-service architecture so why not us so you need a docker 😈
- Docker Downloads , select your appropriate OS and setup docker in your machine:
- https://www.docker.com/products/docker-desktop/
- Debugging tool
- For this POC I have been using VSCODE (Visual Studio Code) for Debugging the code and analysis, please select your desired IDE but if you want to use VSCODE like me please download it from : https://code.visualstudio.com/download
Lab-Setup :
Assuming that you have docker installed and working , let’s continue with the lab setup
Create a working folder at your desired location in your local machine like I created with the below command
mkdir security-research
cd security-research
mkdir cve-2023-23490
NOTE: I have a bad habbit of creating a subfolder under main folder
with the cve which I analyse.cve-<cve-number>So now my directory hierarchy looks like below
Once the working desired folder is created move to the security-research
folder and create a docker-compose.yml
file under security-research
folder
version: "3"
# Defines which compose version to use
services:
# Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image.
db:
image: mysql:5.7
# image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation.
restart: always
environment:
MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD
MYSQL_DATABASE: MyWordPressDatabaseName
MYSQL_USER: MyWordPressUser
MYSQL_PASSWORD: Pa$$5w0rD
wordpress:
depends_on:
- db
build: .
restart: always
# Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immed
ports:
- "8000:80"
# The previous line defines the port that the WordPress container will use. After successful installation, the full path will lo
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: MyWordPressUser
WORDPRESS_DB_PASSWORD: Pa$$5w0rD
WORDPRESS_DB_NAME: MyWordPressDatabaseName
# Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly
volumes:
- ./cve-2023-23490:/var/www/html
volumes:
mysql: {}
I would have loved to explain
docker-compose.yml
file above , but It will make make document lengthy so let me give a short little summary the above docker compose file will createmysql service
along withwordpress
at docker container daemon.Once the
docker-compose.yml
file is created , create a one more file name it asDockerfile
with below content :
FROM php:8.0.0-apache
RUN docker-php-ext-install mysqli
Once both the files (docker-compose.yml
and Dockerfile
)are created , use docker compose up command mentioned below to create wordpress
and mysql
services container:
NOTE : Make sure you are in security-research folder or in the directory where your Dockerfile and docker-compose.yml file is available. Once that confirmed run below command to bring wordpress and mysql container running docker compose up or docker compose up -d The -d flag in the docker-compose up -d command stands for "detached" mode.
To verify the docker container and WordPress is running check with
docker container ls
The command must list the wordpress and mysql container running on port mentioned in the docker-compose.yml
file.
The other way to verify that the WordPress is running please navigate to : http://localhost:8000/
Expected output :
🎉 Congratulations ! you have installed WordPress successfully with mysql service
Background Story
In this Lab I will demonstrate how an authenticated user can exploit the vulnerability discovered in survey maker plugin by manipulating the ‘surveys_ids’ parameter and injecting malicious SQL code into the plugin’s database queries. This will lead anyone to unauthorized access, modification, or extraction of sensitive data stored in the plugin’s database.
Vulnerability Reproduction:
After a successful installation of WordPress and Mysql service let’s setup the WordPress admin by following the step :
Select a Language to install the completion of wordpress in local machine
Signup with your details and Install WordPress plugin
Once the signup is completed please remember the username you have created as that’s the same user will be used to login to the WordPress
After signup please login to the WordPress sign-in page providing the credentials you created in last step for sign-up
Once you are logged in as a admin user install a vulnerable survey maker plugin click on Plugins link in WordPress admin dashboard board side bar:
Search for survey maker
plugin typing the survey maker
search keyboard .
Once you located the survey maker
plugin don’t click the install
button otherwise patched and updated survey maker
plugin will be downloaded we need the vulnerable version so instead install
please click More Details
link .
Once you click on More Details link it will redirect you to the WordPress official plugins website there you will see Survey Maker plugin selected already , just scroll down the website and select advance view:
Scroll down to Development Version dropdown menu select the version 3.1.1 or older and click Download button next to the dropdown
Click Download button next to DropDown
Download Button will download the particular version zip file at local , click on Plugins
tab again from WordPress
admin panel
Click the Upload Plugin button on the top and select the newly downloaded survey-maker
zip file and click Install Now
Once uploaded click Install Now button to install survey-maker , Once installed successfully you will see Survey Maker plugin in your WordPress admin dashboard
If you click Survey Maker you will notice that there is already a default survey available with some Shortcode , sys_survey_id=1 Copy the Shortcode
Click to Posts tab from side bar of the Dashoard and you can see all posts there , there will be some default posts available like Hello world!
Click the Posts title hyperlink to edit the Hello world! post , and click the + icon in the post.
When you click + you will see Shortcode as the option , please enter the Shortcode copied in step 9 above (Survey Maker Shortcode).
Once That’s done click the update button
On the Hello world! blog you can also click Preview button on the top to take a look how the post will view like
Once Hello world! post is updated go back to WordPress admin dashboard and create a new user with subscriber role
Click Users tab from Dashboard side bar and Click on Add New link
Fill up the user details and click Add New User
Verify user creation from Users side bar link in WordPress admin Dashboard
Login with the newly created user
Once the user creation is verified , newly created user with subscriber role can view the Hello world! post created in our previous steps .
Keeping the same user as logged in ,
Please copy the below link and paste it in the browser ,
observe the outcome :http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1
Let’s compose the SQL Command time base Injection command and paste in the url and see if that works we will use default sleep method to delay the response :
http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1 )+AND+(SELECT+1+FROM+ (SELECT(SLEEP(10)))a) — +-
SQL Injection Command BreakDown
http://localhost:8000/wp-admin/admin-ajax.php?action=ays_surveys_export_json&surveys_ids[0]=1 )+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+
is attempting to exploit a SQL injection vulnerability in the 'ays_surveys_export_json' action of the WordPress plugin.
In this case, the URL is structured to modify the behavior of the SQL query executed by the plugin. The ‘surveys_ids’ parameter is being manipulated to include additional SQL code. Let’s break down the URL:
http://localhost:8000/wp-admin/admin-ajax.php
is the URL of the WordPress admin-ajax.php file, which handles AJAX requests in the WordPress backend.action=ays_surveys_export_json
specifies the action parameter, indicating that the 'ays_surveys_export_json' action of the plugin should be triggered.surveys_ids[0]=1
sets the 'surveys_ids' parameter to 1, indicating that the survey with ID 1 should be targeted.
The interesting part comes after the ‘surveys_ids[0]=1’ parameter:
)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+
is appended to the URL. This is a SQL injection attempt to modify the behavior of the SQL query executed by the plugin.- The
)+AND+(
part is used to add additional conditions to the query. SELECT+1+FROM+(SELECT(SLEEP(10)))a
is a subquery that attempts to induce a delay of 10 seconds (via the SLEEP function) in the query execution. This is often used to test for SQL injection vulnerabilities and determine if the server is vulnerable to time-based attacks.-+
is a comment delimiter used to comment out the rest of the original SQL query, effectively nullifying it.
In short the provided URL is trying to exploit the ‘ays_surveys_export_json’ action of the WordPress plugin by injecting malicious SQL code to manipulate the query execution and induce a delay. This attack is attempting to confirm the presence of a SQL injection vulnerability in the plugin and delay in the response did confirmed the same.
Debugging Details
Let’s understand why did that happened and dig more
So to debug the issue I made some changes to the Dockerfile
, docker-compose.yml
file and used my lovely VSCODE (visual studio code) to statically analyze the code and see what might not worked properly for survey maker plugin.
To use VSCODE as a debugger , I installed a plugin named as Xdebug
, to install the Xdebug
plugin click the Run
tab in VSCODE
IDE and select Install Additional Debuggers
As I have already installed which is the reason you can see it says disable , if you are doing it first time you need to install the PHP debugger from xdebug
Once the PHP debugger is installed we need to create the .vscode directory in security-research folder and the launch.json file inside that directory basically they are used to configure the debugging environment for PHP applications using Xdebug in Visual Studio Code (VS Code).
launch.json
file content looks like below
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
"version": "0.2.0",
"configurations": [
{
"name": "Listen for Xdebug",
"type": "php",
"request": "launch",
"pathMappings": {"/var/www/html": "${workspaceRoot}/cve-2023-23490"},
"port": 9003,
"log": true,
}
]
}
NOTE: EXPLAINING THE NEED OF .VSCODE and launch.json file
.vscode Directory: The .vscode directory is a hidden directory
that is automatically recognized by VS Code as the workspace-specific
configuration directory. It allows you to define settings and configurations
specific to your project.**launch.json File**: Inside the .vscode directory, the launch.json
file is used to configure the debugging launch configurations for
your PHP application. It specifies how the debugger should start
and attach to your application when you initiate a debugging session.**Debugging PHP with Xdebug**: Xdebug is a powerful PHP extension
that provides debugging and profiling capabilities. To debug PHP
code using Xdebug, you need to configure your PHP runtime to enable
Xdebug and set up the necessary connection between Xdebug and your
IDE (in this case, VS Code).**Xdebug Listening on Port 9003**: The choice of port for Xdebug
to listen on (e.g., 9003) is a configuration option. By default,
Xdebug listens on port 9003, but in some cases, that port might
already be used by other services. Therefore, to avoid conflicts,
you can specify a different port for Xdebug to listen on.
We also need a php.ini file as well, php.ini configuration file specifically tailored for Xdebug , keep the file under security-research folder
[xdebug]
zend_extension=xdebug.so
xdebug.mode=debug
xdebug.client_host=host.docker.internal
xdebug.client_port=9003
xdebug.discover_client_host=yes
xdebug.remote_cookie_expire_time=3600
xdebug.log=/tmp/xdebug.log
xdebug.discover_client_host=0
xdebug.idekey=VSCODE
Once we have the .vscode , launch.json and php.ini file available at security-research directory created initially , we need to modify Dockerfile and docker-compose.yml file as well to allow Xdebug to work properly
Update the Dockerfile file with below command
FROM php:8.0.0-apache
RUN docker-php-ext-install mysqliARG XDEBUG_INI="/usr/local/etc/php/conf.d/xdebug.ini"RUN pecl install xdebug && docker-php-ext-enable xdebug
The mentioned commands in the Dockerfile are used to install and enable Xdebug for PHP in a Docker container.
Similarly we also need to update the docker-compose.yaml file as well to allow debugging , so update the docker-compose.yaml file :
version: "3"
# Defines which compose version to use
services:
# Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image.
db:
image: mysql:5.7
# image: mysql:5.7 indicates the MySQL database container image from Docker Hub used in this installation.
restart: always
environment:
MYSQL_ROOT_PASSWORD: MyR00tMySQLPa$$5w0rD
MYSQL_DATABASE: MyWordPressDatabaseName
MYSQL_USER: MyWordPressUser
MYSQL_PASSWORD: Pa$$5w0rD
wordpress:
depends_on:
- db
build: .
restart: always
# Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immed
ports:
- "8000:80"
# The previous line defines the port that the WordPress container will use. After successful installation, the full path will lo
environment:
XDEBUG_CONFIG: remote_host=host.docker.internal
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: MyWordPressUser
WORDPRESS_DB_PASSWORD: Pa$$5w0rD
WORDPRESS_DB_NAME: MyWordPressDatabaseName
# Similar to MySQL image variables, the last four
# lines define the main variables needed for the WordPress
# container to work properly , Copying the Xdebug setting file in /usr/local/etc/php/php.ini container
volumes:
- ./cve-2023-23490:/var/www/html
- ./php.ini:/usr/local/etc/php/php.ini
volumes:
mysql: {}
Once all files mentioned above updated for Xdebug , restart the services by using below command
# Docker compose down will bring the service down and
# --volumes flag will remove the Docker volumes associated with the services defined in your Docker Compose file.
docker compose down --volumes
After the changes made for Xdebug services run docker compose up -d
Once the services are running up again let’s put the breakpoint in the code from VSCODE , How to put breakpoint in VSCODE:
Select the php file where you want to put the breakpoint
In our case the action is being called from admin-ajax.php
file and Issue occurs when a authenticated user calls an action ays_surveys_export_json
so I kept the breakpoint in the same file , placing a breakpoint is easy in VSCODE just click on the line number where you want to put the breakpoint
and select
run and select start debugging
or after a breakpoint
settled you can simply press f5
from the keyboard and debugging will be started:
Once we started the debugging you can see whenever admin-ajax.php file is invoked the breakpoints stopped for review of the code , there is a debugger view bar appears automatically
- Continue Button:
2. Step Over
- Step in and Step Out
- Restart and Stop
Continue: This action allows the program execution to continue
without interruption until the next breakpoint is encountered.
It is useful when you want to skip over certain sections of code
and continue debugging from a specific point.
Step Over: Step Over allows you to execute the current line of
code and move to the next line. If the line contains a function call,
it will execute the entire function and return to the next line in the
current scope. It's helpful for quickly moving through code without
diving into the details of function calls.
Step In: Step In is used to step into a function call. If the
current line contains a function call, the debugger will enter the
function and pause at its first line, allowing you to debug the
function's internal code. It's useful for closely examining how a
function behaves and finding any issues within it.
Step Out: Step Out is used to quickly move out of the current
function being debugged. If you're currently inside a function,
this action will execute the remaining lines of the function and
pause at the line where the function was called. It helps in
bypassing the detailed execution of the function and focusing
on the calling code.
Restart: Restarting the debugger means resetting the debugging process.
It clears all breakpoints and variables, and the program starts running
from the beginning. This action is useful when you want to retest a
particular section of code or start the debugging process afresh.
Stop: The Stop action terminates the debugging session completely.
It halts the execution of the program and closes the debugger interface.
It is used when you want to end the debugging process and continue
normal program execution.
All the variables and current running values is visible in the page , we have watch as well where we can place set of variables , functions which we wanted to keep an eye on
Example:
As I logged in as subscriber user , subscriber login details are appearing while doing the debug of the code
I changed the action to ays_surveys_export_json to monitor the action and see which function is being called in survey-maker plugin:
Action been set to :
After checking particular user is logged in or not, it will trigger the wp_ajax_action as being the subscriber user logged in already this will pass on to the action :
Digging Deeper to analyze the code:
if ( is_user_logged_in() ) {
: This line checks if the user is logged in or authenticated. The is_user_logged_in()
function returns true
if the user is logged in and false
otherwise.
if ( ! has_action( "wp_ajax_{$action}" ) ) {
: This line checks if there is a registered action for the current AJAX request. It uses the has_action()
function to check if any callbacks are registered for the specific action.
"wp_ajax_{$action}"
is a dynamic hook name formed by concatenating the"wp_ajax_"
prefix with the value of the$action
variable. This allows WordPress to identify and execute the corresponding callback function for the AJAX action.
wp_die( '0', 400 );
: If no action is registered for the requested AJAX action, this line will be executed. It calls the wp_die()
function to display an error message and terminate the script execution.
- The
'0'
parameter passed towp_die()
represents the response content, which in this case indicates an error. - The
400
status code passed as the second parameter indicates a Bad Request response, indicating that the request was malformed or invalid.
As these information was not quite enough to locate where is the actual culprit, so I stepped in under has_action
method
I did step in to monitor it more closely for has_action()
The **`has_action()`** function is a helper function in
WordPress that checks if any callbacks are registered
for a specific action hook. Here's what the code does:
1. The **`has_action()`** function accepts two parameters: **`$hook_name`**
and **`$callback`** (optional).
2. It internally calls the **`has_filter()`** function, passing
the **`$hook_name`** and **`$callback`** parameters to it.
3. The **`has_filter()`** function is a core WordPress function
that checks if any callbacks are registered for a specific filter
or action hook. It returns **`true`** if at least one callback is
registered, and **`false`** otherwise.
4. By calling **`has_filter()`** and passing the **`$hook_name`**
and **`$callback`** parameters to it, the **`has_action()`**
function effectively checks if any callbacks are registered for
the specified action hook.
5. Finally, the **`has_action()`** function returns the result
of **`has_filter()`**, indicating whether there are callbacks
registered for the given action hook (**`$hook_name`**).
In summary, the **`has_action()`** function is a convenient
wrapper around the **`has_filter()`** function that specifically
checks if there are any callbacks registered for an action hook.
It helps determine if any actions have been hooked to a particular hook name.
As the has_action() did not justified the actual call , so I stepped more in and identified a function apply_filter() inside a class class-wp-hook.php is setting the $callback to survey-maker and function named as ays_surveys_export_json
and the call_user_func_array( $the_[‘function’], $args ); which is in class-wp-hook.php is the one which was calling the function
And finally we discovered the culprit and time for Static Analysis what’s wrong in the code , we discovered this function is available in class-survey-maker-admin.php file so we placed our breakpoint there directly now to analyze the code in next step.
Static Code Analysis
After we reached to the file where the culprit code was available:
I copied the function code to do the analysis
Vulnerable code
//--------------------- Xcho Survey export ------------------------------ public function ays_surveys_export_json() {
global $wpdb; $surveys_ids = isset($_REQUEST['surveys_ids']) ? array_map( 'sanitize_text_field', $_REQUEST['surveys_ids'] ) : array();
$surveys_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'surveys';
$survey_category_table = $wpdb->prefix. SURVEY_MAKER_DB_PREFIX . "survey_categories";
$questions_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX. 'questions';
$questions_category_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'question_categories';
$answers_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'answers';
$sections_table = $wpdb->prefix . SURVEY_MAKER_DB_PREFIX . 'sections';
if(empty($surveys_ids)){
$where = '';
}else{
$where = " WHERE id IN (". implode(',', $surveys_ids) .") ";
}
$sql_survey_categories = "SELECT * FROM ".$survey_category_table;
$survey_categories = $wpdb->get_results($sql_survey_categories, 'ARRAY_A');
$survey_all_categories = array();
foreach ($survey_categories as $survey_categories_key) {
$survey_all_categories[$survey_categories_key['id']] = $survey_categories_key['title'];
}
$sql_surveys = "SELECT * FROM ".$surveys_table.$where;
$surveys = $wpdb->get_results($sql_surveys, 'ARRAY_A');
$data = array();
$data['ays_survey_key'] = 1;
$data['surveys'] = array();
foreach ($surveys as $survey_key => &$survey) {
$questions_id = trim($survey['question_ids'], ',');
$survey_cat_ids = explode(',' , $surveys[$survey_key]['category_ids']);
foreach ($survey_cat_ids as $survey_cat_key) {
$surveys[$survey_key]['survey_categories'][$survey_cat_key] = $survey_all_categories[$survey_cat_key];
}
unset($survey['id']);
unset($survey['category_ids']);
if(empty($questions_id)){
$survey["questions"] = array();
}else{
$sql_sections = "SELECT id,title,ordering FROM ".$sections_table." WHERE id IN (". esc_sql( $survey['section_ids'] ) .")";
$sections = $wpdb->get_results($sql_sections, 'ARRAY_A');
$sql_question_cat = "SELECT * FROM ".$questions_category_table;
$questions_categories = $wpdb->get_results($sql_question_cat, 'ARRAY_A');
$categories = array();
foreach ($questions_categories as $question_key) {
$categories[$question_key['id']] = $question_key['title'];
}
$sql_questions = "SELECT * FROM ".$questions_table." WHERE id IN (". esc_sql( $questions_id ) .")" ;
$all_questions = $wpdb->get_results($sql_questions, 'ARRAY_A');
$cat_ids = '';
foreach ($all_questions as $key => &$question) {
$all_questions[$key]['answers'] = $this->get_question_answers($question['id']);
$cat_ids = explode(',' , $all_questions[$key]['category_ids']);
foreach ($cat_ids as $cat_key) {
$all_questions[$key]['question_categories'][$cat_key] = $categories[$cat_key];
}
}
}
$survey['sections'] = $sections;
$survey['questions'] = $all_questions;
}
$data['surveys'] = $surveys; $response = array(
'status' => true,
'data' => $data,
'title' => 'surveys-export',
);
echo json_encode($response);
wp_die();
}
The Flaw in the code:
Assumption Might be:
I think developer must have said look I have the sanitization for survey_ids
available so we are good and safe from SQL Injection 🙊
$surveys_ids = isset($_REQUEST['surveys_ids']) ? array_map( 'sanitize_text_field', $_REQUEST['surveys_ids'] ) : array();
Truth:
The sanitization performed by sanitize_text_field()
is not designed to handle SQL injection attacks. It primarily focuses on removing or escaping characters that could cause issues when displaying the input on a webpage, such as HTML tags or special characters. So even with the sanitization, the code is still vulnerable to SQL injection.
Demo How ?
So let’s open the admin-ajax.php
page again and in action provide the function name and and under surveys_id[0]=
pass this value 1 )+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+
To monitor it closely I placed a breakpoint in the ays_surveys_export_json method and kept surveys_ids under watch window
So some default URL encoding might replaced our +
by space
🙈😃
And sanitize_text_field
did not do anything specific and just moved to the next line as you can see in below watch window
Now as the survey_ids are not empty the command get concatenated with where clause
After a concatenation the final version of the command became :
SELECT * FROM wp_ayssurvey_surveys WHERE id IN (1) AND (SELECT 1 FROM (SELECT(SLEEP(10)))a)-- -)
SELECT * FROM wp_ayssurvey_surveys: This part of the
query selects all columns (*) from the table named wp_ayssurvey_surveys.
It is the main part of the query that fetches data from the table.
WHERE id IN (1): This condition filters the results based on the id column.
In this case, it specifies that only rows with an id value of 1 should
be included in the result.AND (SELECT 1 FROM (SELECT(SLEEP(10)))a): This is an injected subquery.
It attempts to execute a SELECT statement with a SLEEP(10) function call.
The purpose of the SLEEP() function is to introduce a delay in the query
execution. In this case, it pauses the execution for 10 seconds.-- -: This is a comment used to bypass any remaining part of the original
query. It effectively comments out the rest of the query to avoid syntax
errors.
How the Attacker would abuse this ?
So the injected subquery is an example of a time-based blind SQL injection attack. By manipulating the input, we tried to delay the response from the database server, which was an indication of a successful injection.
- Data Manipulation: Attackers can modify or delete data within the database, altering the integrity of the application. This can result in data loss, corruption, or manipulation of important records.
- Privilege Escalation: By injecting specific SQL statements, an attacker may attempt to escalate their privileges within the system. For example, they can try to elevate their user privileges to gain administrative access or execute commands with higher privileges.
- Database Takeover: Exploiting SQL injection vulnerabilities, attackers can potentially gain control over the entire database server. They can execute arbitrary SQL commands, create new database accounts, modify database schemas, or even execute commands on the underlying operating system.
- Denial of Service (DoS): Attackers can use SQL injection as a means to launch DoS attacks by crafting malicious queries that consume excessive server resources, leading to performance degradation or server unavailability.
- Remote Code Execution: In some cases, SQL injection vulnerabilities can allow attackers to execute arbitrary code on the server. This can lead to complete compromise of the server and allow the attacker to execute any commands or scripts within the server’s environment.
Patch Diffing
The impacted file **
class-survey-maker-admin.php**
where the code available in the vulnerable version < 3.1.2
has a function ays_surveys_export_json
and In the patched code Survey Maker
just removed the code for the patch.
By removing the ays_surveys_export_json
function, the survey maker eliminates the immediate risk associated with the vulnerable code. This prevents attackers from exploiting the SQL injection vulnerability through that specific entry point.
However, it’s important to note that simply removing the vulnerable function may not be sufficient to fully patch the vulnerability. As the entry point may change but vulnerability might can exist.
MITIGATION:
As this is the plugin issue so Survey Maker created a new release in which they removed the code from the file and the vulnerable function doesn’t exists in the releases , so an upgrade to the version 3.1.2 and above will resolve the issue.
Final Thoughts:
I think the problem id un-awareness or not much knowledge of security ,I think developers needs to understand and follow secure coding practices, such as using secure coding guidelines, avoiding dynamic SQL queries whenever possible, and conducting code reviews to
identify and fix potential vulnerabilities.They need to ensure that development team is aware of the risks associated with SQL injection and educated on secure coding practices.
Regularly train and update developers on the latest security best practices to maintain a proactive security posture.And also Perform regular security testing, including vulnerability
assessments and penetration testing, to identify and mitigate SQL injection vulnerabilities. Automated tools and manual code reviews can also help identify potential issues.
Resources
https://vulmon.com/vulnerabilitydetails?qid=CVE-2023-23490&scoretype=cvssv3
https://www.docker.com/products/docker-desktop/
https://code.visualstudio.com/download
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
https://www.docker.com/101-tutorial/
#cve #wordpress #survey-maker #CVE-2023–23490 #analysis #vicarius_blog #wp-plugin