_ _
/ | _| |_ _ _____ ___ ___ ___ ___ ___
_ / / | . | | | | . | _| . | _| -_|
|_|_/ |___|___|_|_|_| _|___|___|_| |___|
|_|
2019-05-07
CSRF & Authed SQLi in 'wp-booking-system' WordPress plugin
==========================================================
CVE-2019-12239
Two authenticated SQL injection vulnerabilities were found in
wp-booking-system v1.5.1 [1]. At the time of writing, wordpress.org reports
9000+ active installations. Prepared statements are used correctly in most
of the plugin, but two queries were missed and concatenate request
parameters straight into the SQL string.

Because authentication is required to reach the vulnerable code, the
complexity of exploitation equals that of obtaining an administrative user
session. Luckily for the attacker, neither endpoint carries a CSRF
protective mechanism (WordPress nonce [2]). An attacker can therefore craft a
malicious webpage that, once visited by an authenticated administrative
user, makes the victim's browser issue the request (a POST to admin-ajax.php
for Bug1, a GET with query parameters for Bug2) and triggers the SQL
injection inside the administrator's session.

One caveat on the "administrative" qualifier: the wp_ajax_ hook used by Bug1
fires for any logged-in user, and the snippet below shows no capability
check, so that query may be reachable by lower-privileged accounts as well.
# Bug1 details
wp-booking-system.php, line 103:

add_action('wp_ajax_bookingModalData', 'bookingModalData_callback');

include/bookingAjax.php, lines 2-5:

function bookingModalData_callback() {
    global $wpdb;
    // $_POST['calendarID'] is concatenated unescaped into the query
    $sql = 'SELECT * FROM ' . $wpdb->prefix . 'bs_calendars WHERE calendarID = ' . $_POST['calendarID'];
    $calendar = $wpdb->get_row( $sql, ARRAY_A );
# Bug2 details
include/pluginStructure.php, lines 6-55:

function wpbs_calendars(){
    $do = (!empty($_GET['do'])) ? $_GET['do'] : 'calendars';
    switch($do){
        ..
        case 'booking-delete':
            include WPBS_DIR_PATH . '/controllers/bookings/booking-delete.php';
        ..
    }
}

controllers/bookings/booking-delete.php, lines 4-5:

// $_GET['bookingID'] is concatenated unescaped into the query
$sql = 'SELECT * FROM ' . $wpdb->prefix . 'bs_bookings WHERE bookingID = '. $_GET['bookingID'] .'';
$booking = $wpdb->get_row( $sql, ARRAY_A );
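Both bugs have the same shape and the same fix: a nonce check against CSRF,
an explicit capability check, and a prepared statement for the integer id.
The following is an added example of the hardened handlers, written for
this advisory and not taken from the plugin or its vendor update. The nonce
action names ('wpbs_booking_modal', 'wpbs_booking_delete'), the capability
'manage_options', and the helper name wpbs_load_booking_for_delete() are
assumptions; the WordPress functions themselves (check_ajax_referer,
check_admin_referer, current_user_can, $wpdb->prepare, wp_send_json_*)
are the real core APIs.

```php
<?php
// Added example: hardened versions of the two queries from this advisory.
// Not the plugin's own code. Assumed names are marked below.

// Bug1: AJAX handler reached through admin-ajax.php with action=bookingModalData.
add_action( 'wp_ajax_bookingModalData', 'bookingModalData_callback' );

function bookingModalData_callback() {
    global $wpdb;

    // CSRF: the admin page must emit wp_create_nonce( 'wpbs_booking_modal' )
    // (assumed action name) and send it as the 'nonce' POST field.
    // check_ajax_referer() terminates the request on a missing or bad nonce,
    // so a forged cross-site POST never reaches the query.
    check_ajax_referer( 'wpbs_booking_modal', 'nonce' );

    // Authorisation: wp_ajax_ fires for any logged-in user, so the
    // administrative requirement has to be enforced here (assumed capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // SQLi: calendarID is an integer; cast it and bind it with %d so the
    // value can never change the structure of the statement.
    $calendar_id = isset( $_POST['calendarID'] ) ? (int) $_POST['calendarID'] : 0;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bs_calendars WHERE calendarID = %d",
        $calendar_id
    );
    $calendar = $wpdb->get_row( $sql, ARRAY_A );

    if ( null === $calendar ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $calendar );
}

// Bug2: the 'booking-delete' controller. The admin link that leads here must
// be built with wp_nonce_url( $url, 'wpbs_booking_delete' ) (assumed action
// name) so that check_admin_referer() can validate the _wpnonce query
// parameter. Helper name is assumed; returns the row or null.
function wpbs_load_booking_for_delete() {
    global $wpdb;

    check_admin_referer( 'wpbs_booking_delete' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }

    $booking_id = isset( $_GET['bookingID'] ) ? (int) $_GET['bookingID'] : 0;
    $booking = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}bs_bookings WHERE bookingID = %d",
            $booking_id
        ),
        ARRAY_A
    );
    return $booking;
}
```

The order of the checks matters: the nonce check comes first so that a
forged request from an administrator's browser is rejected before any
authorisation logic runs, and the capability check comes before the query so
that a low-privileged account cannot reach the database at all. The prepared
statement is the only one of the three that closes the injection itself;
the other two close the cross-site and privilege paths to it.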
# Proof of discovery
twitter.com/magnusstubman/status/1125370125409038338

The tweet published the hash below ahead of disclosure; the file a holds the
vulnerable line from controllers/bookings/booking-delete.php, as the
base64 decodes to.

$ cat a | base64 -b 75
JHNxbCA9ICdTRUxFQ1QgKiBGUk9NICcgLiAkd3BkYi0+cHJlZml4IC4gJ2JzX2Jvb2tpbmdzIFd
IRVJFIGJvb2tpbmdJRCA9ICcuICRfR0VUWydib29raW5nSUQnXSAuJyc7Cg==
$ sha256sum a
27d3119bfb55a985aa8b8f521fd61089f9f0c6cc5d8ea018f475369c61bac95a  a
# Timeline
2019-05-07 Public disclosure
2019-05-07 CVE-ID requested
2019-05-07 Vendor released update
2019-05-20 CVE-2019-12239 assigned
# References
1: wordpress.org/plugins/wp-booking-system
2: codex.wordpress.org/WordPress_Nonces