
David Vaartjes, March 2017

WordPress Adminer plugin allows public (local) database login

Abstract

A vulnerability has been identified in the Adminer WP plugin which allows attackers on the public internet to connect and authenticate to the local/internal databases reachable from your WordPress server, without any WordPress login.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue was found during the Summer of Pwnage hacker event, which ran from July 1 to 29: a community summer event in which a large group of security bughunters from around the world collaborate on a month of security research into Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160728-0001

Tested versions

This issue was successfully tested on the Adminer WordPress Plugin version 1.4.4.

Fix

Currently no fix for this issue is available. Until one is, site owners can remove the plugin or deny web access to the plugin's inc/ directory in their web server configuration, and should make sure the databases reachable from the WordPress server do not use guessable credentials.

Introduction

The Adminer WordPress plugin is a full-featured MySQL management tool based on the Adminer project. It allows WordPress admins to manage their database quickly: after installation of the plugin, the database can be managed from within the WordPress Dashboard via the Tools -> Adminer menu option.

It has been identified that some versions of this plugin expose a PHP script that can be used to log in to and manage (after a successful login) the connected WordPress database from the internet. It does not matter whether the database runs on localhost or somewhere else in the internal network.

Please note that an attacker still needs to provide a valid username and password to the script to log in to the database. We decided to report this anyway, since many site owners probably do not know that such "functionality" exists, allowing anyone to try to log in to their local/internal database from the outside. Although bad practice, local or internal databases are quite often given weak credentials, because people assume that only trusted internal sysadmins are able to connect to them anyway.

Details

This issue exists because a publicly accessible interface (the Adminer editor) is exposed that anyone on the web can use. No login to the WordPress dashboard is required. From the plugin's git history it seems that the Adminer editor component was added in early 2016.

Since an attacker can also specify the host:port combination of the database to connect to, this issue can be used to connect to any database (WordPress or not) that is reachable from the target WordPress server, effectively turning the script into a pivot into the internal network.

The script has a measure in place to limit brute-force attacks: after 30 connection attempts from a single IP address, that address is blocked for 30 minutes. Note that this lockout is per source address, so an attacker with many addresses can spread the attempts across them, and it does nothing against a single correct guess of a weak password.

The script can be found at the following location:
http://<target>/wp-content/plugins/adminer/inc/editor/index.php

Using Google, many sites can be found that have such a publicly accessible database login page exposed:
https://www.google.nl/search?q=inurl:/adminer/inc/

Proof of concept

- http://<target>/wp-content/plugins/adminer/inc/editor/index.php (shows the Adminer login form without any WordPress session)
- http://<target>/wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=root (attempts a login to an internal database; note that the credentials travel in the query string and therefore also end up in the web server's access log)
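The following Python script is an added example, not part of this advisory or of the Adminer plugin. It shows what a site owner would do with the Details and Proof of concept sections above: build the probe URL for the exposed editor script, and scan combined-format web server access logs for requests to it, listing which internal database hosts were targeted and which source addresses have reached the script's own 30-attempts-per-IP lockout threshold. The log lines at the bottom are constructed for the example; the site and log field values are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode, urljoin, urlparse

# Path of the exposed script and the plugin's inc/ directory, from the advisory.
EDITOR_PATH = "wp-content/plugins/adminer/inc/editor/index.php"
ADMINER_INC = "/wp-content/plugins/adminer/inc/"
# The script's own per-IP lockout threshold, from the advisory.
LOCKOUT_ATTEMPTS = 30

# Apache/nginx "combined" log format; only the fields we need are named.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) '
)


def probe_url(base_url: str) -> str:
    """URL to request to see whether the editor script is reachable without a WordPress login."""
    if not base_url.endswith("/"):
        base_url += "/"          # keep a sub-directory install such as /blog/ intact
    return urljoin(base_url, EDITOR_PATH)


def login_url(base_url: str, server: str, username: str, db: str, password: str) -> str:
    """The advisory's second proof-of-concept URL with the values filled in.
    The credentials are GET parameters, so they are logged by the web server too."""
    params = {"server": server, "username": username, "db": db, "password": password}
    return probe_url(base_url) + "?" + urlencode(params)


def adminer_hits(log_lines):
    """Return one record per request to the plugin's inc/ directory found in the log."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if ADMINER_INC not in url.path:
            continue
        qs = parse_qs(url.query)
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": url.path,
            "status": int(m.group("status")),
            # Target DB host, user and database tried. The password is deliberately
            # not copied into the report, even though it sits in the log line.
            "server": qs.get("server", [None])[0],
            "username": qs.get("username", [None])[0],
            "db": qs.get("db", [None])[0],
        })
    return hits


def attempts_per_ip(hits) -> Counter:
    """Connection attempts (requests carrying a server= parameter) per source address."""
    return Counter(h["ip"] for h in hits if h["server"] is not None)


def lockout_candidates(hits, threshold: int = LOCKOUT_ATTEMPTS):
    """Source addresses that reached the per-IP lockout threshold. Because the lockout
    is per address, a distributed attacker never trips it; lower the threshold when hunting."""
    return {ip for ip, n in attempts_per_ip(hits).items() if n >= threshold}


# Constructed sample access log (not real traffic), combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2016:10:15:01 +0200] "GET /wp-content/plugins/adminer/inc/editor/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2016:10:15:09 +0200] "GET /wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=root HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2016:10:15:14 +0200] "GET /wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=toor HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jul/2016:10:15:20 +0200] "GET /wp-content/plugins/adminer/inc/editor/index.php?server=127.0.0.1&username=wp&db=wordpress&password=wp HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jul/2016:10:16:02 +0200] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jul/2016:10:16:30 +0200] "POST /wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=root HTTP/1.1" 200 5301 "-" "curl/7.47.0"
192.0.2.9 - - [28/Jul/2016:10:17:00 +0200] "GET /index.php HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
""".splitlines()


def sample_report():
    """Run the detection over the constructed sample and summarise the findings."""
    hits = adminer_hits(SAMPLE_LOG)
    return {
        "hits": len(hits),
        "attempts": dict(attempts_per_ip(hits)),
        "targets": sorted({h["server"] for h in hits if h["server"]}),
        "locked_out_at_3": sorted(lockout_candidates(hits, threshold=3)),
    }


if __name__ == "__main__":
    print(probe_url("https://example.com"))
    print(sample_report())
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any request carrying a server= parameter to this path is a login attempt against a database reachable from your server, and the server values tell you which internal hosts were being probed. Because Adminer's lockout only counts per source address, hunt with a threshold far below 30 rather than waiting for the script to block anyone.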