The source of the attack was traced to the id parameter, which is not sanitized before being interpolated into a SQL query. This allows users to inject unapproved data into the database query, with a possible information leak as the result. The id parameter is used for routing requests and assigning each request a unique number. Because it is not validated before being used in a SQL query, user-controlled input reaches the query text unchanged. This could lead to a user being logged in with the privileges of another user; for example, a user who has been assigned the "Manager" role could end up logged in as an "Admin" with all the privileges of an "Admin". An attacker could use this to obtain another user's credentials, potentially leading to a full account takeover.

CVE-2016-7143

The vulnerability was discovered in version 3.2 of the WordPress REST API, a backwards-compatible version of the REST API. It lies in the use of the parseTree function to represent trees: the function has been reported not to return all nodes of a node tree, so a request for a parsed tree may come back to the user incomplete.
Some websites that have been affected:
https://www.thesun.co.uk/money/3558197/the-sun-displays-up-to-4m-inaccurate-adverts
https://www.pinterest.com/pin/create/?url=https%3A%2F%2Fwww.pinterest.com%2Fpin%2F218776810372538390&media=https%3A%2F%2Fi0w1t5k8t6snds7s9s6f1nc

CVE-2023-36693

This vulnerability is an unvalidated SQL injection. The id parameter is used to identify a unique request and assign it a number. Because the id parameter is not sanitized, user-controlled input can be injected into a SQL query. This could lead to a user being logged in with the privileges of another user; for example, a user who has been assigned the "Manager" role could end up logged in as an "Admin" with all the privileges of an "Admin". An attacker could use this vulnerability to obtain another user's credentials, potentially leading to full account takeover.

SQL injection

SQL injection is a type of injection attack in which an attacker supplies input that is interpreted as part of a SQL command by the application. By injecting SQL, the attacker can read or manipulate tables, insert or delete data, bypass authorization checks and, on some database engines, execute operating-system commands. SQL injection becomes possible when an application has input sanitization flaws in the code that builds its database queries. It is important to note that this is not a vulnerability specific to any one application: any software that builds SQL queries from untrusted input can be vulnerable to SQL injection.

SQL Injection: An Overview

SQL injection is a type of attack that occurs when an attacker supplies unvalidated input that is placed into a SQL query. The input then becomes part of the query text, which can lead to unintended and undesirable consequences.
Most web applications use some form of SQL query. SQL queries are issued by all types of applications, including backend servers, user interfaces, and mobile apps. Because the id parameter is not validated before it is used in a SQL query, this could be an issue for any application that passes it into a query.
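The following is an added example, not code from the advisory or from the affected software. It shows the pattern the text describes: an id parameter pasted into a SQL query string, and the hardened form beside it. The table layout, the rows, the column names and the payload strings are all constructed for illustration and are assumptions, not taken from any real application. The example uses an in-memory SQLite database so it runs offline.

```python
"""Added example (not from the advisory): an unsanitized `id` parameter
interpolated into a SQL query, beside the hardened version.

Everything here is constructed for illustration: the tables, the rows and
the payloads are assumptions, not taken from the affected software.
"""
import re
import sqlite3


def make_db():
    """Build an in-memory SQLite database holding constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE requests (id INTEGER PRIMARY KEY, owner TEXT, payload TEXT);
        CREATE TABLE users (username TEXT, role TEXT, password_hash TEXT);
        INSERT INTO requests VALUES (1, 'manager', 'report-q3');
        INSERT INTO requests VALUES (2, 'admin',   'audit-log');
        INSERT INTO users VALUES ('manager', 'Manager', 'hash-m');
        INSERT INTO users VALUES ('admin',   'Admin',   'hash-a');
        """
    )
    return conn


def lookup_request_vulnerable(conn, id_param):
    """Vulnerable: the user-controlled id is concatenated into the query text,
    so anything the caller puts in `id` becomes SQL."""
    sql = "SELECT owner, payload FROM requests WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_request_safe(conn, id_param):
    """Hardened: reject anything that is not a short decimal integer, then
    bind the value as a parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("id must be a decimal integer")
    sql = "SELECT owner, payload FROM requests WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


def safe_rejects(conn, id_param):
    """True if the hardened lookup refuses the given id (used by the demo)."""
    try:
        lookup_request_safe(conn, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Intended use: one row for one id.
    print("vulnerable, id=2:", lookup_request_vulnerable(db, "2"))
    # Tautology: the WHERE clause is always true, every request leaks.
    print("vulnerable, id=1 OR 1=1:", lookup_request_vulnerable(db, "1 OR 1=1"))
    # UNION: pull credential hashes out of an unrelated table through the
    # same two-column result shape.
    leak = "0 UNION SELECT username, password_hash FROM users"
    print("vulnerable, UNION payload:", lookup_request_vulnerable(db, leak))
    # Hardened version: same lookup, but the payloads are rejected up front.
    print("safe, id=2:", lookup_request_safe(db, "2"))
    print("safe rejects tautology:", safe_rejects(db, "1 OR 1=1"))
    print("safe rejects UNION:", safe_rejects(db, leak))
```

The allow-list check on the id is the cheap first line of defence, but the parameterized query is what actually removes the vulnerability: even if a future change loosens the regex, a bound parameter is sent to the engine as data, never as query text.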

Timeline

Published on: 08/25/2022 22:15:00 UTC
Last modified on: 08/27/2022 02:29:00 UTC

References