

CVE-2023-2484: class-mo-ldap-user-auth-reports.php in ldap-login-for-intranet-sites/trunk – WordPress Plugin Repository

The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user-supplied parameters and lack of sufficient preparation on the existing SQL query. In the listing below the two values are read from `$_GET`, passed through `sanitize_text_field()` (which strips tags and whitespace but is not an SQL escaper) and then handed to `$wpdb->prepare()` through the `%1s` placeholder, which neither quotes nor escapes its argument, so the attacker-controlled text lands verbatim in the ORDER BY clause. This makes it possible for authenticated attackers with administrator privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The correct remedy is to accept only an allow-listed column name and `ASC`/`DESC` before the values reach the query string; escaping alone cannot protect an identifier position.


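<?php
/**
 * This file renders user authentication reports table.
 *
 * Security note (CVE-2023-2484): the `orderby` / `order` query-string values
 * used to be passed into `$wpdb->prepare()` through the `%1s` placeholder,
 * which performs no quoting or escaping, so an authenticated administrator
 * could append arbitrary SQL to the ORDER BY clause. Both values are now
 * checked against fixed allow-lists before they are interpolated into the
 * query; `sanitize_text_field()` on its own is not an SQL escaper.
 *
 * @package miniOrange_LDAP_AD_Integration
 * @subpackage Main
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
if ( ! class_exists( 'WP_List_Table' ) ) {
	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}

if ( ! class_exists( 'MO_LDAP_User_Auth_Reports' ) ) {
	/**
	 * MO_LDAP_User_Auth_Reports : This Class contains function for LDAP authentication reports.
	 */
	class MO_LDAP_User_Auth_Reports extends WP_List_Table {

		/**
		 * Object-cache key for the paginated report rows.
		 *
		 * The key name is unchanged from the previous release so that any
		 * `wp_cache_delete()` of it elsewhere in the plugin still invalidates
		 * the list. Each distinct (column, direction, page size, page) query
		 * is stored under this key by signature, because a single shared
		 * value would return page 1 for every page when a persistent object
		 * cache is active.
		 */
		const PAGINATION_CACHE_KEY = 'wp_user_reports_pagination_cache';

		/**
		 * Object-cache key for the total row count.
		 */
		const COUNT_CACHE_KEY = 'mo_ldap_user_report_count_cache';

		/**
		 * Columns the report may be sorted by. Only these identifiers are ever
		 * placed into the ORDER BY clause; anything else falls back to the default.
		 *
		 * @var string[]
		 */
		private static $sortable_columns = array( 'user_name', 'time' );

		/**
		 * __construct
		 *
		 * @return void
		 */
		public function __construct() {

			parent::__construct(
				array(
					'singular' => __( 'User', 'ldap' ),
					'plural'   => __( 'Users', 'ldap' ),
					'ajax'     => false,
				)
			);

		}

		/**
		 * Function get_users : get user authentication reports.
		 *
		 * Reads the optional `orderby` and `order` GET parameters (layout only,
		 * hence no nonce), validates them against fixed allow-lists and returns
		 * one page of rows from the `{prefix}user_report` table, each row
		 * renumbered 1..n in its `id` key for display.
		 *
		 * @param mixed $per_page    Entries on each page.
		 * @param mixed $page_number Current page to display (1-based).
		 * @return array List of associative rows; empty array on no data or query error.
		 */
		public static function get_users( $per_page, $page_number ) {

			global $wpdb;

			$order_by = 'time';
			$order    = 'asc';
			if ( ! empty( $_GET['orderby'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- fetching GET parameter for changing table layout.

				$requested_column = sanitize_text_field( wp_unslash( $_GET['orderby'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- fetching GET parameter for changing table layout.
				// An identifier cannot be escaped; only a known column name is accepted.
				if ( in_array( $requested_column, self::$sortable_columns, true ) ) {
					$order_by = $requested_column;
				}
				if ( ! empty( $_GET['order'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- fetching GET parameter for changing table layout.
					$requested_order = strtolower( sanitize_text_field( wp_unslash( $_GET['order'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- fetching GET parameter for changing table layout.
					// Only the two SQL keywords are valid; anything else keeps the default.
					if ( 'desc' === $requested_order ) {
						$order = 'desc';
					}
				}
			}

			// Numeric inputs: %d casts as well, but a negative OFFSET is a SQL error rather than "page 1".
			$per_page    = (int) $per_page;
			$page_number = max( 1, (int) $page_number );
			$offset      = ( $page_number - 1 ) * $per_page;

			$signature = $order_by . '|' . $order . '|' . $per_page . '|' . $page_number;
			$cached    = wp_cache_get( self::PAGINATION_CACHE_KEY );
			if ( is_array( $cached ) && isset( $cached[ $signature ] ) ) {
				$result = $cached[ $signature ];
			} else {
				// $order_by and $order are allow-listed literals (see above), so interpolating
				// them is safe; the numeric values still go through prepare() placeholders.
				$result = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery -- Fetching data from a custom table.
					$wpdb->prepare(
						"SELECT * FROM {$wpdb->prefix}user_report ORDER BY {$order_by} {$order} LIMIT %d OFFSET %d", // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- identifiers validated against a fixed allow-list.
						$per_page,
						$offset
					),
					'ARRAY_A'
				);
				// get_results() returns null on error; callers expect an array.
				if ( ! is_array( $result ) ) {
					$result = array();
				}
				if ( ! is_array( $cached ) ) {
					$cached = array();
				}
				$cached[ $signature ] = $result;
				wp_cache_set( self::PAGINATION_CACHE_KEY, $cached );
			}

			// Serial number shown in the "Sr No." column restarts at 1 on every page.
			$serial = 1;
			foreach ( $result as &$row ) {
				$row['id'] = (string) $serial++;
			}
			unset( $row );

			return $result;
		}

		/**
		 * Function record_count : Return the total number of records.
		 *
		 * The count is cached without expiry; a zero count is deliberately not
		 * served from cache (matches the previous behaviour).
		 *
		 * @return int
		 */
		public static function record_count() {
			global $wpdb;
			$cached_count = wp_cache_get( self::COUNT_CACHE_KEY );
			if ( $cached_count ) {
				return (int) $cached_count;
			}
			// No user input reaches this statement.
			$user_count = (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}user_report" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery -- Fetching data from a custom table.
			wp_cache_set( self::COUNT_CACHE_KEY, $user_count );
			return $user_count;
		}

		/**
		 * Function column_default : Default column name.
		 *
		 * WP_List_Table::single_row_columns() echoes the return value as-is, and
		 * the code that writes `user_name` / `ldap_error` into the table is not
		 * in this file, so the value is HTML-escaped here at the output boundary.
		 *
		 * @param mixed $item        Item (one associative row from get_users()).
		 * @param mixed $column_name Name of the column.
		 * @return string Escaped cell text; empty string for an unknown column.
		 */
		public function column_default( $item, $column_name ) {
			switch ( $column_name ) {
				case 'id':
				case 'user_name':
				case 'time':
				case 'ldap_status':
				case 'ldap_error':
					return isset( $item[ $column_name ] ) ? esc_html( $item[ $column_name ] ) : '';
			}
			return '';
		}

		/**
		 * Function get_columns : Get columns.
		 *
		 * @return array Column key => header label.
		 */
		public function get_columns() {
			return array(
				'id'          => __( 'Sr No.' ),
				'user_name'   => __( 'Username' ),
				'time'        => __( 'Time <br>(UTC + 0)' ),
				'ldap_status' => __( 'Status' ),
				'ldap_error'  => __( 'Additional Information' ),
			);
		}

		/**
		 * Function get_sortable_columns : Get sortable columns.
		 *
		 * Built from the same allow-list that get_users() enforces, so the UI
		 * can never offer a sort the query layer rejects.
		 *
		 * @return array Column key => array( orderby value, already-sorted flag ).
		 */
		public function get_sortable_columns() {
			$sortable = array();
			foreach ( self::$sortable_columns as $column ) {
				$sortable[ $column ] = array( $column, true );
			}
			return $sortable;
		}

		/**
		 * Function prepare_items : Prepare items.
		 *
		 * Resolves headers, page size and current page, then loads the rows
		 * for that page into $this->items.
		 *
		 * @return void
		 */
		public function prepare_items() {

			$this->_column_headers = $this->get_column_info();

			$per_page     = $this->get_items_per_page( 'Users_per_page', 10 );
			$current_page = $this->get_pagenum();
			$total_items  = self::record_count();

			$this->set_pagination_args(
				array(
					'total_items' => $total_items,
					'per_page'    => $per_page,
				)
			);

			$this->items = self::get_users( $per_page, $current_page );
		}

	}
}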
