Security vulnerabilities in miniOrange (7)
Site takeover through broken 2FA in combination with SQLi – (miniOrange <= 5.5.82)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
Site takeover through stolen API credentials in combination with SQLi – (miniOrange <= 5.5.82)
Affected plugin: miniOrange
Active installs: 20,000+
Vulnerable version: <= 5.5.82
Audited version: 5.5.82
Fully patched version: –
Recommended remediation: Removal of the plugin
Description: The plugin uses remote APIs in almost all authentication-related contexts. In addition, the plugin authenticates itself using information stored exclusively as plaintext in the database. An attacker, armed with a read-only […]
Compromise of 2FA secrets and backup codes possible through read-only SQLi – (miniOrange <= 5.5.82)
The plugin stores users’ emergency backup codes as plain text in the database. Furthermore, users’ TOTP secret keys are encrypted, but the encryption keys are stored in the same database as the encrypted ciphertexts. An attacker who is able to obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
Insecure Randomness for encryption keys – (miniOrange <= 5.5.82)
The plugin uses a non-randomly-generated, eight-character string as OpenSSL encryption keys.
Rate limit bypass through User-Agent spoofing – (miniOrange <= 5.5.82)
An attacker can bypass the plugin’s WAF rate limiting by spoofing the User-Agent header to match the name of one of the popular search-engine crawlers.
DOS through IP spoofing – (miniOrange <= 5.5.82)
The plugin is wide open to IP spoofing across the board, which an attacker can exploit to permanently ban search-engine crawlers, legitimate users, or the site’s reverse proxy.
Site compromise through leaked wp-config – (miniOrange <= 5.5.82)
The plugin stores filesystem and database backups as unencrypted .zip archives in the wp-uploads directory. The only protection is a .htaccess file which is ignored by NGINX. Since most web servers are configured to allow access to zip files in the wp-uploads directory, an attacker can download arbitrary backups and take over the entire site by stealing the wp-config salts.