This issue happens due to insufficient validation of user-supplied data. Also, Affiliates Manager does not properly sanitise the affiliate's data, which could allow for affiliate data to be injected by an admin, resulting in affiliate data being stored in the database in an insecure manner. The following situations allow for affiliate data to be injected by an admin:
Using an incorrect affiliate ID (affiliate_id) or password combination.
Using an expired or invalid affiliate cookie.
Using an expired or invalid affiliate ID (affiliate_id) combination.
Using an expired or invalid affiliate password.
Forcing a single affiliate to be used by a site.
Forcing an affiliate cookie to expire.
Allowing an invalid affiliate ID (affiliate_id) to be used.
Allowing an invalid affiliate cookie to be used.
Allowing an invalid affiliate password to be used.
Forcing an invalid affiliate ID (affiliate_id) to be used.
How to check Affiliates Manager for possible values?
The following SQL query will return the data for any given affiliate ID:
SELECT * FROM affiliates WHERE affiliate_id='{affiliate_id}'
This result set can then be filtered by country; the country condition must be ANDed with the affiliate ID condition, otherwise the query returns every US or CA affiliate regardless of the ID:
SELECT * FROM affiliates WHERE affiliate_id='{affiliate_id}' AND (country = 'US' OR country = 'CA')
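The two queries above splice the affiliate ID straight into the SQL text. The following is an added example, not code from the advisory or from the Affiliates Manager plugin, showing the same lookup and country filter with bound parameters; the `affiliates` table layout and the sample rows are constructed here, and only the `affiliate_id` and `country` columns come from the page.

```python
import sqlite3

# Constructed sample data; the fourth id contains a quote, which is legal data
# but breaks any query that is assembled by string interpolation.
SAMPLE_ROWS = [
    ("aff-100", "Alice", "US"),
    ("aff-101", "Bob", "CA"),
    ("aff-102", "Chloe", "FR"),
    ("O'Brien", "Dan", "US"),
]

def make_db():
    """In-memory stand-in for the plugin's affiliates table (constructed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE affiliates (affiliate_id TEXT PRIMARY KEY, name TEXT, country TEXT)")
    conn.executemany("INSERT INTO affiliates VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_interpolated(conn, affiliate_id):
    """The page's query as written: the id becomes part of the SQL text (insecure)."""
    return conn.execute(f"SELECT * FROM affiliates WHERE affiliate_id='{affiliate_id}'").fetchall()

def lookup_affiliate(conn, affiliate_id, countries=None):
    """Same lookup with bound parameters; an optional country filter is ANDed in."""
    if not isinstance(affiliate_id, str) or not (1 <= len(affiliate_id) <= 64):
        raise ValueError("affiliate_id must be a 1-64 character string")  # assumed length bound
    sql = "SELECT affiliate_id, name, country FROM affiliates WHERE affiliate_id = ?"
    params = [affiliate_id]
    if countries:
        # Only the number of placeholders is built into the SQL; the values are bound.
        sql += " AND country IN (%s)" % ",".join("?" * len(countries))
        params.extend(countries)
    return conn.execute(sql, params).fetchall()

def demo():
    """Returns (interpolated query broke, parameterised rows, country-filtered rows)."""
    conn = make_db()
    try:
        lookup_interpolated(conn, "O'Brien")
        broken = False
    except sqlite3.OperationalError:
        broken = True  # the embedded quote ended the string literal and the statement failed to parse
    safe = lookup_affiliate(conn, "O'Brien")             # same id handled as data
    filtered = lookup_affiliate(conn, "aff-102", ["US", "CA"])  # FR affiliate, filtered out
    return broken, safe, filtered

if __name__ == "__main__":
    print(demo())
```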
Affiliate Manager – Types of Affiliate Accounts
Affiliate Manager has two types of affiliate accounts. One type of account allows an admin to see the list of affiliates, and the other type allows an admin to create affiliate data.
The following table demonstrates how the two types of accounts work and also shows which types of errors can be prevented by using a different account:
For security reasons, it is important that you use a different account when creating your affiliate data.
Solution:
As a workaround for this issue, use the following security settings:
1. Enable SSL on your site by changing the URLs in your theme settings so that they begin with https://.
2. Update your wp-config.php file with the following two settings: define('DS', true); define('AFFILIATE_ID', 'xxx');
3. Set up an SSL certificate for your site by obtaining one from a reputable provider such as Comodo or GeoTrust and installing it according to their install guide.
4. Always use HTTPS when sending affiliate IDs (including cookie IDs and passwords) via POST requests to prevent exploitation of this issue.
Timeline
Published on: 09/16/2022 09:15:00 UTC
Last modified on: 09/20/2022 14:28:00 UTC