17 Aug

PHP Object Injection Vulnerability in Leaky Paywall

We recently started proactively monitoring for evidence of some high-risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection vulnerabilities, since those are likely to be exploited if hackers become aware of them. Through that we came across a PHP object injection vulnerability in the plugin Leaky Paywall, which permits implementing a paywall on a website.

That a plugin used for business purposes has a serious vulnerability is all too common in our experience, and it is a good reminder that getting a security review of the plugins a business uses can make a lot of sense. Through our service, paying customers can suggest and vote for plugins to have a review done. We also recently introduced the option to purchase the same type of review for a plugin of your choice.

The plugin makes the function process_cookie_requests() available through WordPress AJAX functionality whether the request comes from someone that is logged in to WordPress or not (/include/class-restrictions.php):

add_action( 'wp_ajax_nopriv_leaky_paywall_process_cookie', array( $this, 'process_cookie_requests' ) );
add_action( 'wp_ajax_leaky_paywall_process_cookie', array( $this, 'process_cookie_requests' ) );

In the process_cookie_requests() function, if the cookie “issuem_lp” exists, its value is unserialized, which permits PHP object injection to occur:

if ( !empty( $_COOKIE['issuem_lp'] ) ) {
	$available_content = maybe_unserialize( stripslashes( $_COOKIE['issuem_lp'] ) );
}

There was similar code in the function process_requests() in the file /class.php, which may also be vulnerable.

After we notified the developer of the issue they released version 4.9.2, which resolves the vulnerability by replacing the usage of serialization and unserialization with JSON encoding and decoding.
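The difference between the two ways of decoding the cookie, as an added example that is not the plugin's code: the function names, the Marker class and the assumed cookie layout (post ID mapped to an expiry timestamp) are hypothetical, and the sample cookie values are constructed.

```php
<?php
// Added illustration, not Leaky Paywall's code. All names here are hypothetical.

// Stand-in for any class already loaded on the site that has a magic method.
class Marker {
    public static $woken = 0;
    public function __wakeup() {
        self::$woken++; // runs during unserialize(), before the caller sees the value
    }
}

// Before: the pattern shown above. The cookie decides which class gets instantiated.
function decode_cookie_unserialize( $raw ) {
    return unserialize( $raw );
}

// After: JSON decoding yields only arrays and scalars, never objects of loaded classes.
function decode_cookie_json( $raw ) {
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        return array(); // not JSON, or not a JSON object/array: treat as no cookie
    }
    $clean = array();
    foreach ( $data as $post_id => $expires ) {
        // Assumed layout: numeric post ID => integer expiry timestamp.
        if ( ctype_digit( (string) $post_id ) && is_int( $expires ) ) {
            $clean[ (int) $post_id ] = $expires;
        }
    }
    return $clean;
}

// Constructed sample values.
$object_cookie = serialize( new Marker() );
$json_cookie   = json_encode( array( 12 => 1502900000 ) );

decode_cookie_unserialize( $object_cookie );
echo 'unserialize: __wakeup ran ', Marker::$woken, " time(s)\n";

Marker::$woken = 0;
var_dump( decode_cookie_json( $object_cookie ) );
echo 'json_decode: __wakeup ran ', Marker::$woken, " time(s)\n";
var_dump( decode_cookie_json( $json_cookie ) );
```

The per-entry type check matters as much as the switch to JSON, because the decoded array is still attacker-controlled data.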

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “issuem_lp” to “O:20:"php_object_injection":0:{}” and then when you visit the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[valid post ID]” with the ID number of a valid post.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=leaky_paywall_process_cookie&post_id=[valid post ID]

Timeline

  • August 10, 2017 – Developer notified.
  • August 15, 2017 – Developer responds.
  • August 17, 2017 – Version 4.9.2 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
