22 Sep

PHP Object Injection Vulnerability in TAKETIN To WP Membership

Through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities, we recently found a PHP object injection vulnerability in the TAKETIN To WP Membership plugin.

In the file /classes/taketin-mp-utils.php the function getMessage() as of version 1.2.7 would unserialize the value of the cookie “taketin_mp_error”, which permitted PHP object injection:

public static function getMessage(){
	if(!isset($_COOKIE[TMP_ERR_MSG_COOKIE_KEY])){
		return false;
	}
	// The cookie value is supplied by the visitor and is passed to unserialize() without validation
	$mess = unserialize(base64_decode($_COOKIE[TMP_ERR_MSG_COOKIE_KEY]));

One of the places that function is called is in the file /views/forgot_password.php:

$msg = TaketinMpUtils::getMessage();

That file is included by the function reset() (in the file /classes/taketin-mp-membership.php):

public function reset() {
	//$succeeded = $this->notices();
	//if ($succeeded) {
	//    return '';
	//}
	ob_start();
	//Load the forgot password template
	$template_files = TMP_MEM_PATH . 'views/forgot_password.php';
	require( $template_files );

That function is called when the shortcode “tmp_reset_form” is used:

add_shortcode('tmp_reset_form', array(&$this, 'reset'));

Less than a day after we notified the developer of the vulnerability, they released version 1.2.8, which fixes the vulnerability by replacing usage of unserialize() with json_decode() (as well as replacing a connected usage of serialize() with json_encode()):

$mess = json_decode(base64_decode($_COOKIE[TMP_ERR_MSG_COOKIE_KEY]), true);

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “taketin_mp_error” to “TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=”. Then, when you visit a post or page with the shortcode “tmp_reset_form” on it, the message “PHP object injection has occurred.” will be shown.
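
The script below is an added example, not code from the plugin or from the testing plugin. It feeds the proof of concept cookie value to the 1.2.7 pattern, the 1.2.8 pattern and an allowed_classes variant, and reports whether an object was rebuilt. The class body, the function names, the is_array() check, the allowed_classes variant and the sample message are assumptions made for illustration.

```php
<?php
// Stand-in for the class a PHP object injection testing plugin would define
// (assumed shape; that plugin's code is not shown on this page).
class php_object_injection {
    public static $woken = false;
    public function __wakeup() {
        // Runs automatically whenever unserialize() rebuilds an instance.
        self::$woken = true;
    }
}

// 1.2.7 pattern: the cookie value goes straight into unserialize().
function get_message_unserialize($cookie) {
    return unserialize(base64_decode($cookie));
}

// 1.2.8 pattern: json_decode() yields only scalars and arrays, never objects
// of an application class. The is_array() check is an addition of this example.
function get_message_json($cookie) {
    $mess = json_decode(base64_decode($cookie), true);
    return is_array($mess) ? $mess : false;
}

// Option when a serialized format has to stay (PHP 7.0+): no class is
// instantiated; objects come back as inert __PHP_Incomplete_Class.
function get_message_no_classes($cookie) {
    return unserialize(base64_decode($cookie), ['allowed_classes' => false]);
}

// Print the type of the decoded value and whether __wakeup() was triggered.
function report($label, $value) {
    $kind = is_object($value) ? get_class($value) : gettype($value);
    printf("%-26s result=%-24s __wakeup ran=%s\n", $label, $kind,
        php_object_injection::$woken ? 'yes' : 'no');
    php_object_injection::$woken = false; // reset for the next case
}

$poc   = 'TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30='; // cookie value from the proof of concept
$legit = base64_encode(json_encode(['error' => 'Unknown email address'])); // constructed sample

report('unserialize / PoC',     get_message_unserialize($poc));
report('json_decode / PoC',     get_message_json($poc));
report('json_decode / legit',   get_message_json($legit));
report('allowed_classes / PoC', get_message_no_classes($poc));
```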

Timeline

  • September 21, 2017 – Developer notified.
  • September 21, 2017 – Developer responds.
  • September 21, 2017 – Version 1.2.8 released, which fixes the vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us, we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
