02 Mar

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WL Katalogsøk

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which  is now accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In the plugin WL Katalogsøk, user input is passed through the unserialize() function, which could lead to PHP object injection, when visiting a page using one of its shortcodes.

The plugin makes the function showSingleItem() available through a shortcode:

4
add_shortcode("wl-ils-enkeltpost", array('MBShortcode', "showSingleItem") );

That function, which is located in the file /lib/WL_Shortcode.php, assigns the value of the GET input “enkeltpostinfo” to the variable $info and then unserializes the base64_decoded version of it:

87
88
89
90
91
public static function showSingleItem ($atts) {
  $postout = null;
 
  if ( $info = _is($_GET, 'enkeltpostinfo') ) {
    $item_info = unserialize(base64_decode($info));

Even if the shortcode that causes that function to run is not used on the website, any one logged in to WordPress could access it, like they can shortcodes in general, through WordPress’ AJAX functionality and the vulnerability is also exploitable that way as well.

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, visiting the following page will cause the message “PHP object injection has occurred.” to be shown.

Make sure to replace “[path to page with enkeltpostinfo shortcode]” with the location of a page with the shortcode “enkeltpostinfo” on it.

http://[path to page with enkeltpostinfo shortcode]?enkeltpostinfo=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=

Timeline

  • February 22, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

Leave a Reply

Your email address will not be published. Required fields are marked *