Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Giveaway Boost
One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).
In the plugin Giveaway Boost the value of a cookie is passed through the unserialize() function, which could lead to PHP object injection. That occurs in the function gb_getcookie(), which is located in the file /includes/cookies.functions.php:
11 12 | function gb_getcookie($name, $default = false) { $value = isset($_COOKIE[$name]) ? maybe_unserialize(stripslashes($_COOKIE[$name])) : $default; |
That code will run on the plugin’s promotion pages.
We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “gb_tracking_” plus the post ID number to “O:20:”php_object_injection”:0:{}” when on one of the plugin’s promotion pages then the message “PHP object injection has occurred.” will be shown. The post ID can be found to the right of the text “gb_entry_” in the page’s source code.
Timeline
- July 2, 2018 – Developer notified.