17 Sep 2018

Our Proactive Monitoring Caught an Exploitable Vulnerability in Events Made Easy

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In a change made to the plugin Events Made Easy last week, code was added to the plugin that would pass the value of a cookie, “eme_client_time” through the unserialize() function, which could lead to PHP object injection. One of the locations that was added to was in the function eme_client_clock_ajax() in the file /eme_functions.php:

7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
function eme_client_clock_ajax() {
   global $eme_timezone;
   $valid = true;
   // Set php clock values in an array
   $phptime_obj = new ExpressiveDate(null,$eme_timezone);
   // if clock data not set
   if (!isset($_COOKIE['eme_client_time'])) {
      // no valid data received
      $valid = false;
      // ret=1 will cause the client browser to refresh, this will allow the cookie to be read upon refresh (and so no global var is needed)
      $ret='1';
      // Preset php clock values in client cookie for fall-back if valid client clock data isn't received.
      $client_timeinfo['eme_client_unixtime'] = (int) $phptime_obj->format('U'); // Integer seconds since 1/1/1970 @ 12:00 AM
      $client_timeinfo['eme_client_seconds'] = (int) $phptime_obj->format('s'); // Integer second this minute (0-59)
      $client_timeinfo['eme_client_minutes'] = (int) $phptime_obj->format('i'); // Integer minute this hour (0-59)
      $client_timeinfo['eme_client_hours'] = (int) $phptime_obj->format('h'); // Integer hour this day (0-23)
      $client_timeinfo['eme_client_wday'] = (int) $phptime_obj->format('w'); // Integer day this week (0-6), 0 = Sunday, ... , 6 = Saturday
      $client_timeinfo['eme_client_mday'] = (int) $phptime_obj->format('j'); // Integer day this month 1-31)
      $client_timeinfo['eme_client_month'] = (int) $phptime_obj->format('n'); // Integer month this year (1-12)
      $client_timeinfo['eme_client_fullyear'] = (int) $phptime_obj->format('Y'); // Integer year (1970-9999)
   } else {
      $client_timeinfo = unserialize(stripslashes($_COOKIE['eme_client_time']));

Not to surprisingly based on the name of the function, that function is accessible through WordPress’ AJAX function, in this case whether or not someone is logged in to WordPress:

5
6
add_action( 'wp_ajax_eme_client_clock', 'eme_client_clock_ajax' );
add_action( 'wp_ajax_nopriv_eme_client_clock', 'eme_client_clock_ajax' );

Less than 24 hours after we notified the developer of the issue, they released version 2.0.53, which resolves the vulnerability by replacing use of unserialize() with json_decode() (and replaces related use of serialize() with json_encode()):

128
$client_timeinfo = json_decode(stripslashes($_COOKIE['eme_client_time']),true);

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “eme_client_time” to “O:20:”php_object_injection”:0:{}” and then when visiting the following URL the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=eme_client_clock

Timeline

  • September 14, 2018 – Developer notified.
  • September 15, 2018 – Version 2.0.53 released, which fixes vulnerability.
  • September 15, 2018 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published.