7 Feb 2024

Nearly 10 Year Old Vulnerability Fixed in WordPress Security Plugin All-In-One Security (AIOS)

The changelog for the latest version of the 1+ million install WordPress security plugin All-In-One Security (AIOS) is:

SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.

That comes on the heels of an update released earlier the same day that mentioned another security fix. (That one might not be as serious as the changelog makes it sound.)

As at least one of our customers is using the plugin, we went to check on that to see if there was a vulnerability and if it had been fully fixed. In a past instance, we had found that a security fix in the plugin was not complete.

What we found was in line with the changelog. The “404 detection” feature lacked protection against cross-site request forgery (CSRF) when making requests to “Temp block” or “Blacklist IP”. That means that an attacker could possibly cause a logged in Administrator to block IP addresses without intending it. Not a serious issue, but it is something that wasn’t all that hidden and yet went unspotted for nearly 10 years, as it was introduced in March 2014.

The developer addressed this by adding a couple of nonce checks. Here is one of them:

// Verify both the nonce and the user's capability before acting on the 404 log item.
$nonce_user_cap_result = AIOWPSecurity_Utility_Permissions::check_nonce_and_user_cap($_GET['aiowps_nonce'], '404_log_item_action');

if (is_wp_error($nonce_user_cap_result)) {
	$aio_wp_security->debug_logger->log_debug($nonce_user_cap_result->get_error_message(), 4);
	die($nonce_user_cap_result->get_error_message());
}

We looked for any other code in the plugin similar to the underlying code that was vulnerable to see if there were any remaining CSRF issues and didn’t find anything.

We did find a place where the code in that feature still isn’t properly handling security. In the file /admin/wp-security-brute-force-menu.php, you have this code that uses the strip_tags() function when bringing in user input that should only be an integer:

$event_list_404->delete_404_event_records(strip_tags($_GET['id']));

Using intval() or another option to restrict the value to an integer would be more secure.
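As an added example (not code from AIOS or its developer), here is how a minimal handler for the same two kinds of list-table action can combine a nonce check tied to the action with proper coercion of the id and IP parameters. Every name prefixed with example_ and the database table name are assumptions:

```php
<?php
// Added example, not the plugin's own code: a minimal admin handler for
// "blacklist_ip" and "delete" list-table actions that applies the two
// defences discussed above. All names prefixed "example_" are assumed.

// Action links carry a nonce bound to the action name, so a link crafted
// off-site cannot include a valid one.
function example_404_action_url( $action, $args ) {
    $url = add_query_arg( array_merge( array(
        'page'   => 'example_404_detection',
        'action' => $action,
    ), $args ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'example_404_item_action', 'example_nonce' );
}

// The handler requires both a valid nonce and the capability: a nonce
// alone does not stop a low-privilege user, a capability check alone
// does not stop CSRF.
function example_handle_404_action() {
    if ( ! isset( $_GET['page'], $_GET['action'] ) || 'example_404_detection' !== $_GET['page'] ) {
        return;
    }
    $nonce = isset( $_GET['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_404_item_action' ) || ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }
    global $wpdb;
    switch ( $_GET['action'] ) {
        case 'blacklist_ip':
            // Validate the IP outright instead of stripping tags from it.
            $ip = filter_var( wp_unslash( $_GET['ip_address'] ?? '' ), FILTER_VALIDATE_IP );
            if ( false === $ip ) {
                wp_die( esc_html__( 'Invalid IP address.', 'example' ), '', array( 'response' => 400 ) );
            }
            $list   = (array) get_option( 'example_blacklisted_ips', array() );
            $list[] = $ip;
            update_option( 'example_blacklisted_ips', array_values( array_unique( $list ) ) );
            break;
        case 'delete':
            // An id must be coerced to an integer; strip_tags() leaves non-numeric input intact.
            $id = absint( $_GET['id'] ?? 0 );
            if ( $id > 0 ) {
                $wpdb->delete( $wpdb->prefix . 'example_404_events', array( 'id' => $id ), array( '%d' ) ); // assumed table
            }
            break;
    }
}
add_action( 'admin_init', 'example_handle_404_action' );
```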

We have reached out to the developer about that and some other issues we noticed.

Plugin Still in Need of Security Review

The plugin and another 1+ million install plugin from the same developer have had repeated issues with vulnerabilities, some of them rather serious, but the developer doesn’t seem to have had someone do a thorough security review of the plugins. Certainly the vulnerability here should have been caught during a security review. Or at least it would have been in the reviews we do. We have noted multiple times, when letting them know about problems with fixes, that we offer such reviews, so it isn’t as if they are not aware that security reviews of plugins are something that can be done.

We have advised against using plugins from the developer since July because of continued problems in handling security. Nothing we saw while reviewing this fix has made us think that is less true now.

Proof of Concept

The following proof of concept will black list the specified IP address, when logged in to WordPress as an Administrator.

Replace “[path to WordPress]” with the location of WordPress and [IP address] with the IP address to be blocked.

http://[path to WordPress]/wp-admin/admin.php?page=aiowpsec_brute_force&tab=404-detection&action=blacklist_ip&ip_address=[IP address]
