Authenticated PHP Object Injection Vulnerability in Slimstat Analytics
We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for are PHP object injection vulnerabilities since those are likely to be exploited if hackers become aware of them. Through that we came across an authenticated PHP object injection vulnerability in Slimstat Analytics.
The plugin normally only allows users with the “activate_plugins” capability, which would normally only be Administrators, to access the admin pages of the plugin, but in the settings it is possible to change the capability needed or to whitelist other users to be able to access them. There are two categories of pages that lower level users can be permitted access to: reports and settings. Within what is accessible from either of those there has been a PHP object injection vulnerability.
The one available through the settings has been there longer, so let’s take a look at that.
When visiting the “Maintenance” tab of the plugin’s settings the file /admin/config/maintenance.php will be loaded. That file will check for a valid nonce and then can run a specified action:
```php
if ( !function_exists( 'add_action' ) || ( !empty( $_POST ) && !check_admin_referer( 'maintenance_wp_slimstat', 'maintenance_wp_slimstat_nonce' ) ) ) {
	exit( 0 );
}

require_once( dirname( dirname( __FILE__ ) ) . '/view/wp-slimstat-reports.php' );
wp_slimstat_reports::init();

if ( !empty( $_REQUEST[ 'action' ] ) ) {
	switch ( $_REQUEST[ 'action' ] ) {
```
For the “import-settings” action the value of the POST input “import-slimstat-settings” would be passed to the unserialize() function, which permits PHP object injection to occur:
```php
case 'import-settings':
	$new_settings = @unserialize( stripslashes( $_POST[ 'import-slimstat-settings' ] ) );
```
After we notified the developer of the issue they released version 4.7.1 of the plugin, which fixes the vulnerability by replacing the usage of unserialize() with json_decode() (as well as replacing the usage of serialize() elsewhere with json_encode()):
```php
$new_settings = @json_decode( stripslashes( $_POST[ 'import-slimstat-settings' ] ), true );
```
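To show why the swap from unserialize() to json_decode() closes the hole, and what a settings importer should do beyond that, here is an added example written for this post; it is not the plugin's code. The function names (slimstat_import_settings_safe, slimstat_import_legacy_safe) and the allowlist of setting keys are assumptions made for illustration, not Slimstat's real settings schema or API.

```php
<?php
// Added example, not Slimstat's code. Names and the key allowlist below are
// assumptions for illustration only.

// Constructed sample of keys an import may set, with the expected scalar type.
// Not the plugin's real settings schema.
const SLIMSTAT_IMPORT_ALLOWLIST = [
    'is_tracking'         => 'bool',
    'ignore_bots'         => 'bool',
    'track_admin_pages'   => 'bool',
    'capability_can_view' => 'string',
];

/**
 * Decode an import payload without ever instantiating objects.
 * Returns an associative array of allowlisted settings, or null on any error.
 */
function slimstat_import_settings_safe( string $raw ): ?array {
    // The vulnerable pattern from the post (shown for contrast, never called):
    // unserialize() instantiates any class named in the payload and runs its
    // __wakeup()/__destruct(), which is what makes object injection possible.
    // $settings = @unserialize( stripslashes( $raw ) );

    // Mitigation 1 (the fix the developer shipped): JSON has no way to describe
    // a PHP object, so json_decode() can never trigger magic methods. The depth
    // limit and JSON_THROW_ON_ERROR reject malformed or deeply nested input.
    try {
        $decoded = json_decode( stripslashes( $raw ), true, 8, JSON_THROW_ON_ERROR );
    } catch ( JsonException $e ) {
        return null;
    }
    if ( ! is_array( $decoded ) ) {
        return null;
    }

    // Mitigation 2: even valid JSON should only set known keys with the
    // expected type; an untrusted import must not be merged into the options
    // table blindly. Unknown keys and wrongly typed values are dropped.
    $clean = [];
    foreach ( SLIMSTAT_IMPORT_ALLOWLIST as $key => $type ) {
        if ( ! array_key_exists( $key, $decoded ) ) {
            continue;
        }
        $value = $decoded[ $key ];
        if ( $type === 'bool' && is_bool( $value ) ) {
            $clean[ $key ] = $value;
        } elseif ( $type === 'string' && is_string( $value ) ) {
            // Use WordPress' sanitizer when loaded, otherwise a plain fallback
            // so the example also runs from the command line.
            $clean[ $key ] = function_exists( 'sanitize_text_field' )
                ? sanitize_text_field( $value )
                : trim( strip_tags( $value ) );
        }
    }
    return $clean;
}

/**
 * If the old serialized format still has to be accepted (PHP >= 7.0), forbid
 * class instantiation entirely: any object in the payload becomes a
 * __PHP_Incomplete_Class with no magic methods, and only plain arrays pass.
 */
function slimstat_import_legacy_safe( string $raw ): ?array {
    $decoded = @unserialize( stripslashes( $raw ), [ 'allowed_classes' => false ] );
    return is_array( $decoded ) ? $decoded : null;
}

// Command-line demonstration on constructed payloads.
if ( PHP_SAPI === 'cli' ) {
    $payloads = [
        '{"is_tracking":true,"ignore_bots":"yes","unknown":1}', // constructed JSON
        'O:20:"php_object_injection":0:{}',                     // the post's PoC payload
    ];
    foreach ( $payloads as $p ) {
        echo "json path:   "; var_export( slimstat_import_settings_safe( $p ) ); echo "\n";
        echo "legacy path: "; var_export( slimstat_import_legacy_safe( $p ) );  echo "\n";
    }
}
```

Run with `php example.php`: the JSON payload yields only `['is_tracking' => true]` (the string-valued `ignore_bots` and the unknown key are dropped), while the serialized object payload from the proof of concept returns null on both paths, since it is not valid JSON and, under `allowed_classes => false`, never becomes a live object.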
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown, when logged in as a user that can access the plugin’s settings.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[valid nonce]” with the value from the input “maintenance_wp_slimstat_nonce” on the page /wp-admin/admin.php?page=slimconfig&tab=6.
```html
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=slimconfig&tab=6" method="POST">
<input type="hidden" name="action" value="import-settings" />
<input type="hidden" name="maintenance_wp_slimstat_nonce" value="[valid nonce]" />
<input type="hidden" name="import-slimstat-settings" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
Timeline
- August 25, 2017 – Developer notified.
- August 25, 2017 – Developer responds.
- August 29, 2017 – Version 4.7.1 released, which fixes vulnerability.