14 Feb 2018

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Returning to a Fairly Popular Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has again led to us catching a vulnerability in a fairly popular plugin, of a type that hackers are likely to exploit if they know about it. In this case the vulnerability is much worse because it was previously fixed, so some hacker could still be trying to exploit it based on the previous instance of it. Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately).

Back in September we noticed that a PHP object injection vulnerability had been fixed in the plugin Welcart e-Commerce, which has 10,000+ active installations according to wordpress.org (who had discovered the vulnerability wasn’t disclosed). That had been fixed by replacing the usage of unserialize() with json_decode() in version 1.9.4. The relevant line had previously looked like this (in the file /classes/usceshop.class.php):

$values = isset($_COOKIE[$key]) ? unserialize(stripslashes($_COOKIE[$key])) : NULL;

And was replaced with this:

$values = isset($_COOKIE[$key]) ? json_decode(stripslashes($_COOKIE[$key]), true) : NULL;

Then in version 1.9.5 it got changed to:

$values = isset($_COOKIE[$key]) ? usces_unserialize(stripslashes($_COOKIE[$key])) : NULL;

That function usces_unserialize() used there is as follows:

function usces_unserialize( $data ) {
	if( is_serialized( $data ) ) {
		return @unserialize( $data );
	}
	if( is_array( $data ) ) {
		return $data;
	}
	return @json_decode( $data, true );
}

With that, if the value passed to the function is serialized then the value is unserialized. Since PHP object injection involves untrusted serialized data being unserialized, that code allows for PHP object injection again. This can easily be exploited because that code runs when visiting any frontend page of the website.
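For comparison, here is an added example (our illustration, not the plugin's code) of how a wrapper could keep a fallback for old serialized cookies without reopening the hole: the serialized branch refuses to instantiate any class, so an object payload can never reach a __wakeup() or __destruct() gadget. It assumes PHP 7.0 or later for the allowed_classes option, and uses a simplified stand-in for WordPress’s is_serialized() so it runs outside WordPress.

```php
<?php
// Added example, not Welcart's code. Assumes PHP >= 7.0 (allowed_classes option).

// Simplified stand-in for WordPress's is_serialized(), only so this runs stand-alone.
if ( ! function_exists( 'is_serialized' ) ) {
	function is_serialized( $data ) {
		return is_string( $data ) && preg_match( '/^(?:[abdiOs]:|N;)/', $data ) === 1;
	}
}

// Hardened variant of the plugin's usces_unserialize() (hypothetical name).
function usces_unserialize_hardened( $data ) {
	if ( is_array( $data ) ) {
		return $data;
	}
	if ( is_serialized( $data ) ) {
		// Cookie data here is only ever arrays and scalars, so no class is legitimate.
		// With allowed_classes => false any O:... payload is turned into
		// __PHP_Incomplete_Class instead of being instantiated, so no magic
		// method of an attacker-chosen class runs.
		$value = @unserialize( $data, array( 'allowed_classes' => false ) );
		return ( $value === false ) ? null : $value;
	}
	// Normal path since version 1.9.4: cookies are written as JSON.
	return @json_decode( $data, true );
}

// Constructed inputs: a JSON cookie as written by 1.9.4+, and the serialized
// object probe from the proof of concept above.
$json_cookie = '{"qty":2,"sku":"abc"}';
$probe       = 'O:20:"php_object_injection":0:{}';

$legit = usces_unserialize_hardened( $json_cookie );       // decoded to an array
$blocked = usces_unserialize_hardened( $probe );          // __PHP_Incomplete_Class, not php_object_injection

var_dump( is_array( $legit ) );
var_dump( $blocked instanceof __PHP_Incomplete_Class );
var_dump( class_exists( 'php_object_injection', false ) ); // the class was never loaded
```

If backward compatibility with serialized cookies is not actually required, dropping the unserialize() branch entirely (as version 1.9.4 did) is the simpler fix.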

Since the vulnerability could already be being exploited due to the previous instance of it, we are disclosing this without giving the developer a chance to fix it first, since we have a responsibility to warn our customers as soon as possible (we also don’t want to leave others without the ability to know about this, and we don’t want to allow hackers to use our service to become aware of otherwise undisclosed vulnerabilities).

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie "usces_cookie" to O:20:"php_object_injection":0:{} and then when you visit any front end page the message "PHP object injection has occurred." will be shown.

Timeline

  • February 14, 2018 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
