PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)
In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one that we couldn’t see where it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It also is yet another reminder we really need to review the security of the plugins that we use since there would be multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.
The plugin contains a function that makes a request to the domain name yarpp.org to check if there is a new version of the plugin available. The problem is that code introduces a PHP object injection that could be exploited by someone that controlled that domain, which would be much easier to accomplish if the domain name isn’t renewed by the plugin’s developer. The relevant portion of the function, which is located in the file /classes/YARPP_Core.php, is as follows:
1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 | public function version_info($enforce_cache = false) { if (!$enforce_cache && false !== ($result = $this->get_transient('yarpp_version_info'))) return $result; $version = YARPP_VERSION; $remote = wp_remote_post("http://yarpp.org/checkversion.php?format=php&version={$version}"); if (is_wp_error($remote) || wp_remote_retrieve_response_code($remote) != 200 || !isset($remote['body'])){ $this->set_transient('yarpp_version_info', null, 60*60); return false; } if ($result = @unserialize($remote['body'])) $this->set_transient('yarpp_version_info', $result, 60*60*24); |
That takes the page returned for the address http://yarpp.org/checkversion.php?format=php&version={$version} and runs it through unserialize(), which permits PHP object injection. Interestingly the comment right above the code indicates (accurately) that the code was previously handled in a different way, which avoided this vulnerability and then was switched to the insecure method now used.
That function would run when visiting the plugin’s settings page.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, change the plugin’s code so that instead of requesting “http://yarpp.org/checkversion.php?format=php&version={$version}” it requests a page with ‘O:20:”php_object_injection”:0:{}’ as it contents and then when visiting the settings page for the plugin a message “PHP object injection has occurred.” will be shown.