14 Nov 2018

Full Disclosure of CSRF/PHP Object Injection Vulnerability in WordPress Theme with 70,000+ Installs

With our service we cover WordPress plugins (as you might guess from our name), but not WordPress themes. There are a number of reasons for that, including the dearth of vulnerabilities being disclosed in themes, which seems to be related to the limited amount of potentially vulnerable code in them, even though they can contain all the same types of issues as plugins. We got a reminder of that when we ran some of the most popular themes in the WordPress Theme Directory through the checks we apply to changes being made to plugins as part of our proactive monitoring (which tries to catch serious vulnerabilities before they are exploited) and a few other checks. The proactive monitoring checks didn’t turn up anything, but one of the other checks brought up the fact that the theme Hueman, which has 70,000+ active installs according to wordpress.org, bundles the plugin OptionTree.

Last week we disclosed that OptionTree contains an authenticated PHP object injection vulnerability, after noticing its usage in another plugin. With the theme Hueman the situation is somewhat worse, since it isn’t even using the latest version of OptionTree, which means it is also still vulnerable to a vulnerability discovered by Kacper Szurek that was fixed over two years ago. [Read more]

25 Oct 2018

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin With 50,000+ Active Installs

One of the things we have found while looking at the results of our automated tool for identifying possible security issues in WordPress plugins, the Plugin Security Checker, is that the minor possible vulnerabilities it can identify are often good indications of broader security problems in a plugin. That is the case with the plugin Give, which has 50,000+ active installations according to wordpress.org.

While looking over the 1,000 most popular WordPress plugins using some checks from the Plugin Security Checker, we were alerted to a possible issue with this plugin. Unrelated usage of serialization in the code we were looking at then led us to check whether there might be any PHP object injection vulnerabilities in the plugin, which, unlike the issue originally identified, are fairly likely to be exploited. That quickly led to us identifying one that can be exploited by anyone logged in to WordPress or through cross-site request forgery (CSRF). [Read more]

10 Aug 2018

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability in a Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated PHP object injection vulnerability we found in a brand new plugin, Woocommerce Aliexpress Dropshipping Lite. This vulnerability could allow an attacker with access to a WordPress account to exploit a PHP object injection vulnerability. It could also be exploited by an attacker who could get a user logged in to WordPress to visit a URL the attacker controls.

Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another reminder of how that tool can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately). [Read more]

27 Apr 2018

Our Proactive Monitoring Caught a Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in WP Docs

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website, but could be utilized in a targeted attack. That happened with the cross-site request forgery (CSRF)/PHP object injection vulnerability we found in the plugin WP Docs. This vulnerability could have allowed an attacker to exploit a PHP object injection vulnerability by getting a logged-in Administrator to visit a URL the attacker controls.

What led us to that was the possibility of a file upload vulnerability in the plugin, but before we got to the code for that we noticed that a PHP object injection would occur first, in a way that we haven’t seen before, so we focused on that. [Read more]

12 Mar 2018

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability in bbPress Move Topics

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a more limited variant of one of those serious vulnerability types, which isn’t as much of a concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated PHP object injection vulnerability we found in the plugin bbPress Move Topics. This vulnerability could have allowed an attacker with access to a WordPress account of Contributor level or above to exploit a PHP object injection vulnerability. It could also have been exploited by an attacker who could get a user logged in with a Contributor-level or higher account to visit a URL the attacker controls.

Since the check used to spot this is also included in our Plugin Security Checker (which is now accessible through a WordPress plugin of its own), it is another reminder of how that tool can help to indicate which plugins are in greater need of a security review (which we do as part of our service as well as separately). [Read more]

6 Oct 2017

Authenticated PHP Object Injection Vulnerability in Event List

Since June we have been proactively monitoring changes made to plugins to try to catch serious vulnerabilities. So far that has led to identifying existing vulnerabilities, newly introduced vulnerabilities, newly introduced vulnerabilities in brand new plugins, and vulnerabilities being fixed. For the first time it has led to us identifying a vulnerability in a plugin that has been removed from the Plugin Directory. It appears the plugin has been through at least one review by the Plugin Directory team, which doesn’t look to have caught this vulnerability. That in itself is not a major concern, but the fact that there doesn’t appear to be any publicly available information on the review process, which others could review and then suggest improvements to, is more of a concern.

There clearly is room for improvement in the review process, as we have found that reviews have failed to make sure that the vulnerabilities that caused plugins to be removed have been fixed, even when they may already be being exploited, and also that the handling of those reviews has caused some developers to abandon plugins or abandon having their plugin in the Plugin Directory. The latter happened with the very popular Contact Form DB plugin and led to a lot of websites being less secure. [Read more]

25 Sep 2017

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Shoppable Images Lite

Back in June we introduced a new feature to our service where we try to proactively catch some serious vulnerabilities in WordPress plugins. The original idea was to catch vulnerabilities as they are newly introduced into a plugin, but when we started working on that we realized it would also catch existing vulnerabilities if they were in code being changed in a plugin. At the end of August, for the first time we caught a serious vulnerability as it was introduced into a plugin. For the second instance of that, which happened the next week, not only did we catch a vulnerability as it was introduced, but it was in the first version of the plugin. That should be a good reminder that the review done before a plugin is allowed into the Plugin Directory does not ensure that the plugin is secure at the time it is introduced.

The vulnerability is a cross-site request forgery (CSRF)/PHP object injection vulnerability in the plugin Shoppable Images Lite. [Read more]

8 Sep 2017

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in BackupBuddy

Back in June we introduced a new feature to the service where we proactively monitor changes made to plugins to try to catch serious vulnerabilities. To do that we first identify possibly vulnerable code by running a series of regular expressions over the changes being made to plugins in the Plugin Directory, and then we manually check over any results that we haven’t previously reviewed. We have recently been seeing whether doing that with the plugins installed on websites we are doing hack cleanups of would be useful. Through that we found a cross-site request forgery (CSRF)/PHP object injection vulnerability in BackupBuddy, which is exploitable in multisite-based WordPress installs.

The plugin features a beta multisite feature, which currently can be turned on by adding a line to the WordPress configuration file: [Read more]

6 Sep 2017

Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerability in Ginger – EU Cookie Law

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection, since those are likely to be exploited if hackers become aware of them. Through that we came across a cross-site request forgery (CSRF)/PHP object injection vulnerability in the plugin Ginger – EU Cookie Law.

This vulnerability is a good example of the work that goes into that monitoring. While the first step is automated checking for possible vulnerabilities, we then need to review the code to see if it is in fact vulnerable, and small differences can make all the difference in that regard. In this case, before getting to the code potentially vulnerable to PHP object injection there is a nonce check, which is intended to prevent cross-site request forgery (CSRF) and, depending on who had access to the nonce, would also mean there isn’t a vulnerability at all. A close look at the code shows that the nonce check is easily bypassed, as it only happens if the POST input “submit” is included with the request (in the file /index.php): [Read more]
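To make the bypass concrete, here is an added example (not code from the Ginger – EU Cookie Law plugin or from any of the posts above) showing the pattern in a hypothetical settings handler, alongside a hardened version. The function names cookie_banner_save_settings_vulnerable and cookie_banner_save_settings_fixed, the option name cookie_banner_settings, the nonce action, the gadget class Cookie_Banner_Log and the payload string are all assumptions made for the illustration; the WordPress functions used (check_admin_referer, current_user_can, wp_unslash, sanitize_text_field, update_option, wp_die) are real WordPress API, and the handlers assume they run inside WordPress.

```php
<?php
// Added illustrative example, not the plugin's code. Names of the
// functions, option, nonce action and gadget class are hypothetical.

// A class whose magic method does something dangerous when an object is
// rebuilt by unserialize(). In a real attack the gadget comes from code
// already loaded by WordPress, another plugin or the theme; this one is
// constructed for the demo.
class Cookie_Banner_Log {
    public $path = '';
    public $data = '';
    public function __destruct() {
        // Runs when the unserialized object is discarded.
        file_put_contents( $this->path, $this->data );
    }
}

/* --- Vulnerable handler: the pattern the post describes --- */
function cookie_banner_save_settings_vulnerable() {
    // The nonce is only verified when 'submit' is part of the request, so a
    // request that omits 'submit' skips the check entirely. That removes the
    // CSRF protection, and because unserialize() follows, the result is a
    // PHP object injection reachable through CSRF.
    if ( isset( $_POST['submit'] ) ) {
        check_admin_referer( 'cookie_banner_settings' );
    }
    if ( isset( $_POST['settings'] ) ) {
        $settings = unserialize( stripslashes( $_POST['settings'] ) );
        update_option( 'cookie_banner_settings', $settings );
    }
}

/* --- Hardened handler --- */
function cookie_banner_save_settings_fixed() {
    // Capability check first: only users allowed to manage options may
    // reach the rest of the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce verification is unconditional, so every request path is covered.
    // check_admin_referer() dies if the nonce is missing or invalid.
    check_admin_referer( 'cookie_banner_settings' );

    if ( ! isset( $_POST['settings'] ) ) {
        return;
    }
    // Never unserialize() request data. Accept JSON instead and validate
    // each field to its expected type before storing it.
    $decoded = json_decode( wp_unslash( $_POST['settings'] ), true );
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Invalid settings.' );
    }
    $settings = array(
        'enabled' => ! empty( $decoded['enabled'] ),
        'message' => isset( $decoded['message'] )
            ? sanitize_text_field( $decoded['message'] )
            : '',
    );
    update_option( 'cookie_banner_settings', $settings );
}

/* Payload an attacker would place in the 'settings' POST field (constructed
   for the demo): a serialized Cookie_Banner_Log object. Written as a literal
   so that no object is created, and no __destruct() fires, in this script. */
$payload = 'O:17:"Cookie_Banner_Log":2:{s:4:"path";s:21:"/tmp/poc-injected.txt";s:4:"data";s:3:"pwn";}';
```

The payload is sent in a POST request with no submit field; in the vulnerable handler the nonce is never checked, unserialize() rebuilds the Cookie_Banner_Log object, and its __destruct() runs when the object is discarded, writing attacker-chosen content to the attacker-chosen path. If serialized input really must be accepted, pass array( 'allowed_classes' => false ) as the second argument to unserialize() (PHP 7.0+) so that objects come back as __PHP_Incomplete_Class rather than live gadgets; the capability and nonce checks must still be unconditional, since allowed_classes addresses only the object injection and not the CSRF.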