Login

Tag Archives: Information Disclosure

22 Sep 2017

PHP Object Injection Vulnerability in DS.DownloadList

For the second time through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities we have found a vulnerability not just as it is added to a plugin, but as the plugin was introduced into the Plugin Directory.

There is a manual review done of plugins before they are approved for the Plugin Directory and that appears to be intended to involve some check of the security of the plugins as it is stated that: [Read more]

26 Jun 2017

Information Disclosure Vulnerability in UpiCRM

When it comes to areas where there is lot of room for better security in WordPress plugins, two that come to mind are the security of plugins that handle business related task and the security of personal information stored in plugins. Those came together in a vulnerability we happened to run run across in the plugin UpiCRM while looking into the possibility of a different vulnerability.

The plugin features the ability export lead information (names, email addresses, phone numbers, etc) to a file. When that occurs the file is saved to the directory /wp-content/uploads/upicrm/ with the name leads.csv or leads.xlsx depending on the format requested. Access to files in the directory is not restricted, so anyone can later request the files at that location and will be served them if an export was previously done that generated them. [Read more]

8 Jun 2017

Information Disclosure Vulnerability in Save Contact Form 7

While looking into a recent security fix for a SQL injection vulnerability in version 2.0 of the plugin Save Contact Form 7 we noticed a much larger issue in the relevant code, all the contact form submissions saved by the plugin are publicly accessible.

Normally the submissions saved by the plugin are viewed through the plugin’s admin page which is only accessible to those logged in to WordPress with as a user with the “manage_options” capability, which normally only Administrator level users have. The submissions shown to those users are served through an AJAX request, but the handling of AJAX request is configured to allow those not even logged in to access it (in the file /save-contact-form-7.php): [Read more]

31 Mar 2017

Information Disclosure Vulnerability in Easy Digital Downloads

One of the features of our service is that our customers get to suggest and vote for plugins to get a security review done by us. Last month we did a review of the plugin Easy Digital Downloads and one of the issues we found through that was an information disclosure vulnerability.

The function edd_ajax_get_download_title in the file /includes/ajax-functions.php is accessible via AJAX by those logged in and out, despite stating that it is “used only in WordPress Admin”. The function is intended to return the title of the plugin’s downloads, but as can be seen below it lacks any restriction as to what it will return the tile of: [Read more]

19 Jan 2017

Vulnerability Details: Information Disclosure Vulnerability in W3 Total Cache

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

[Read more]

2 Jan 2017

Information Disclosure Vulnerability in Pike Firewall

In our testing of WordPress security plugins to see what, if any, protection they provide against the exploitation of actual vulnerabilities in other plugins the results haven’t been good so far. Most of the plugins tested haven’t provided any protection against those vulnerabilities. That hasn’t really surprised us, as much of what these plugins do doesn’t have any impact on what hackers actually try to do. One example is that many of these plugins check if you have change the database prefix to something other than the default “wp_”, but knowing the database prefix is rarely needed for vulnerabilities we see being exploited. If knowing the database prefix was a big deal then the vulnerability we recently found in a security plugin would be a big deal, as the vulnerability exposes that.

While doing a few quick security checks over the plugin Pike Firewall we noticed that it has the capability to log login attempts. We and others have found that capability in plugins has introduced security vulnerabilities into plugins due to improper handling of user input that comes through that. One of things that has been an issue with other plugins is that malicious JavaScript code placed in the HTTP header field X-Forwarded-For will get displayed on the plugin’s pages unsanitized or unescaped leading to cross-site scripting (XSS). In this case we found it caused another issue when tried logging in with it set to malicious code we got this error: [Read more]

11 May 2016

Information Disclosure Vulnerability in Yoast SEO

Recently the security company Wordfence released an advisory for the Yoast SEO plugin for what seems to be a rather minor issue. Logged in users could access several functions of Yoast SEO that they were not normally intended to have access to, including exporting the plugin’s settings. While reviewing that to include in to our service’s data we noticed that the related to this there was also a problem with cross-site request forgery (CSRF) protection in the export function of the plugin.

The fact the plugin now restricts the export function to Administrator level users (by restricting it to user who can manage_options) and there was supposed to be CSRF protection for it would indicate the result of that export should not be available to public. Though in normal circumstances it doesn’t look like sensitive data so the publics access to it seems to not to be a major issue at this point, but that could change, so making sure it is not easily accessible to the public seems like a good idea. Currently that isn’t the case. [Read more]

4 Mar 2016

Information Disclosure Vulnerability in WP Ultimate Exporter

There are certain kind of plugins you would hope that anyone developing one would be very careful when doing so, one of those being a plugin that allows you to export non-public data from WordPress. That unfortunately isn’t always case, as the following vulnerability shows (and another vulnerability we will release the details of on a later date).

WP Ultimate Exporter is a plugin that allows you to export posts, pages, and custom posts as CSV files. While reviewing a report of a SQL injection vulnerability in the plugin we noticed that there was another connected issue, the plugin allows anyone to perform an export operation and get the resulting file. That clearly is not the intent as the plugin’s page in the WordPress admin area is only available to users with the Admin role. Unfortunately none of the code run when the actual request for an export is made actually checks to make sure that the request comes from an admin user. [Read more]