25 Jul 2017

Vulnerability Details: PHP Object Injection Vulnerability in SiteBuilder Dynamic Components

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving the detection of this type of vulnerability in our new proactive monitoring of changes to WordPress plugins, and that seemed like a good time to document them.


25 Jul 2017

Vulnerability Details: PHP Object Injection Vulnerability in My Geo Posts Free

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving the detection of this type of vulnerability in our new proactive monitoring of changes to WordPress plugins, and that seemed like a good time to document them.


25 Jul 2017

Vulnerability Details: PHP Object Injection Vulnerability in Gravitate QA Tracker

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving the detection of this type of vulnerability in our new proactive monitoring of changes to WordPress plugins, and that seemed like a good time to document them.


24 Jul 2017

Vulnerability Details: PHP Object Injection Vulnerability in NextGEN Gallery geo

A month ago we discussed the web hosting company Pagely’s discovery of a number of PHP object injection vulnerabilities in WordPress plugins. For some reason the unfixed ones have remained in the WordPress Plugin Directory despite being reported to the people running it. We recently took a closer look at those vulnerabilities while improving the detection of this type of vulnerability in our new proactive monitoring of changes to WordPress plugins, and that seemed like a good time to document them as well.


24 Jul 2017

WordPress Plugin for Use in Testing for PHP Object Injection

Last month we introduced something new to our service: we are proactively monitoring changes to WordPress plugins to see if they include some easy-to-spot vulnerabilities. We currently restrict that to the most serious vulnerabilities due to the amount of time it takes to do even that (if we had more customers we could justify expanding it further). One of the types of vulnerability we are monitoring for is PHP object injection, as that is something we have seen hackers exploiting on a fairly wide scale in the past. That has led to us reviewing more possible instances of that type of vulnerability, which in turn led to us coming up with a simpler method to test whether there is in fact an exploitable vulnerability. Seeing as this type of vulnerability looks to be under-noticed and our solution is so simple, we decided to share it.

The first part is a plugin, which can be downloaded here and then installed in the root plugin directory, /wp-content/plugins/.
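As an added illustration of the approach described above (this is not the plugin from the post; the class name, the log message and the file layout are assumptions), a minimal plugin that defines a class whose magic methods record when an instance of it is unserialized, together with the serialized string to submit:

```php
<?php
/*
Plugin Name: PHP Object Injection Test Marker (added example)
Description: Defines a class whose magic methods log when an instance of it is unserialized.
*/

// Assumed layout: this file lives directly in wp-content/plugins/, so WordPress
// includes it on every request and the class is defined before any other plugin
// code calls unserialize() on attacker-controlled input. If the class were not
// loaded, unserialize() would yield a __PHP_Incomplete_Class and nothing fires.
class POI_Test_Marker {

    // Runs as soon as unserialize() has rebuilt the object, before the code that
    // called unserialize() gets a chance to inspect or discard the result.
    public function __wakeup() {
        self::record( '__wakeup' );
    }

    // Runs when the object is released, normally at the end of the request.
    public function __destruct() {
        self::record( '__destruct' );
    }

    private static function record( $method ) {
        // Log instead of echoing: output is often lost to redirects or wrapped by
        // admin-ajax.php, while a line in the PHP error log survives regardless.
        $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(no request uri)';
        error_log( 'POI test marker: ' . $method . ' fired during ' . $uri );
    }
}

// The serialized string to submit in the suspected input (cookie, POST field,
// query parameter). Built by hand rather than via serialize( new ... ) so that
// generating it does not itself fire __destruct() and muddy the log.
function poi_test_payload() {
    $class = 'POI_Test_Marker';
    return 'O:' . strlen( $class ) . ':"' . $class . '":0:{}';   // O:15:"POI_Test_Marker":0:{}
}
```

Submit the output of poi_test_payload() in the input you suspect is passed to unserialize() and watch the PHP error log. A "__wakeup fired" line proves that attacker-controlled data reaches unserialize() with plugin classes loaded, which is the condition an attacker needs; it does not by itself prove that a usable gadget chain exists on that particular site. Two things can mask a real issue: WordPress adds slashes to request data, so if the plugin does not call stripslashes() or wp_unslash() first, the quotes in the payload arrive escaped and unserialize() fails; and on PHP 7.0 or later, code that calls unserialize() with the allowed_classes option set to false produces a __PHP_Incomplete_Class instead of a POI_Test_Marker, so the marker will not fire there.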

9 Jan 2017

Vulnerability Details: PHP Object Injection Vulnerability in Post Grid

Back in November we were contacted about a PHP object injection vulnerability in the plugin Post Grid that the person who contacted us had seen exploited. We didn’t include it in our data at the time since they said they were waiting on the “developer to respond etc.” before disclosing it. While looking into that vulnerability we discovered a file deletion vulnerability in the plugin, which impacted all the versions that also had the PHP object injection vulnerability, so anyone using our service or the free data that comes with its companion plugin would have been notified that they were using a vulnerable plugin at the time.

Recently the issue of the vulnerability came up again and we noticed that it still hadn’t been disclosed. Seeing as it has now been two months since it was fixed, we will go ahead with the disclosure.

15 Dec 2016

PHP Object Injection Vulnerability in Backup & Restore Dropbox

Last Friday we had a pair of requests on one of our websites for a file from the plugin Backup & Restore Dropbox, /wp-content/plugins/dropbox-backup/template/css/tool-bar.css. Seeing as we have never had that plugin installed, that request was likely a hacker probing for usage of the plugin. We quickly found an issue with the plugin’s handling of functions made available through WordPress’ AJAX functionality and notified the developer of the plugin of that issue and that it looked like hackers were targeting the plugin.

We haven’t heard back from them, but in the meantime we saw what looked to be probing for usage of one of their other plugins, Stats Counter. In looking over that we quickly found a PHP object injection vulnerability and realized that the same issue was probably what the hacker was targeting in this plugin. The vulnerability in this plugin involves substantially similar code, but let’s go through it anyway.
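The kind of code the two posts describe, as an added illustration that is not taken from either plugin: an AJAX handler registered for unauthenticated users that passes request data straight to unserialize(), next to a hardened version. The action slug, parameter name, option name and nonce name are all assumptions.

```php
<?php
// Illustrative only: 'example_save_settings', 'settings', 'example_settings' and
// the nonce action are made-up names, not identifiers from Backup & Restore
// Dropbox or Stats Counter.

// VULNERABLE PATTERN. Two problems compound each other:
//  1. the wp_ajax_nopriv_ hook makes the handler reachable by anyone who can
//     request /wp-admin/admin-ajax.php?action=example_save_settings, and
//  2. raw request data goes straight into unserialize(), so a serialized object
//     of any class loaded at that point is instantiated and its magic methods
//     (__wakeup, __destruct, __toString, ...) run with attacker-chosen properties.
function example_save_settings_vulnerable() {
    $settings = unserialize( stripslashes( $_POST['settings'] ) );
    update_option( 'example_settings', $settings );
    wp_die();
}
// Left unregistered so both versions can sit in one file; a vulnerable plugin
// would register the handler on both hooks like this:
// add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

// HARDENED VERSION: logged-in callers only (no nopriv hook), a nonce and a
// capability check, and JSON instead of PHP's serialization format for the
// payload, which takes unserialize() out of the request path entirely.
function example_save_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = json_decode( $raw, true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'settings must be a JSON object', 400 );
    }
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// If serialized input must still be accepted (for example to migrate data that
// was stored in that format), refuse objects outright. The allowed_classes option
// exists from PHP 7.0 on; on PHP 5 unserialize() takes a single argument, so this
// helper must not be used there.
function example_unserialize_no_objects( $raw ) {
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $value ) ? $value : array();
}
```

The nopriv registration is what turns a serialization bug into something a hacker can probe for without credentials, which is why the probing requests for plugin CSS files described above are worth watching for: they tell the attacker the plugin is installed before any exploit request is sent.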

15 Dec 2016

PHP Object Injection Vulnerability in Stats Counter

Today on one of our websites we had a request for a file from the plugin Stats Counter, /wp-content/plugins/stats-counter/template/css/counter_style.css. Seeing as we have never had that plugin installed, that type of request would usually be an indication that a hacker is probing for usage of the plugin. When we started investigating what vulnerability a hacker might be interested in targeting in it, we first noticed that the plugin had been removed from the Plugin Directory. That could be an indication that someone reported a vulnerability in the current version of the plugin to the Plugin Directory, or it could have been removed for some other reason; unfortunately the Plugin Directory doesn’t explain why something has been removed. The second thing we noticed was that the plugin was from the developer of the Backup & Restore Dropbox plugin, which we noticed apparent hacker probing for on Friday and had notified them of one security issue in shortly afterwards (we have yet to hear back from them and the vulnerability has not been fixed).

We then started looking over the Stats Counter plugin and found a vulnerability hackers might be interested in targeting, something that also exists in the Backup & Restore Dropbox plugin, but which we had not properly identified as the likely vulnerability being targeted in that plugin until now.

15 Nov 2016

Vulnerability Details: PHP Object Injection Vulnerability in Google Analytics Counter Tracker

From time to time vulnerabilities are fixed in a plugin without anyone putting out a report on the vulnerability, and we will put out a post detailing it. While publishing the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

Something we are going to discuss in an upcoming post is the issue of WordPress plugins that have been removed from the Plugin Directory not being returned to it in a timely manner once a fix for the vulnerability has been submitted. During the delay, websites using the plugin remain vulnerable even though a fixed version exists, because it is not available to update to, so improving the process of reviewing those changes and getting the plugin back into the Plugin Directory could improve security. In the meantime we have run into an instance where it looks like hackers might be trying to exploit a vulnerability that has been at least partially fixed, but the plugin remains out of the Plugin Directory.