Authenticated Information Disclosure Vulnerability in Simple History
One of the things we do to keep track of which vulnerabilities are being discovered in WordPress plugins is to monitor the WordPress support forums for threads related to plugin vulnerabilities. In addition to picking up the type of information we are looking for, we see an assortment of threads about security issues. One we saw recently involved someone requesting that WordPress include the ability to log user activity; a “Support Representative” pointed them to a couple of plugins that do that. In response, the original poster mentioned they were concerned about the additional security risk of the plugins:
I’ve been told by our web developer that keeping plugins to a minimum is the smartest route security-wise. Since these are not official WordPress plugins and don’t have very many ratings, would it increase or decrease the security of my websites to install one of them?
What we found interesting about this was that both of the logging plugins that had been mentioned were ones we had recently found minor security issues with, so the potential for them to introduce an additional security risk was not hypothetical. That doesn’t mean you shouldn’t use logging plugins or other plugins, but it is a reminder that even plugins with a security purpose can introduce security risks.
Those two plugins were not the only logging plugins we have found security issues with, and we have now found another one that contained a security issue.
One frequent source of security issues being discovered these days is a lack of proper restriction on who can access functions that are made accessible through WordPress’ AJAX functionality. By default those functions are accessible to anyone who is logged in to WordPress, even though the functions are often intended to be accessible only to high-level users. For many websites where there is only a single Administrator account or a small number of trusted users, these vulnerabilities don’t pose a risk, but for plugins that are intended to be used in environments where that isn’t the case it is more of a concern. That brings us to one such plugin, Simple History, which logs user activity.
In looking over that plugin we found that in the then-current version, 2.7.4, a number of functions were available to anyone who is logged in. That included the function api(), which returns the data displayed on the plugin’s page, so anyone who is logged in could see everything that is logged. (Update 8/9/2016: While this function is accessible to anyone who is logged in, there is actually a restriction in place elsewhere in the code that prevents unauthorized access to data through it.) It also included the function ajax_simple_history_filters_search_user(), which, along with providing what was logged for a specified user, also displays some of the user’s details, including their email address.
After we notified the developer of the issue, version 2.7.5 was released that fixes the issue by adding a capability check to relevant functions:
// user must have list_users capability (default super admin + administrators have this)
if ( ! current_user_can( "list_users" ) ) {
    wp_send_json_error();
}
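To show the pattern behind this fix, here is an added example of a minimal WordPress plugin; it is not code from Simple History or its developer. The handler names (example_user_search_unchecked, example_user_search), the nonce action string and the query parameters are hypothetical. It places an AJAX handler that anyone logged in can reach next to the same handler gated the way version 2.7.5 does, with a capability check, plus a nonce check so the request cannot be driven cross-site.

```php
<?php
/*
 * Added example, not code from the Simple History plugin.
 * Names below (example_user_search_unchecked, example_user_search,
 * the 'example_user_search' nonce action) are hypothetical.
 */

// Shared lookup used by both handlers: search users by login/email fragment.
// get_users() with 'search' and 'number' is core WordPress API.
function example_lookup_users( $q ) {
    $users = get_users( array( 'search' => '*' . $q . '*', 'number' => 10 ) );
    $out   = array();
    foreach ( $users as $u ) {
        // Email addresses are exactly the kind of detail the post describes leaking.
        $out[] = array( 'login' => $u->user_login, 'email' => $u->user_email );
    }
    return $out;
}

// --- Vulnerable pattern --------------------------------------------------
// Registering on the wp_ajax_ hook makes the function callable by ANY
// logged-in user (subscribers included) through wp-admin/admin-ajax.php,
// because WordPress itself performs no capability check for AJAX actions.
add_action( 'wp_ajax_example_user_search_unchecked', 'example_user_search_unchecked' );

function example_user_search_unchecked() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // No capability check: every account on the site can read other users' emails.
    wp_send_json_success( example_lookup_users( $q ) );
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_example_user_search', 'example_user_search' );

function example_user_search() {
    // Nonce check first: the calling page must have been issued the token via
    // wp_create_nonce( 'example_user_search' ) and sent it as the 'nonce' parameter.
    // check_ajax_referer() terminates the request with -1 if it does not match.
    check_ajax_referer( 'example_user_search', 'nonce' );

    // Capability check, as in the 2.7.5 fix: only users who may list users
    // (Administrators by default) get through. Roles are never compared
    // directly; the capability is what carries across custom role setups.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    wp_send_json_success( example_lookup_users( $q ) );
}

// Deliberately not registered: a wp_ajax_nopriv_example_user_search hook would
// expose the handler to visitors who are not logged in at all.
```

The two checks are independent and both belong in the handler: the capability check decides who may read the data, while the nonce check ensures the request was made from a page the site issued rather than from a third-party page the user happened to visit. When reviewing a plugin, every `add_action( 'wp_ajax_...' )` registration is a place to confirm that the handler it names opens with checks like these.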
As reminder that you can’t rely on a plugin’s changelog to tell you whether a security issue has been fixed, the changelog entry for 2.7.5 makes no mention of any included security fix:
- User logins using e-mail are now logged correctly. Previously the user would be logged in successfully but the log said that they failed.
- Now only users with list_users capability can view the users filter and use the autocomplete api for users.
- Add labels to search filters. (I do really hate label-less forms so it’s kinda very strange that this was not in place before.)
- Misc other internal fixes
Proof of Concept
The following proof of concept will display a user’s details, including their email address.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[username]” with the username of the user whose details you want to see.
http://[path to WordPress]/wp-admin/admin-ajax.php?q=[username]&page_limit=10&action=simple_history_filters_search_user
Timeline
- 7/28/2016 – Developer notified.
- 7/30/2016 – Developer responds.
- 8/3/2016 – Version 2.7.5 released, which fixes issue.