So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

But claims of 'complete system compromise' are a little extreme

Bsides Manchester A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking.

A security shortcoming within WordPress's PHP framework can be leveraged by logged-in non-admin users to run arbitrary malicious code and commands on the host servers, infosec consultancy Secarma has warned.

The "unserialization" hole in the platform's code can be exploited using a combination of XML external entity (XXE) attacks and server-side request forgery (SSRF). It also requires a vulnerable plugin to be installed on the site.

To make the attack work, a miscreant would need to log in and upload a booby-trapped file to the target application, then trigger a file operation through a crafted file name (that accesses the file through the phar:// stream wrapper), causing the target application to "unserialize" metadata contained in the file. That metadata can contain malicious commands, which are executed as a result of the deserialization.

Unserialization of attacker-controlled data is a known class of vulnerability that can lead to the execution of malicious code, smuggled in with the data, on the host server. German security researcher Stefan Esser first documented the family of flaws 10 years ago.

WordPress was informed of the issue in February 2017 but has yet to take action, according to Secarma. PDF generation library TCPDF is similarly vulnerable. Content management system Typo3 was vulnerable up until early June – before it released updates to protect users.

Research into the vulnerability was presented by Secarma's Sam Thomas at Thursday's BSides cybersecurity conference in Manchester, UK – days after it was unveiled at Black Hat USA in Las Vegas last week. His presentation (video below) was titled It's A PHP Unserialization Vulnerability Jim, But Not As We Know It. The part between the 30 and 38 minutes concentrates on the WordPress issue.

Youtube Video

A white paper, File Operation Induced Unserialization via the phar:// Stream Wrapper (PDF), describes the issue in more depth.

Thomas told El Reg immediately after his Manchester gig that he had reported the serious PHP-related vulnerability in Wordpress through HackerOne – which runs its bug bounty programme – months ago but despite this the vuln had not been properly resolved. El Reg contacted both WordPress and HackerOne for comment.

We have yet to hear back from WordPress. HackerOne confirmed it worked with WordPress but declined to offer anything much beyond that. "Due to our confidentiality obligations to our customers, HackerOne does not comment on customer bug bounty programs," the outfit told El Reg.

Thomas said the WordPress flaw involves a "subtle vulnerability in thumbnail processing which allows an attacker to reach a 'file_exists' call with control of the start of the parameter."

As things stand, the objective scope of the vulnerability, and how easy it might be to exploit is unclear. Thomas's presentation contained a number of caveats omitted from Secarma's press release about the presentation, which boldly claimed the flaw left "30 per cent of the world's top 1,000 websites vulnerable to hacking and data breaches."

Crucially, an attacker would need a suitable account, be able to upload images or other files, and the site would need a vulnerable plugin installed before malicious commands could be injected, for example. To pull off a complete host system compromise, further vulnerabilities would likely need to be exploited to escalate the intruder's privileges.

After careful analysis and a review of available material, El Reg's security desk has concluded claims of a "massive WordPress vulnerability" are a load of tribble's testicles.

There's an issue here, but the premise that millions of websites are at risk of complete system compromise above and beyond the general widely known risk of running WordPress hasn't been substantiated by Secarma, a security business owned by hosting outfit UKFast.

WordPress hasn't issued a patch, and we have no information about mitigation from the CMS vendor to go on either. During his presentation Thomas said that the "issue is only exposed to authenticated users... they are certainly not supposed to be able to execute [code]."

In the absence of a fix, WordPress users need to be careful about new accounts that are author level and above, Thomas advised. These accounts should be locked down because the now-public hacking technique can be used to elevate privileges to admin. "Ultimately it's an issue within PHP," Thomas said, adding during a Twitter exchange that "the issue works against the default configuration of WordPress and PHP, [as far as I know] it is not dependent on network or system setup."

Chinese researcher Orange Tsai had discovered the same problem, Thomas acknowledged during his Manchester presentation.

WordPress is widely used by bloggers, news outlets and all manner of businesses as a content management system. It's no stranger to security problems of one sort or another, to put it mildly. ®




Biting the hand that feeds IT © 1998–2018