
Tag: wordpress

Tweet Wheel 0.3 Security Vulnerability

I was looking for a WordPress plugin that would add some Twitter functionality to my website last week. I ran across Tweet Wheel from Nerd Cow (awesome name BTW!).

I personally can’t use a plugin without at least doing a quick inspection of its code, so I took a look and spotted a minor AJAX issue. It is one that wouldn’t even stop me from using the code unfixed in this specific case, because nobody besides me has access to the site.

Props to Thomasz Lisiecki for taking security seriously and getting an updated version out right away, even on such a minor issue. Changelog posted here.

[screenshot: tweetwheel-ajax]

Fortunately, none of the actions are ‘nopriv’, so you at least need a valid WordPress user account to reach the functionality.

[screenshot: tweetwheel-ajaxtweet]

Of all of the actions, this was the worst, and it is pretty minor. The result would just be spamming Twitter with the same tweets over and over. Without further access you can’t even adjust what the tweet says.

Timeline

  • 3/1/2015 11:43am Initial disclosure email sent
  • 3/1/2015 11:46am Reply received
  • 3/4/2015 Plugin updated on wordpress.org

IgnitionDeck 1.1.6 Vulnerability

Yesterday I noticed this tweet from IgnitionDeck:

[screenshot: ignitiontweet]

I’d never heard of them before so I decided to take a quick look at their page and see what code was available to look at. They have several paid plugins but also a free plugin on wordpress.org.

I spent a couple of minutes looking at the code while I was eating breakfast. Right away I noticed a couple of issues and sent off an email. They were quick to respond and within a few hours had released an updated version.

Analysis

One of the first things I search for is AJAX handlers. Developers often forget to verify that the user is actually allowed to perform the action, especially when the page that links to the action sits behind an admin interface that already requires a login.

Here a simple POST lets an unauthenticated user change the active theme.

[screenshot: ignitiontheme]

This one lets an unauthenticated user activate an installed plugin. Right away I thought some directory traversal would be fun, but since the same variable is used for both the directory and the filename it won’t work.

[screenshot: ignitionextension]
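The missing-check pattern behind both handlers above, shown as an added example rather than IgnitionDeck’s code: a WordPress AJAX action that switches the theme with no authorization, next to the same action with the checks it needs. The hook and function names are hypothetical.

```php
<?php
// Added example, not IgnitionDeck's code. Hook and function names are hypothetical.

// VULNERABLE: the 'nopriv' hook exposes the handler to logged-out visitors,
// and nothing verifies who is asking or whether they are allowed to do this.
add_action( 'wp_ajax_nopriv_example_switch_theme', 'example_switch_theme_unsafe' );
add_action( 'wp_ajax_example_switch_theme',        'example_switch_theme_unsafe' );
function example_switch_theme_unsafe() {
    $theme = $_POST['theme'];   // untrusted input used as-is
    switch_theme( $theme );     // any visitor can change the active theme
    wp_send_json_success();
}

// HARDENED: logged-in users only (no 'nopriv' hook), capability check,
// nonce check against CSRF, and the input validated against installed themes.
add_action( 'wp_ajax_example_switch_theme_safe', 'example_switch_theme_safe' );
function example_switch_theme_safe() {
    // Require the same capability WordPress itself demands for this action.
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Dies with a 403 unless the request carries a valid nonce for this user.
    check_ajax_referer( 'example_switch_theme', 'nonce' );

    $slug  = sanitize_key( wp_unslash( $_POST['theme'] ?? '' ) );
    $theme = wp_get_theme( $slug );
    // Only accept a theme that actually exists on this install.
    if ( ! $theme->exists() ) {
        wp_send_json_error( 'unknown theme', 400 );
    }
    switch_theme( $theme->get_stylesheet() );
    wp_send_json_success( $theme->get_stylesheet() );
}

// The admin page that issues the request mints the matching nonce field:
// wp_nonce_field( 'example_switch_theme', 'nonce' );
```

The same two checks (current_user_can() for the right capability and check_ajax_referer()) apply to the plugin-activation handler; a logged-in requirement alone is not authorization.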

Next up, I noticed a function that runs during the ‘init’ action and acts on user input.

[screenshot: ignitionaddmedia]

If ‘create_project’ or ‘edit_project’ is passed as a GET variable or in the HTTP_REFERER, then idc_add_upload_cap is called. This would of course require the user to be logged in.

[screenshot: ignitionuploadcap]

Look at all those fun capabilities we’ve got now. The capabilities are removed again by the idc_remove_upload_cap() call if the variables aren’t passed.

Please developers, trust but verify!

WP All Import Vulnerability

WP All Import

If you use WP All Import or WP All Import Pro you should upgrade immediately to fix several severe vulnerabilities! Check out the WP All Import Vendor Announcement.


Monday February 23rd 2015 started off as a normal day. I was looking into an issue someone was having using WP All Import to import some data into a custom post type (CPT).

I’d never used WP All Import before, so I downloaded a copy from wordpress.org and set it up (very easy BTW). Unfortunately, I was blocked because you need a free version to import CPT. I decided to open up the source to see how it was actually inserting the CPT data; as long as I could see how it was working, I could solve the original issue and go on with my day. After a few minutes of looking at the code, some familiar patterns jumped out at me and I knew I had to investigate further.

As soon as I realized there was something worth reporting, I sent an email to support@wpallimport.com requesting a direct contact email for someone. I didn’t want to release information to an address that auto-posts to a public tracker or, worse, isn’t read at all.

Later that evening I was contacted directly by Louis Reingold requesting some more information. I provided detailed information about the potential vulnerability, and right away he replied saying they would get it fixed ASAP and alert their customers.

I suspect Max, their developer, had a late night working on the issues. After I went to bed, I received two emails through the night and a bounty via PayPal (Thanks! Other vendors take note!).

After a couple of follow-up emails I received an updated version of the code (the Pro version too! I’ll have to remember to check back into that original issue) and noticed almost everything was fixed, but pointed out a bit more that needed fixing.

Versions Affected

  • WP All Import < 3.2.4
  • WP All Import Pro < 4.1.1

Full Disclosure

After sufficient time has been given for WP All Import users to upgrade, I will release more information about these vulnerabilities.

Update: It has been sufficient time; I’ve posted the WP All Import Vulnerability Breakdown.