WP All Import 3.2.3 (Pro 4.0.3) Vulnerability Breakdown

The continuing saga of the WP All Import Vulnerability

I wanted to give enough time for everyone to update before releasing more information about this vulnerability. According to the newly updated WordPress plugin repository, the WP All Import free version has 20,000+ active installs. The code is out there so anyone would be able to figure out what the big deal is.  I won’t distribute my exploit code, so please stop asking!

I will be referencing version 3.2.3 of the free plugin in this post, if you are looking at the paid version the line numbers and filenames might be different.

There were two distinct vulnerabilities for getting access to the plugin and they have been exploited time and time again so I won’t spend time covering them.

First off are ajax requests that don’t verify the user has permissions, in this case they are not the ‘ajax_nopriv’ type so you at least need to have an account on the system to use them, but even the lowest account would work.

The second type is assuming that the ‘admin_init’ action only happens for admins. Which isn’t the case, it is called for any action that starts up the admin interface. Which could be the user profile editor or the AJAX interface.
admininit1

“If this isn’t Nice, What Is?”

So now that we’re behind enemy lines without permission, what can we do?

  • Retrieve any file on the system that ends in .txt
  • Retrieve any file on the system that ends in .html
  • Retrieve any value from the postmeta table
  • Upload arbitrary files to system

Once I have the keys to the kingdom I stop looking for unlocked windows.  There were likely other things you could do, but once you’ve got full access to the system who cares?

“Trust thyself only, and another shall not betray thee”

admininit2
The helpful function $input->getpost(‘page’, ”)) here takes the ‘page’ variable from a HTTP POST and sticks it in $page. If page starts with ‘pmxi_’ then we keep on rolling and set $action to HTTP POST ‘action’.

admininit3Now we’re cooking.  We can arbitrarily call any class that is an instanceof PMXI_Controller_Admin and starts with ‘pmxi_’ (there are 8 of them).

Find your favorite function and work with it, I’m sure you will find something fun.  When you find one that lets you transfer a file into uploads you’re starting to see the light at the end of the tunnel.

Of course, someone was trying to keep people from guessing the location (or maybe just trying to keep from overwriting previous uploads). So there is a function to return a ‘secure’ directory/file.

securefileLooks good, right? Just last week Securi wrote an advisory about another plugin that used md5( time() ) to generate a ‘secret’ key. In this case the naming happens at time of upload and the HTTP Protocol happily returns a timestamp, so you have a pretty small window to search for the ‘secret’ directory.

“You keep using that word. I do not think it means what you think it means.”

So we’ve now managed to upload a file to a ‘secret’ directory. In my experience most systems will happily execute php code from the ‘wp-content/uploads’ directory, so now we can run whatever code we want. My example just ran phpinfo() and exited, but I don’t think the next guy will be quite as nice.

Lessons Learned

  • “Always… no, no… never… forget to check your references.”
  • Set your uploads directory to not execute php, cgi, or any other handlers
  • Disable indexes on uploads directory (not an issue here because it creates an index.php, but to be continued in another post)
  • Keep your plugins updated!
  • If you are a plugin developer, think like an attacker!

I tested the updates to WP All Import and WP All Import Pro and could no longer have fun inside the code base.  A few simple lines of code fixed these major vulnerabilities.

Update

WP All Import Vulnerability

WP All Import

If you use WP All Import or WP All Import Pro you should upgrade immediately to fix several severe vulnerabilities! Check out the WP All Import Vendor Announcement.


Monday February 23rd 2015 started off as a normal day. I was looking into an issue someone was having using WP All Import to import some data into a custom post type (CPT).

I’d never used WP All Import before, so I downloaded a copy from wordpress.org and set it up (very easy BTW). Unfortunately, I was blocked because you need a free version to import CPT. I decided to open up the source to look and see how it was actually inserting the CPT data, as long as I could see how it was working I could solve the original issue and go on with my day. After a few minutes looking at the code some familiar patterns jumped out at me and I knew I had to investigate further.

As soon as I realized there was something worth reporting I sent an email to support@wpallimport.com requesting a direct contact email for someone. I didn’t want to release information to an address that auto posts to a public tracker, or worse, not read at all.

Later that evening I was contacted directly by Louis Reingold requesting some more information. I provided detailed information about the potential vulnerability and right away he replied saying they would get it fixed asap and alert their customers.

I suspect Max their developer had a late night working on the issues. While I went to bed, I received 2 emails through the night and a bounty via paypal (Thanks!  Other vendors take note!)

After a couple of followup emails I received an updated version of the code (the Pro version too! I’ll have to remember to check back into that original issue) and noticed almost everything was fixed but pointed out a bit more that needed fixed.

Versions Affected

  • WP All Import < 3.2.4
  • WP All Import Pro < 4.1.1

Full Disclosure

After sufficient time has been given for WP All Import users to upgrade I will release more information about these vulnerabilities.

Update: It has been sufficient time, I’ve posted the
WP All Import Vulnerability Breakdown

Easy Digital Downloads 2.1 Vulnerabilities

Easy Digital Downloads

On 12/5/2014 I contacted Pippin Williamson at Easy Digital Downloads to notify of some discovered security issues.  He was very thankful and quick to resolve these issues and on 12/9/2014 version 2.2 was released.

Unfortunately there was not any explicit notification in the release notes of any security vulnerability, but they were visible in the github commit messages.  It is recommended you upgrade right away, especially if you are selling products and like to get paid!

There were two classes of vulnerabilities discovered. The first was the typical not verifying the user has proper permission/nonce of an AJAX request. The second, which is apparently not a bug but an intentional feature, allows any action/filter that starts with ‘edd_’ to be called.

Some of the capabilities these vulnerabilities allow:

  • Logged in users (not just admin) can update prices on arbitrary items
  • Anyone can display a list of all banned emails
  • Anyone can change tax rates
  • Anyone can mark arbitrary orders as paid without actually paying

If you are a plugin developer that extends the Easy Digital Downloads plugin, make sure that any actions/filters you add that begin with ‘edd_’ are properly checking permissions.