So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks
BSides Manchester: A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking. Security shortcomings let attackers take advantage of weaknesses within WordPress’s PHP framework, allowing already registered users without admin privileges to run exploit code, infosec consultancy Secarma has warned.
The hole gives a previously undiscovered way to trigger “unserialization” in the platform’s code using a combination of XML external entity (XXE) attacks and server-side request forgery (SSRF). To make the attack work, a miscreant would need to upload a booby-trapped file onto the target application, then trigger a file operation through a crafted file name (one that accesses the file through the phar:// stream wrapper), causing the target application to “unserialize” metadata contained within the file.
The flaw by itself would not allow an attacker to break into a targeted system, and only expands the scope for mischief once a toehold on targeted systems has been obtained by some other means. Unserialization of attacker-controlled data is a well-known class of vulnerability that is liable to lead to the execution of malicious code. German security researcher Stefan Esser first documented the class of flaw 10 years ago.
Secarma’s research demonstrates a new technique that lets an attacker transition from a type of vulnerability not previously considered that serious to one that can have a severe impact.
WordPress was informed of the issue in February 2017 but has yet to take action, according to Secarma. PDF generation library TCPDF is similarly vulnerable. Content management system Typo3 was vulnerable up until early June, before it released updates to protect users.
Research into the vulnerability was presented by Secarma’s Sam Thomas at Thursday’s BSides cybersecurity conference in Manchester, UK, days after it was first unveiled at Black Hat in Las Vegas last week. His presentation (video below) was entitled It’s A PHP Unserialization Vulnerability Jim, But Not As We Know It. The section between the 30 and 38 minute marks concentrates on the WordPress problem.
A white paper, File Operation Induced Unserialization via the phar:// Stream Wrapper (PDF), explains the issue in more depth. Thomas told El Reg immediately after his Manchester talk that he had reported the serious PHP-related vulnerability in WordPress through HackerOne, which runs its bug bounty program, months ago. Still, despite this, the vuln had not been properly resolved. El Reg contacted both WordPress and HackerOne for comment.
We have yet to hear back from WordPress. HackerOne confirmed it worked with WordPress but declined to offer anything much beyond that. “Due to our confidentiality obligations to our customers, HackerOne does not comment on customer bug bounty programs,” the outfit told El Reg.
Thomas said the WordPress flaw involves a “subtle vulnerability in thumbnail processing which allows an attacker to reach a ‘file_exists’ call with control of the start of the parameter”.
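The two passages above (the phar:// mechanism and the `file_exists` call whose parameter start the attacker controls) describe one defensive requirement: PHP selects a stream wrapper from the prefix of a path string, so a file name that an attacker can begin with `phar://` must never reach a file-system function. The following is an added example, not code from the article, Secarma or WordPress, of the check an application can apply itself; the function names `assert_local_path()` and `disable_phar_wrapper()` and the `$uploadDir` value are assumptions made for illustration.

```php
<?php
// Added example, not code from the article, Secarma or WordPress.
// Assumed names: assert_local_path(), disable_phar_wrapper(), $uploadDir.

/**
 * Return the canonical path of a user-named file inside $uploadDir, or throw.
 * The first check is the one that matters for the phar:// technique: a path
 * that starts with a stream wrapper is refused before it reaches
 * file_exists(), is_file(), getimagesize() or any other file-system call.
 */
function assert_local_path(string $userSupplied, string $uploadDir): string
{
    // "scheme:" at the start of the string selects a PHP stream wrapper
    // (phar://, data:, php://, ...). Wrapper names match case-insensitively,
    // so "PHAR://" must be caught as well; the /i modifier does that.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $userSupplied) === 1) {
        throw new InvalidArgumentException('stream wrapper prefix refused');
    }
    // A NUL byte would truncate the path inside the C runtime.
    if (strpos($userSupplied, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory missing');
    }
    // Keep only the final path component, then confirm the resolved path
    // still lies inside the upload directory (blocks ../ traversal too).
    $real = realpath($base . '/' . basename($userSupplied));
    if ($real === false || strpos($real, $base . '/') !== 0) {
        throw new InvalidArgumentException('file is not inside the upload directory');
    }
    return $real;
}

/**
 * Belt and braces for applications that never read .phar archives:
 * remove the wrapper process-wide so phar:// paths cannot be opened at all.
 * Must run before any attacker-controlled path is processed.
 */
function disable_phar_wrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        return stream_wrapper_unregister('phar');
    }
    return true; // already absent
}

// --- Constructed demonstration inputs (not from the article) --------------
$uploadDir = sys_get_temp_dir() . '/phar_guard_demo';
@mkdir($uploadDir, 0700);
touch($uploadDir . '/avatar.jpg');                   // a legitimate upload

disable_phar_wrapper();

$names = [
    'avatar.jpg',                                     // accepted
    'phar://' . $uploadDir . '/avatar.jpg/thumb.jpg', // wrapper at the start
    'PHAR://' . $uploadDir . '/avatar.jpg/thumb.jpg', // case variant
    '../../etc/passwd',                               // traversal
];
foreach ($names as $name) {
    try {
        echo "accepted: ", assert_local_path($name, $uploadDir), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$name} ({$e->getMessage()})\n";
    }
}
```

The prefix test is the decisive control: a wrapper can only be selected from the start of the string, which is exactly why Thomas’s phrase “control of the start of the parameter” matters, and why a sink where the attacker controls only the tail of a path is not reachable this way. Removing the wrapper with `stream_wrapper_unregister('phar')` is a process-wide setting that also breaks legitimate `.phar` loading, so it suits applications that ship no phar archives. From PHP 8.0 onward the phar extension no longer unserializes archive metadata automatically when a phar:// path is opened; on the PHP 5 and 7 releases this article concerns, the two checks above are what an application can apply on its own.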
As things stand, the objective scope of the vulnerability and how easy it might be to exploit is unclear. Thomas’s presentation contained a number of caveats omitted from Secarma’s press release about the presentation, which boldly claimed the flaw left “30 per cent of the world’s top 1,000 websites at risk of hacking and data breaches”.
After careful evaluation and an assessment of the available material, El Reg’s security desk has concluded that claims of a “massive WordPress vulnerability” are a load of tribble’s testicles. There’s an issue here; however, the premise that hundreds of thousands of websites are at risk of “complete system compromise” above and beyond the general, well-known risk of running WordPress hasn’t been substantiated by Secarma, a security business owned by hosting outfit UKFast.
WordPress hasn’t issued a patch, and we have no information about mitigation from the CMS vendor to go on either. During his presentation, Thomas said that the “issue is only exposed to authenticated users… They’re just not meant to be able to execute [code]”.
In the absence of a fix, WordPress users need to be careful about new accounts that are author level and above, Thomas advised. These accounts must be locked down because the now-public hacking technique can be used to elevate privileges to admin. “Ultimately it’s a problem within PHP,” Thomas said, adding during a Twitter exchange that “the issue works against the default configuration of WordPress and PHP, [as far as I know] it isn’t dependent on network or system setup”.
Chinese researcher Orange Tsai had found the same issue, Thomas noted during his Manchester presentation. WordPress is widely used by bloggers, news outlets, and organizations as a content management system. It’s no stranger to security problems of one kind or another, to put it mildly. ®