
So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

But claims of 'complete system compromise' are a little extreme

BSides Manchester A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking.

A security shortcoming within WordPress's PHP framework can be leveraged by logged-in non-admin users to run arbitrary malicious code and commands on the host servers, infosec consultancy Secarma has warned.

The "unserialization" hole in the platform's code can be exploited using a combination of XML external entity (XXE) attacks and server-side request forgery (SSRF). It also requires a vulnerable plugin to be installed on the site.

To make the attack work, a miscreant would need to log in and upload a booby-trapped file to the target application, then trigger a file operation through a crafted file name (that accesses the file through the phar:// stream wrapper), causing the target application to "unserialize" metadata contained in the file. That metadata can contain malicious commands, which are executed as a result of the deserialization.

Unserialization of attacker-controlled data is a known class of vulnerability that can lead to the execution of malicious code, smuggled in with the data, on the host server. German security researcher Stefan Esser first documented the family of flaws 10 years ago.

WordPress was informed of the issue in February 2017 but has yet to take action, according to Secarma. PDF generation library TCPDF is similarly vulnerable. Content management system Typo3 was vulnerable up until early June – before it released updates to protect users.

Research into the vulnerability was presented by Secarma's Sam Thomas at Thursday's BSides cybersecurity conference in Manchester, UK – days after it was unveiled at Black Hat USA in Las Vegas last week. His presentation (video below) was titled It's A PHP Unserialization Vulnerability Jim, But Not As We Know It. The section between the 30- and 38-minute marks concentrates on the WordPress issue.

[Embedded YouTube video of the presentation]

A white paper, File Operation Induced Unserialization via the phar:// Stream Wrapper (PDF), describes the issue in more depth.

Thomas told El Reg immediately after his Manchester gig that he had reported the serious PHP-related vulnerability in WordPress through HackerOne – which runs its bug bounty programme – months ago, but despite this the vuln had not been properly resolved. El Reg contacted both WordPress and HackerOne for comment.

We have yet to hear back from WordPress. HackerOne confirmed it worked with WordPress but declined to offer anything much beyond that. "Due to our confidentiality obligations to our customers, HackerOne does not comment on customer bug bounty programs," the outfit told El Reg.

Thomas said the WordPress flaw involves a "subtle vulnerability in thumbnail processing which allows an attacker to reach a 'file_exists' call with control of the start of the parameter."

As things stand, the objective scope of the vulnerability, and how easy it might be to exploit, is unclear. Thomas's presentation contained a number of caveats omitted from Secarma's press release about the presentation, which boldly claimed the flaw left "30 per cent of the world's top 1,000 websites vulnerable to hacking and data breaches."

Crucially, an attacker would need a suitable account, the ability to upload images or other files, and a vulnerable plugin installed on the site before malicious commands could be injected. To pull off a complete host system compromise, further vulnerabilities would likely need to be exploited to escalate the intruder's privileges.

After careful analysis and a review of available material, El Reg's security desk has concluded claims of a "massive WordPress vulnerability" are a load of tribble's testicles.

There's an issue here, but the premise that millions of websites are at risk of complete system compromise above and beyond the general widely known risk of running WordPress hasn't been substantiated by Secarma, a security business owned by hosting outfit UKFast.

WordPress hasn't issued a patch, and we have no information about mitigation from the CMS vendor to go on either. During his presentation Thomas said that the "issue is only exposed to authenticated users... they are certainly not supposed to be able to execute [code]."

In the absence of a fix, WordPress users need to be careful about new accounts that are author level and above, Thomas advised. These accounts should be locked down because the now-public hacking technique can be used to elevate privileges to admin. "Ultimately it's an issue within PHP," Thomas said, adding during a Twitter exchange that "the issue works against the default configuration of WordPress and PHP, [as far as I know] it is not dependent on network or system setup."
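As an added illustration of the defensive side of what Thomas describes (a file_exists() call whose argument starts with attacker-controlled text), and not code from the article, WordPress or Secarma: a wrapper that refuses stream-wrapper prefixes and confines the path to an upload directory, plus the blunt mitigation of unregistering the phar wrapper. UPLOAD_BASE and safe_file_exists are assumed names, and the sample paths are constructed.

```php
<?php
// Added example (not from the article or from WordPress/Secarma): a defensive
// wrapper around file_exists() for the case where an attacker controls the
// START of the path argument. UPLOAD_BASE and safe_file_exists are hypothetical.

const UPLOAD_BASE = '/var/www/html/wp-content/uploads';   // assumed base dir

/**
 * Returns true only if $userPath refers to a real file inside UPLOAD_BASE.
 * Rejects anything that looks like a stream wrapper (phar://, data://, ...),
 * because PHP resolves those inside file_exists() and, for phar://, will
 * unserialize the archive's metadata before the call returns.
 */
function safe_file_exists(string $userPath): bool
{
    // 1. No scheme-like prefix. This also refuses harmless names such as
    //    "report:final.jpg"; a false positive is the cheaper failure here.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return false;
    }
    // 2. No NUL bytes; PHP filesystem calls truncate or throw on them.
    if (strpos($userPath, "\0") !== false) {
        return false;
    }
    // 3. Anchor to the base directory and resolve symlinks and ".." segments.
    $candidate = UPLOAD_BASE . '/' . ltrim($userPath, '/');
    $real = realpath($candidate);
    if ($real === false) {
        return false;           // does not exist, or resolution failed
    }
    // 4. Confirm the resolved path is still under the base directory.
    $base = realpath(UPLOAD_BASE);
    return $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
        && is_file($real);
}

// Belt and braces: if the application never legitimately reads .phar archives,
// unregister the wrapper so phar:// cannot be reached through any file call.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed inputs: a normal upload name, then the shape of path the
// article describes reaching file_exists() (rejected at step 1).
var_dump(safe_file_exists('2018/08/photo.jpg'));
var_dump(safe_file_exists('phar://../uploads/evil.jpg/x'));
```

Unregistering the wrapper is application-wide, so check first that nothing on the site (Composer tooling, plugins) legitimately reads phar archives at request time.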

Chinese researcher Orange Tsai had discovered the same problem, Thomas acknowledged during his Manchester presentation.

WordPress is widely used by bloggers, news outlets and all manner of businesses as a content management system. It's no stranger to security problems of one sort or another, to put it mildly. ®
