Ultimate Member Plugin 1.0.78 Critical Security Vulnerability

While sitting and waiting for my daughter at gymnastics several weeks ago I noticed an announcement for the Ultimate Member plugin. It sounded interesting, so I bookmarked it to check out later.

Fast forward to last week, when I noticed it sitting there and decided to take a look at it. I noticed a couple of security issues and contacted the developers.

There were a few minor issues that they fixed, but the major ones are critical. If you are using this plugin, update immediately!

Delete any file

We’ve got an unauthenticated (‘nopriv’) AJAX action to delete files here.

[screenshot: ultimate-delete]

We definitely need some authorization on the user and/or the specific file to be deleted when the AJAX call comes in.

[screenshot: ultimate-delete2]

Well at least delete_file() is calling um_is_temp_upload() to make sure the file is a temporary file.

[screenshot: ultimate-delete3]

Uh-oh. It only strips ‘/ultimatemember/temp/’ off the beginning of the path. So it will happily accept ‘../’ further along in the path, and you can use it to delete any file that the user running PHP has permissions for.
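Here is the shape of the fix I would want for that handler, written as an added example rather than Ultimate Member’s own code. It requires a logged-in user and a nonce before doing anything, then canonicalises the requested path with realpath() and only unlinks it if the canonical path still sits inside the temp directory; stripping a prefix from the raw string, as the screenshot above does, never proves that. The function, action and nonce names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumed.

// Absolute path of the temp upload directory (uploads/ultimatemember/temp/).
function example_um_temp_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'ultimatemember/temp/';
}

// Returns the canonical absolute path when $relative resolves to a regular
// file inside the temp directory, or false otherwise. realpath() collapses
// '../' segments and symlinks, so a prefix check on its output cannot be
// bypassed by traversal sequences the way a check on the raw input can.
function example_um_is_temp_upload( $relative ) {
    $base = realpath( example_um_temp_dir() );
    if ( false === $base ) {
        return false; // temp dir missing: nothing is deletable
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    $candidate = realpath( $base . ltrim( (string) $relative, '/\\' ) );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return false;
    }
    // Containment check: canonical candidate must start with canonical base.
    if ( 0 !== strncmp( $candidate, $base, strlen( $base ) ) ) {
        return false;
    }
    return $candidate;
}

function example_um_ajax_delete_file() {
    // Authorization before anything touches the filesystem: a nonce bound to
    // this action (dies with -1 if invalid) and a logged-in user.
    check_ajax_referer( 'example_um_delete_file', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $requested = isset( $_POST['src'] ) ? wp_unslash( $_POST['src'] ) : '';
    $path      = example_um_is_temp_upload( $requested );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    unlink( $path );
    wp_send_json_success();
}

// Register only the authenticated hook; there is no wp_ajax_nopriv_ variant,
// so admin-ajax.php rejects anonymous callers before the handler runs.
add_action( 'wp_ajax_example_um_delete_file', 'example_um_ajax_delete_file' );
```

If the plugin keeps per-user temp files, the natural next step is to put them under a per-user subdirectory and pass that subdirectory as the base to example_um_is_temp_upload(), so one authenticated user cannot delete another user’s pending upload either.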

Upload arbitrary files

Multiple issues all come together to make this especially evil.

[screenshot: ultimate-fileexec]

First off, um-file-upload.php can be called directly and it bootstraps WordPress itself. I’d rather send every request through WordPress and not allow direct access to anything.

[screenshot: ultimate-fileexec1]

Then we call check_file_upload() and only move the file if it doesn’t return an error.

[screenshot: ultimate-fileexec2]

Cool, check_file_upload() at least checks for allowed extensions from an array. So if I try to upload something ending in .php it sets `$error = $data['extension_error'];`. Here’s the rub: since user input is passed into check_file_upload() as the field name, the get_field($field) call returns null if $field is some invalid field. None of the extension checks run, so the end result is that check_file_upload() returns null, which the caller treats as “no error”.

[screenshot: ultimate-fileexec3]

Now we’ve got a file uploaded, and the response even kicks back the full path you need to request the file. Assuming the host allows code execution from the uploads directory, you can now run code as the user running PHP.
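The defensive counterpart, as an added example that is not the plugin’s code: an upload check that fails closed. An unknown field name is an error rather than a free pass, the extension must be on that field’s allowlist, WordPress’s own content sniffing must agree with the extension, the stored file gets a random name, and the response returns only that name rather than a server path. The file guard at the top is the usual way to stop the script being hit directly. The field registry and function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are assumed.

// Refuse direct requests: only run when loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Stand-in for the plugin's field registry (assumed): field => allowed exts.
function example_um_field_config( $field ) {
    $fields = array(
        'profile_photo' => array( 'allowed_types' => array( 'jpg', 'jpeg', 'png', 'gif' ) ),
        'resume'        => array( 'allowed_types' => array( 'pdf' ) ),
    );
    return isset( $fields[ $field ] ) ? $fields[ $field ] : null;
}

// Returns null when the upload is acceptable, or an error string otherwise.
function example_um_check_file_upload( $file, $field ) {
    $config = example_um_field_config( $field );
    if ( null === $config || empty( $config['allowed_types'] ) ) {
        // Fail closed: an unknown field must not mean "anything goes".
        return 'Unknown upload field.';
    }
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return 'Upload failed.';
    }

    $name = basename( (string) $file['name'] );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $ext || ! in_array( $ext, $config['allowed_types'], true ) ) {
        return 'File type not allowed.';
    }

    // Do not trust the client-supplied name alone: WordPress checks the
    // file contents against the claimed extension and returns the real ext.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] )
        || ! in_array( strtolower( $check['ext'] ), $config['allowed_types'], true ) ) {
        return 'File type not allowed.';
    }
    return null;
}

// Moves the file only when the check passes; otherwise returns the error.
function example_um_handle_upload( $file, $field ) {
    $error = example_um_check_file_upload( $file, $field );
    if ( null !== $error ) {
        return array( 'error' => $error );
    }

    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'ultimatemember/temp/';
    wp_mkdir_p( $dir );

    // Random server-side name; the uploader does not choose the final name.
    $ext  = strtolower( pathinfo( basename( $file['name'] ), PATHINFO_EXTENSION ) );
    $dest = $dir . wp_generate_password( 24, false ) . '.' . $ext;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return array( 'error' => 'Could not store file.' );
    }
    // Hand back only the relative name, never the full filesystem path.
    return array( 'file' => basename( $dest ) );
}
```

Wire example_um_handle_upload() to a wp_ajax_ action with a nonce and login check, as in the delete handler, rather than exposing the script directly. Even with the checks above, denying script execution under wp-content/uploads at the web-server level remains the backstop for the “host allows code execution from the uploads directory” case.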

Timeline

Custom Field Suite 2.4 Security Vulnerability

Recently I was looking at the Custom Field Suite plugin. I’d never used it before, and as always before using a plugin I had to quickly go through the code looking for obvious security issues.

[screenshot: cfs-ajax1]

AJAX, the frequent offender, jumped out at me. Luckily these are not the ‘nopriv’ type, so an attacker would have to have an account on the WordPress site, but any basic account will work.

[screenshot: cfs-ajax2]

  • Import custom fields
  • Export custom fields
  • Search for posts by title (via includes/fields/ajax.php:search_posts() )

The only AJAX function that was secured was ‘reset’, which would remove everything CFS related from the database and deactivate the plugin.

With all the awesome stuff that CFS can do, I’m sure an attacker could find something fun to do once they can export your setup and re-import it.

Matt was quick to respond and get a new version out there. Here is the changelog. I recommend everyone update immediately.

Timeline

  • 3/3/2015 12:45pm Initial disclosure email
  • 3/3/2015 12:59pm Response and issue fixed in github.com
  • 3/4/2015 Updated version (2.4.1) released on wordpress.org

Tweet Wheel 0.3 Security Vulnerability

I was looking for a WordPress plugin that would add some Twitter functionality to my website last week. I ran across Tweet Wheel from Nerd Cow (awesome name, BTW!).

I personally can’t use a plugin without at least doing a quick inspection of the code, so I took a look and saw a minor AJAX issue. It is one that wouldn’t even stop me from using the code unfixed in this specific case, because nobody besides me has access to the site.

Props to Thomasz Lisiecki for taking security seriously and getting an updated version out right away, even on such a minor issue. The changelog is posted here.

[screenshot: tweetwheel-ajax]

Fortunately, none of the actions are ‘nopriv’, so you at least need a valid WordPress user account to use the functionality.

[screenshot: tweetwheel-ajaxtweet]

Of all the actions, this was the worst, and it is pretty minor. The result would just be spamming Twitter with the same tweets over and over. Without further access you can’t even adjust what the tweet says.
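Both the Custom Field Suite issue above (import/export/search open to any logged-in account) and this Tweet Wheel one come down to the same missing step: being logged in is not the same as being allowed. The added example below, which is neither plugin’s code, maps each AJAX action to the capability it requires and gates every handler on a nonce plus current_user_can() before doing the work, so a subscriber-level account is turned away from admin-only actions while a low-risk search stays available to editors. Action names, capabilities and the example_ functions are assumptions for illustration.

```php
<?php
// Added example, not CFS's or Tweet Wheel's code. example_ names are assumed.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Action => capability required to call it. 'manage_options' is held by
// administrators only; 'edit_posts' by contributors and above, not subscribers.
function example_ajax_actions() {
    return array(
        'example_cfs_export' => 'manage_options',
        'example_cfs_import' => 'manage_options',
        'example_cfs_search' => 'edit_posts',
        'example_tw_tweet'   => 'manage_options',
    );
}

// Common gate. Being reached via wp_ajax_ (never wp_ajax_nopriv_) already
// means a logged-in user; this adds a per-action nonce and a capability check.
function example_ajax_authorize( $action ) {
    $required = example_ajax_actions();
    if ( ! isset( $required[ $action ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    check_ajax_referer( $action, 'nonce' ); // dies with -1 on a bad nonce
    if ( ! current_user_can( $required[ $action ] ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
}

// Admin-only: exporting the field configuration.
function example_cfs_export_handler() {
    example_ajax_authorize( 'example_cfs_export' );
    $groups = get_posts( array( 'post_type' => 'cfs', 'numberposts' => -1 ) ); // 'cfs' post type assumed
    wp_send_json_success( array( 'groups' => wp_list_pluck( $groups, 'post_title' ) ) );
}

// Lower-risk: searching posts by title, open to anyone who can edit posts.
function example_cfs_search_handler() {
    example_ajax_authorize( 'example_cfs_search' );
    $term  = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    $posts = get_posts( array( 's' => $term, 'numberposts' => 20 ) );
    $out   = array();
    foreach ( $posts as $p ) {
        $out[] = array( 'id' => $p->ID, 'title' => $p->post_title );
    }
    wp_send_json_success( $out );
}

// Admin-only: posting a tweet. The tweet text is taken from the saved
// settings, not from the request, so a caller cannot inject content.
function example_tw_tweet_handler() {
    example_ajax_authorize( 'example_tw_tweet' );
    $text = (string) get_option( 'example_tw_queued_tweet', '' ); // option name assumed
    if ( '' === $text ) {
        wp_send_json_error( 'nothing queued', 400 );
    }
    // ... hand $text to the Twitter client here ...
    wp_send_json_success();
}

// Register only the authenticated variants. No wp_ajax_nopriv_ hooks exist,
// so anonymous requests to admin-ajax.php never reach these functions.
add_action( 'wp_ajax_example_cfs_export', 'example_cfs_export_handler' );
add_action( 'wp_ajax_example_cfs_search', 'example_cfs_search_handler' );
add_action( 'wp_ajax_example_tw_tweet', 'example_tw_tweet_handler' );
```

The browser side has to send the matching nonce, created with wp_create_nonce( 'example_cfs_export' ) and so on, in the ‘nonce’ field of each request. Keeping the action-to-capability table in one place makes it easy to review which actions a plain subscriber can reach, which is exactly the question both of these reports came down to.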

Timeline

  • 3/1/2015 11:43am Initial disclosure email sent
  • 3/1/2015 11:46am Reply received
  • 3/4/2015 Plugin updated on wordpress.org