there is usage of unserialize function public function block_plugin_updates( $request, $url ) {
if ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already
return $request;
$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/
without disallowing unneeded classes.
thus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:
1. conduct PHP POP exploitation, more information:
1. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)
2. if 1 isn't possible, use safe unserialize invocation, such as:
if (version_compare(PHP_VERSION, '7.0', 'lt')) {
return safeUnserialize($data);
} else {
return safeUnserialize($data, false);
}
Implement safeUnserialize function that based on PMA_safeUnserialize:
https://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080
but with fix for the issue described in:
https://hackerone.com/reports/181315#activity-1322058
{"title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "published": "2016-11-28T01:16:24", "references": [], "h1reporter": {"hackerone_triager": false, "username": "e3amn2l", "hacker_mediation": false, "is_me?": false, "disabled": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l"}, "type": "hackerone", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "cvelist": [], "viewCount": 1, "hash": "4820f846b3751ad48c66d0316a28dc684c1618c0219c2952d5db556da9fb4ecd", "id": "H1:185907", "modified": "2016-12-29T15:26:40", "history": [{"edition": 2, "lastseen": "2017-08-28T23:19:23", "bulletin": {"id": "H1:185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d431dcd21be35952ba9ac5ee72afd57e50d33e44_small.jpg?1398144914", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d6eeccb507e11e4a439da0b32099f5e5aca88204_medium.jpg?1398144914"}}, "bounty": 25.0, "references": [], "enchantments": {}, "cvelist": [], "viewCount": 1, "title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "hash": "6d3c2f52e88d7087f64d8409e6fb40f8ae7a86af0f2a219b012e566f0825ec77", "type": "hackerone", "modified": "1970-01-01T00:00:00", "history": [], "published": "2016-11-28T01:16:24", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "4abb836f1bad451e87babb4d450dac0e", "key": "h1team"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b254f4b2b28e3b4c64105f6ea31c566", "key": "h1reporter"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "objectVersion": "1.3", "edition": 2, "bountyState": "resolved", "h1reporter": {"username": "e3amn2l", "hacker_mediation": false, "is_me?": false, "disabled": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l"}, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "href": "https://hackerone.com/reports/185907", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2017-08-28T23:19:23"}, "differentElements": ["modified"]}, {"edition": 3, "lastseen": "2017-08-29T13:11:22", "bulletin": {"id": "H1:185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d431dcd21be35952ba9ac5ee72afd57e50d33e44_small.jpg?1398144914", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d6eeccb507e11e4a439da0b32099f5e5aca88204_medium.jpg?1398144914"}}, "bounty": 25.0, "references": [], "enchantments": {}, "cvelist": [], "viewCount": 1, "title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "hash": "87c3bb72801c324e85df0202ad9bef7c9c6fba64f69d35ba23781aaa04cee66d", "type": "hackerone", "modified": "2016-12-29T15:26:40", "history": [], "published": "2016-11-28T01:16:24", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "4abb836f1bad451e87babb4d450dac0e", "key": "h1team"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b254f4b2b28e3b4c64105f6ea31c566", "key": "h1reporter"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbba13c2a70216a704ac99bb8c3db015", "key": "modified"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "objectVersion": "1.3", "edition": 3, "bountyState": "resolved", "h1reporter": {"username": "e3amn2l", "hacker_mediation": false, "is_me?": false, "disabled": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l"}, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "href": "https://hackerone.com/reports/185907", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2017-08-29T13:11:22"}, "differentElements": ["h1team"]}, {"edition": 5, "lastseen": "2018-02-07T16:57:56", "bulletin": {"id": "H1:185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/162/eb309ba9f6270977cf4e55dc66f0b8d7099a34b7_small.jpg?1508123836", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/162/cb18840e181960dbb77b2b8a38f637a2df47fa29_medium.jpg?1508123836"}}, "bounty": 25.0, "references": [], "enchantments": {"score": {"modified": "2018-02-07T16:57:56", "value": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/"}}, "cvelist": [], "viewCount": 1, "title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "hash": "99cbf367e7903647842c50386b420a5307bceed1dab2d37f9e39d8fafa5bb97f", "type": "hackerone", "modified": "2016-12-29T15:26:40", "history": [], "published": "2016-11-28T01:16:24", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "1fa035cc31edbbe2074d03059beadf05", "key": "h1reporter"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "97217abd859ee25f37b62a7388a95f1b", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbba13c2a70216a704ac99bb8c3db015", "key": "modified"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "objectVersion": "1.3", "edition": 5, "bountyState": "resolved", "h1reporter": {"hackerone_triager": false, "username": "e3amn2l", "hacker_mediation": false, "is_me?": false, "disabled": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l"}, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "href": "https://hackerone.com/reports/185907", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2018-02-07T16:57:56"}, "differentElements": ["h1team"]}, {"edition": 1, "lastseen": "2017-08-22T11:09:40", "bulletin": {"id": "H1:185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d431dcd21be35952ba9ac5ee72afd57e50d33e44_small.jpg?1398144914", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/162/d6eeccb507e11e4a439da0b32099f5e5aca88204_medium.jpg?1398144914"}}, "bounty": 25.0, "references": [], "enchantments": {}, "cvelist": [], "viewCount": 1, "title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "hash": "f06ba67a18b053fd5581acbd70a99be4b397285b1d4c528d3433f6fcf3ace43f", "type": "hackerone", "modified": "1970-01-01T00:00:00", "history": [], "published": "2016-11-28T01:16:24", "hashmap": [{"hash": "6005c1c432680f6997d2d053a7b59402", "key": "h1reporter"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "4abb836f1bad451e87babb4d450dac0e", "key": "h1team"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "fe3f171f649be7d45d9d11d3f5d45695", "key": "modified"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "objectVersion": "1.3", "edition": 1, "bountyState": "resolved", "h1reporter": {"disabled": false, "username": "e3amn2l", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l", "hacker_mediation": false}, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "href": "https://hackerone.com/reports/185907", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2017-08-22T11:09:40"}, "differentElements": ["h1reporter"]}, {"edition": 4, "lastseen": "2017-10-16T07:58:06", "bulletin": {"id": "H1:185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/162/eb309ba9f6270977cf4e55dc66f0b8d7099a34b7_small.jpg?1508123836", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/162/cb18840e181960dbb77b2b8a38f637a2df47fa29_medium.jpg?1508123836"}}, "bounty": 25.0, "references": [], "enchantments": {"score": {"modified": "2017-10-16T07:58:06", "value": 9.4}}, "cvelist": [], "viewCount": 1, "title": "Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php", "hash": "064c449784194504af94484ad677796bcc8ca6f1f507fb114486d33889a1e947", "type": "hackerone", "modified": "2016-12-29T15:26:40", "history": [], "published": "2016-11-28T01:16:24", "hashmap": [{"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "97217abd859ee25f37b62a7388a95f1b", "key": "h1team"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5b254f4b2b28e3b4c64105f6ea31c566", "key": "h1reporter"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbba13c2a70216a704ac99bb8c3db015", "key": "modified"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}], "objectVersion": "1.3", "edition": 4, "bountyState": "resolved", "h1reporter": {"username": "e3amn2l", "hacker_mediation": false, "is_me?": false, "disabled": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/e3amn2l"}, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "href": "https://hackerone.com/reports/185907", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2017-10-16T07:58:06"}, "differentElements": ["h1reporter"]}], "href": "https://hackerone.com/reports/185907", "h1team": {"handle": "iandunn-projects", "url": "https://hackerone.com/iandunn-projects", "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/162/eb309ba9f6270977cf4e55dc66f0b8d7099a34b7_small.jpg?1508123836", "medium": "https://profile-photos.hackerone-user-content.com/000/000/162/cb18840e181960dbb77b2b8a38f637a2df47fa29_medium.jpg?1508123836"}}, "hashmap": [{"hash": "483caca5435deb51f412fc8d3932f4a3", "key": "bounty"}, {"hash": "fafdd4fbb3fee9a56e17d43689f48d18", "key": "bountyState"}, {"hash": "05ada9a7482161942c43eadd60b0440c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5d3b4a0007fff60de27b1bb0dbad42b5", "key": "description"}, {"hash": "1fa035cc31edbbe2074d03059beadf05", "key": "h1reporter"}, {"hash": "5731d7442dfe1c0064e91eec35a2859f", "key": "h1team"}, {"hash": "6025216986e2117ca92bd78e270dd049", "key": "href"}, {"hash": "bbba13c2a70216a704ac99bb8c3db015", "key": "modified"}, {"hash": "846978bb703714dd2601e4a465ed83d7", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "010a4b624318c720c2c2060ccb8140d6", "key": "reporter"}, {"hash": "246330f8fbdb369c30763897705655c8", "key": "title"}, {"hash": "ec83c92514064cbcd1d6878e7bc2471a", "key": "type"}], "objectVersion": "1.3", "edition": 6, "bountyState": "resolved", "bounty": 25.0, "description": "in:\n\t\thttps://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108\n\nthere is usage of unserialize function\t\t\n```\npublic function block_plugin_updates( $request, $url ) {\n\t\t\tif ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already\n\t\t\t\treturn $request;\n\t\t\t$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/\n```\n\nwithout disallowing unneeded classes.\nthus, if attacker managed to control the value of $request['body']['plugins'] he will be able to:\n\n1\\. conduct PHP POP exploitation, more information:\n\nhttp://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing\nhttp://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting\n\n2\\. unserialize itself has many security bugs in previous PHP versions which can be exploited, more information:\n\nhttps://www.evonide.com/fuzzing-unserialize/\nhttps://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf\n\nfix:\n\n1\\. don't use serialize/unserialize if json_encode/json_decode can be used instead. (fix both 1 & 2 attack vectors)\n2\\. if 1 isn't possible, use safe unserialize invocation, such as:\n```\n if (version_compare(PHP_VERSION, '7.0', 'lt')) {\n return safeUnserialize($data);\n } else {\n return safeUnserialize($data, false);\n }\n```\n\nImplement safeUnserialize function that based on PMA_safeUnserialize:\nhttps://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080\nbut with fix for the issue described in:\nhttps://hackerone.com/reports/181315#activity-1322058", "bulletinFamily": "bugbounty", "reporter": "e3amn2l", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2018-04-19T17:34:09"}
