Ian Dunn: unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php

In:
https://github.com/iandunn/WordPress-Functionality-Plugin-Skeleton/blob/547216caf1bef2664ec3920a9c749191dea13aeb/functionality-plugin-skeleton.php#L108

the unserialize() function is called on a value taken from the request body:

```
public function block_plugin_updates( $request, $url ) {
	if ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) // todo moving to https at some point, if hasn't already
		return $request;
	$plugins = unserialize( $request['body']['plugins'] ); // todo use json now -- http://make.wordpress.org/core/2013/10/25/json-encoding-ssl-api-wordpress-3-7/
```

without restricting which classes may be instantiated. So if an attacker manages to control the value of $request['body']['plugins'], they will be able to:

1. conduct PHP POP (property-oriented programming) exploitation, i.e. chain the magic methods (__wakeup(), __destruct(), ...) of classes already loaded by WordPress and its plugins. More information:

http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing
http://www.slideshare.net/MailRuGroup/security-meetup-22-php-unserialize-exploiting

2. trigger bugs in unserialize() itself, which has had many exploitable memory-safety bugs in earlier PHP versions. More information:

https://www.evonide.com/fuzzing-unserialize/
https://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf

Fix:

1. Don't use serialize()/unserialize() if json_encode()/json_decode() can be used instead; this removes both attack vectors. (The code's own todo comment already points at the WordPress 3.7 change that moved this API call to JSON encoding.)
2. If 1 isn't possible, use a safe unserialize invocation, such as:

```
if (version_compare(PHP_VERSION, '7.0', 'lt')) {
    return safeUnserialize($data);
} else {
    return safeUnserialize($data, false);
}
```

Implement safeUnserialize() based on PMA_safeUnserialize:
https://github.com/phpmyadmin/phpmyadmin/blob/fb161a7bebe60d902f743227158eca6a9889c472/libraries/core.lib.php#L1080
but with a fix for the issue described in:
https://hackerone.com/reports/181315#activity-1322058
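Both fixes combined, as an added example. This is not code from the skeleton plugin or from phpMyAdmin; it is written from scratch here following the PMA_safeUnserialize idea (an own scanner that accepts only scalar and array tokens before the native parser ever runs). The names skeleton_scan_value(), skeleton_safe_unserialize(), skeleton_self_check() and the class Hardened_Skeleton are assumptions, the PLUGIN_UPDATE_CHECK_URL value is assumed, and the sample inputs in the self-check are constructed for illustration.

```php
<?php
// Added example, not part of the skeleton plugin or phpMyAdmin. All names here
// are hypothetical. Runs on PHP 5.3+ and PHP 7+: php this_file.php

/**
 * Scan one serialized PHP value starting at $pos, advancing $pos past it.
 * Accepts only N, b, i, d, s and a tokens; O (object), C (custom serialization),
 * r/R (references) and anything malformed return false. Nothing is instantiated
 * during the scan, so no __wakeup()/__destruct() gadget can fire.
 */
function skeleton_scan_value( $s, $len, &$pos ) {
	if ( $pos >= $len ) {
		return false;
	}
	switch ( $s[ $pos ] ) {
		case 'N': // N;
			if ( substr( $s, $pos, 2 ) !== 'N;' ) { return false; }
			$pos += 2;
			return true;
		case 'b': // b:0; or b:1;
			if ( ! preg_match( '/\Gb:[01];/', $s, $m, 0, $pos ) ) { return false; }
			$pos += strlen( $m[0] );
			return true;
		case 'i': // i:-42;
			if ( ! preg_match( '/\Gi:-?\d+;/', $s, $m, 0, $pos ) ) { return false; }
			$pos += strlen( $m[0] );
			return true;
		case 'd': // d:1.5; d:1.0E+25; d:INF; d:NAN;
			if ( ! preg_match( '/\Gd:(?:-?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?|-?INF|NAN);/', $s, $m, 0, $pos ) ) { return false; }
			$pos += strlen( $m[0] );
			return true;
		case 's': // s:<len>:"<bytes>";  the declared byte length is authoritative
			if ( ! preg_match( '/\Gs:(\d+):"/', $s, $m, 0, $pos ) ) { return false; }
			$start = $pos + strlen( $m[0] );
			$slen  = (int) $m[1];
			// The closing '";' must sit exactly $slen bytes after the opening quote.
			if ( $start + $slen + 2 > $len || substr( $s, $start + $slen, 2 ) !== '";' ) { return false; }
			$pos = $start + $slen + 2;
			return true;
		case 'a': // a:<count>:{ key value ... }  keys may only be i or s
			if ( ! preg_match( '/\Ga:(\d+):\{/', $s, $m, 0, $pos ) ) { return false; }
			$count = (int) $m[1];
			$pos  += strlen( $m[0] );
			for ( $i = 0; $i < $count; $i++ ) {
				if ( $pos >= $len || ( 'i' !== $s[ $pos ] && 's' !== $s[ $pos ] ) ) { return false; }
				if ( ! skeleton_scan_value( $s, $len, $pos ) ) { return false; } // key
				if ( ! skeleton_scan_value( $s, $len, $pos ) ) { return false; } // value
			}
			if ( $pos >= $len || '}' !== $s[ $pos ] ) { return false; }
			$pos++;
			return true;
		default: // O:, C:, r:, R: or garbage
			return false;
	}
}

/**
 * Safe replacement for unserialize() on untrusted input. Returns false unless
 * the whole string is a well-formed scalar/array structure; only then is the
 * native parser run. On PHP >= 7, allowed_classes => false is added as a second
 * layer (on its own it would still yield __PHP_Incomplete_Class objects instead
 * of rejecting, and the option does not exist on PHP 5, hence the version split).
 */
function skeleton_safe_unserialize( $serialized ) {
	if ( ! is_string( $serialized ) ) {
		return false;
	}
	$len = strlen( $serialized );
	$pos = 0;
	if ( ! skeleton_scan_value( $serialized, $len, $pos ) || $pos !== $len ) {
		return false;
	}
	if ( PHP_VERSION_ID >= 70000 ) {
		return unserialize( $serialized, array( 'allowed_classes' => false ) );
	}
	return unserialize( $serialized );
}

class Hardened_Skeleton {
	const PLUGIN_UPDATE_CHECK_URL = 'https://api.wordpress.org/plugins/update-check/'; // assumed value

	// Hardened form of the callback from the report: JSON first (fix 1, what
	// WordPress 3.7+ sends), the validated unserialize only as a legacy fallback (fix 2).
	public function block_plugin_updates( $request, $url ) {
		if ( 0 !== strpos( $url, self::PLUGIN_UPDATE_CHECK_URL ) ) {
			return $request;
		}
		$raw     = isset( $request['body']['plugins'] ) ? $request['body']['plugins'] : '';
		$plugins = json_decode( $raw, true ); // assoc arrays only, never objects
		if ( ! is_array( $plugins ) ) {
			$plugins = skeleton_safe_unserialize( $raw );
		}
		if ( ! is_array( $plugins ) ) {
			return $request; // unknown or malicious format: leave the request untouched
		}
		$request['body']['plugins'] = json_encode( $plugins ); // write back in the current encoding
		return $request;
	}
}

// Constructed inputs: one benign payload, one object gadget, one lying length.
function skeleton_self_check() {
	$benign = serialize( array( 'plugins' => array( 'a/a.php' => array( 'Version' => '1.0' ) ) ) );
	$gadget = 'a:1:{i:0;O:8:"stdClass":0:{}}';
	$lied   = 's:3:"abcd";';
	return is_array( skeleton_safe_unserialize( $benign ) )
		&& false === skeleton_safe_unserialize( $gadget )
		&& false === skeleton_safe_unserialize( $lied );
}

var_dump( skeleton_self_check() ); // expected: bool(true)
```

The PHP_VERSION_ID branch is the same split the report's snippet makes with version_compare(): on PHP 5 the scanner is the only guard, on PHP 7 allowed_classes adds defence in depth. The scanner deliberately trusts nothing but the declared byte length of each string and checks the closing quote at exactly that offset; hand-written scanners that instead search for the next `"` are the usual source of bypasses in this kind of filter.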
Report metadata (from the HackerOne listing):
Report: https://hackerone.com/reports/185907 (H1:185907)
Program: iandunn-projects (https://hackerone.com/iandunn-projects)
Reporter: e3amn2l
Published: 2016-11-28; last modified: 2016-12-29
Bounty: 25; state: resolved
CVSS: none assigned; no CVE