Site Deletion Vulnerability in Hashthemes Plugin

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On August 25, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.

This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.

As we did not receive a response from the developer for nearly a month, we contacted the WordPress plugins team with our disclosure on September 20, 2021. The plugin was temporarily removed from the repository the same day, and a patched version, 1.1.2, was made available on September 24, 2021, though it was not mentioned in the developer changelog.

Wordfence Premium customers received a firewall rule protecting against this vulnerability on August 25, 2021. Sites running the free version of Wordfence received the same rule 30 days later, on September 24, 2021.


Description: Improper Access Control allowing content deletion
Affected Plugin: Hashthemes Demo Importer
Plugin Slug: hashthemes-demo-importer
Plugin Vendor: Hashthemes
Affected Versions: <= 1.1.1
CVE ID: CVE-2021-39333
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall

The Hashthemes Demo Importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was printed into the admin dashboard for all logged-in users, including low-privileged users such as subscribers. A nonce only proves that a request originated from the user’s own session (it is a CSRF defense); it is not an authorization check, so on its own it cannot stop a low-privileged user from calling a privileged action. The most severe consequence was that a subscriber-level user could reset all of the content on a site.

Any logged-in user could trigger the hdi_install_demo AJAX action with the reset parameter set to true, which caused the plugin to run its database_reset function. That function wiped the database by truncating every table on the site except wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin ran its clear_uploads function, which deleted every file and folder in wp-content/uploads. Because TRUNCATE cannot be rolled back and the files are removed from disk, nothing is recoverable afterwards without an external backup.
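The pattern described above, as an added example that is not Hashthemes’ own code: a stand-alone PHP script in which the WordPress helpers are replaced by small stand-ins so it runs from the command line. The stand-in nonce is an assumed simplification (it omits the time tick and session token that the real wp_create_nonce() mixes in) that keeps only the property that matters here: a nonce is bound to the user, not to a capability. The role map, user records and request array are constructed for the demo.

```php
<?php
// Added example, not Hashthemes code. Models the missing access control with
// stand-ins for the WordPress helpers so the script runs without WordPress.
// Assumption: the stand-in nonce omits the time tick and session token that
// real wp_create_nonce() includes; only "bound to the user" is modelled.

const DEMO_SITE_SECRET = 'constructed-secret-for-this-demo';

// Stand-in for wp_create_nonce(). Every logged-in user gets a valid nonce for
// the action, which is exactly what the plugin printed into the dashboard.
function demo_create_nonce( string $action, int $user_id ): string {
    return substr( hash_hmac( 'sha256', $action . '|' . $user_id, DEMO_SITE_SECRET ), 0, 10 );
}

// Stand-in for wp_verify_nonce() / check_ajax_referer().
function demo_verify_nonce( string $nonce, string $action, int $user_id ): bool {
    return hash_equals( demo_create_nonce( $action, $user_id ), $nonce );
}

// Stand-in for current_user_can(): a tiny constructed role-to-capability map.
function demo_user_can( array $user, string $cap ): bool {
    $roles = [
        'administrator' => [ 'manage_options', 'read' ],
        'subscriber'    => [ 'read' ],
    ];
    return in_array( $cap, $roles[ $user['role'] ] ?? [], true );
}

// Vulnerable shape: the nonce is the only gate. A nonce defends against CSRF
// (a request forged from another origin); it says nothing about privilege.
function install_demo_vulnerable( array $user, array $post ): string {
    if ( ! demo_verify_nonce( $post['nonce'] ?? '', 'hdi_install_demo', $user['id'] ) ) {
        return 'denied: invalid nonce';
    }
    if ( ( $post['reset'] ?? '' ) === 'true' ) {
        return 'database_reset() and clear_uploads() would run';
    }
    return 'demo imported';
}

// Hardened shape: authorization first, then the CSRF check. In a real plugin
// the two gates are current_user_can( 'manage_options' ) and
// check_ajax_referer( 'hdi_install_demo', 'nonce' ), and the nonce should only
// be localized into scripts enqueued for users who hold that capability.
function install_demo_hardened( array $user, array $post ): string {
    if ( ! demo_user_can( $user, 'manage_options' ) ) {
        return 'denied: insufficient capability';
    }
    if ( ! demo_verify_nonce( $post['nonce'] ?? '', 'hdi_install_demo', $user['id'] ) ) {
        return 'denied: invalid nonce';
    }
    if ( ( $post['reset'] ?? '' ) === 'true' ) {
        return 'database_reset() and clear_uploads() would run';
    }
    return 'demo imported';
}

// Constructed scenario: a subscriber who copied the nonce out of their own dashboard.
$subscriber = [ 'id' => 7, 'role' => 'subscriber' ];
$request    = [ 'nonce' => demo_create_nonce( 'hdi_install_demo', 7 ), 'reset' => 'true' ];

echo 'vulnerable, subscriber: ', install_demo_vulnerable( $subscriber, $request ), PHP_EOL;
echo 'hardened, subscriber:   ', install_demo_hardened( $subscriber, $request ), PHP_EOL;

$admin         = [ 'id' => 1, 'role' => 'administrator' ];
$admin_request = [ 'nonce' => demo_create_nonce( 'hdi_install_demo', 1 ), 'reset' => 'true' ];
echo 'hardened, administrator: ', install_demo_hardened( $admin, $admin_request ), PHP_EOL;
```

Run it with `php` on the command line. The subscriber’s request passes the nonce check in the vulnerable handler and is stopped by the capability check in the hardened one; the administrator passes both. The order of the two gates is deliberate: the capability check is the authorization decision, and the nonce check only confirms the request came from that user’s own session.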

Timeline

August 25, 2021 – Wordfence Threat Intelligence finishes our investigation and attempts to initiate disclosure for a vulnerability in HashThemes Demo Importer. We release a firewall rule to Wordfence Premium customers.
September 20, 2021 – We contact the WordPress plugins team as we have not received a response from the plugin developer. The plugin is temporarily removed from the WordPress.org repository.
September 24, 2021 – A patched version of the plugin, 1.1.2, becomes available. The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we discussed a vulnerability in HashThemes Demo Importer that allowed any logged-in user to completely and permanently destroy all of the content on a website.

We’ve discussed the importance of backups in the past, and this vulnerability serves as an important reminder of how critical backups are to your site’s security. While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up.

Wordfence Premium users have been protected against this vulnerability since August 25, 2021, while those still running the free version of Wordfence have been protected since September 24, 2021. If you are running a vulnerable version of this plugin, we urge you to update to the latest version available, 1.1.4, as soon as possible.

If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected, as this vulnerability can lead to the complete and irreversible destruction of a site’s content.

The post Site Deletion Vulnerability in Hashthemes Plugin appeared first on Wordfence.

7 Scary Good Tips to Secure Your Website

Nothing pairs quite as well as cybersecurity and Halloween. Prepare for more than trick-or-treaters this spooky season with these 7 wicked website security tips.

1 – Make a horcrux (aka back up your data)

In Harry Potter, a horcrux lets wizards store a fragment of their soul in different objects as a safeguard against death. Similarly, a backup can restore your site to life after it’s compromised by a cyber attack.

Attackers are always looking to exploit vulnerabilities.

Continue reading 7 Scary Good Tips to Secure Your Website at Sucuri Blog.

Vulnerability Patched in Sassy Social Share Plugin

In 2010, Stefan Esser gave a presentation in Las Vegas that rocked the PHP world. He had discovered a new kind of vulnerability that today we call a “PHP Object Injection” vulnerability. This kind of vulnerability allows an attacker to send a PHP application some data that is turned into an object that lives in memory. If the application then assumes that object and its data are safe, and does things with that object, it can lead to a compromised website.

In technical terms, the way an object injection vulnerability works is as follows. A developer writes code that uses the unserialize() function. This function takes an object that has been stored somewhere and turns it from its stored form, which looks like text, back into an object that lives in memory. Developers do this when using object-oriented programming in PHP. Objects are just data structures that logically represent things within the application. The serialize() and unserialize() functions are ways to store and retrieve objects. While serialize() turns an object into text, ready for storage, unserialize() takes the text and turns it back into an object that you can use in the application.

What Stefan discovered is that many developers were assuming that their objects, once unserialized in memory, were safe. If he could send malicious data to the unserialize function that was later used by the application and assumed to be safe, he could gain remote code execution on a website or in any PHP application. He had discovered a whole new way to hack into many websites across the globe.

Today we are disclosing an object injection vulnerability in a popular WordPress plugin. This vulnerability allows an attacker to submit data that is unserialized by PHP, and could contain malicious data. This malicious data is used by code in the application that trusts that the data is safe, creating a vulnerability that allows an attacker to take over a WordPress website.

PHP Object Injection Vulnerability in Sassy Social Share

On August 31, 2021, the Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber-level users to gain remote code execution and take over a vulnerable site. Sites with open registration allow anyone to create a “subscriber” level account and are therefore particularly exposed.

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP objects that could be used as part of a POP chain (a Property-Oriented Programming chain): a sequence of magic methods from classes already loaded on the site that the attacker strings together into a code execution path.

On August 31, 2021, we initiated the responsible disclosure process. The vendor responded the next day, on September 1, 2021, and we sent over the full disclosure details on September 2, 2021.

After working with the developer over a couple of weeks, a patch was released on September 17, 2021 in version 3.3.24. As per our responsible disclosure policy, we are now disclosing the vulnerability details because the plugin has been fully patched for some time.

If you have not already done so, we strongly recommend updating to the latest patched version of Sassy Social Share, which is version 3.3.25 at the time of this publication, as soon as possible, especially if you are running the vulnerable version of the plugin, which is version 3.3.23.

Description: Missing Authorization Controls Leading to PHP Object Injection
Affected Plugin: Sassy Social Share
Plugin Slug: sassy-social-share
Plugin Vendor: Team Heateor
Affected Versions: 3.3.23
CVE ID: CVE-2021-39321
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher/s: Chloe Chamberland

Sassy Social Share is an easy-to-use plugin designed to enhance a site’s social media presence. One of the plugin’s recent updates introduced the ability to import and export the plugin’s settings. Unfortunately, this was insecurely implemented, making it possible for any authenticated user to import the plugin’s settings and to inject arbitrary PHP objects along the way.

In order to provide this functionality, the plugin registered the wp_ajax_heateor_sss_import_config AJAX action, which is hooked to the import_config function. Unfortunately, this function had no capability check and no nonce protection, which meant that any authenticated user could trigger the AJAX action.

In this vulnerability’s simplest form it could be used to import and override the plugin’s settings, but it didn’t stop there. Because the plugin passed the user-supplied, base64-encoded contents of the config parameter through maybe_unserialize (and so through unserialize) with no restriction on which classes could be instantiated, an attacker could craft a serialized payload naming any class loaded on the site, and potentially perform other actions if that class, in any plugin or theme installed alongside, had a dangerous magic method such as __wakeup or __destruct. This is referred to as PHP Object Injection, and we have detailed this type of vulnerability more extensively in the past.

	public function import_config() {
		// Vulnerable handler as shipped in 3.3.23: there is no current_user_can()
		// check and no nonce check, so any logged-in user reaches the code below.
		if ( isset( $_POST['config'] ) && strlen( trim( $_POST['config'] ) ) > 0 ) {
			// Sink: attacker-controlled, base64-encoded serialized data is
			// unserialized with no restriction on which classes may be created.
			$config = maybe_unserialize( base64_decode( trim( $_POST['config'] ) ) );
			// The is_array() guard runs after unserialize(), so any injected
			// object already exists (and its magic methods can already fire).
			if ( is_array( $config ) && count( $config ) > 0 ) {
				update_option( 'heateor_sss', $config );
				header( 'Content-Type: application/json' );
				die( json_encode(
					array(
						'success' => 1
					)
				) );
			}
		}
		die;
	}

If another plugin or theme with a vulnerable magic method was installed on the same site as a vulnerable version of the Sassy Social Share plugin, an attacker could potentially create new files, delete existing files, execute remote commands, and more. This would make it possible for an attacker to take over a vulnerable WordPress site.
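The deserialization sink described in the two passages above, as an added example that is not the plugin’s own code: a stand-alone PHP script showing why an unrestricted unserialize() of user input is dangerous and two ways to decode imported settings safely. The gadget class, the marker file and the sample settings array are constructed for the demo; the class is hypothetical and stands in for any class with a dangerous magic method that another plugin or theme happens to load. The example only covers the deserialization sink; the advisory records that the handler also lacked capability and nonce checks, which the Hashthemes example on this page addresses.

```php
<?php
// Added example, not Sassy Social Share code. Shows how an attacker-controlled
// serialized string reaches a magic method, and how to decode settings safely.
// HypotheticalLogFlusher is a constructed stand-in for any class with a
// dangerous magic method that some other plugin or theme loads on the site.

class HypotheticalLogFlusher {
    public $path;
    public $content;

    // Runs automatically when the object is destroyed, e.g. when the variable
    // holding the result of unserialize() goes out of scope. The application
    // never has to call anything on the object.
    public function __destruct() {
        if ( $this->path !== null ) {
            file_put_contents( $this->path, $this->content );
        }
    }
}

// Attacker side: build the serialized object by hand. The attacker never needs
// to instantiate the class, only to know its name and property names.
function craft_payload( string $class, array $props ): string {
    $body = '';
    foreach ( $props as $name => $value ) {
        $body .= sprintf( 's:%d:"%s";s:%d:"%s";', strlen( $name ), $name, strlen( $value ), $value );
    }
    $serialized = sprintf( 'O:%d:"%s":%d:{%s}', strlen( $class ), $class, count( $props ), $body );
    return base64_encode( $serialized ); // the plugin base64-decoded the config parameter
}

// Mirrors the vulnerable flow: maybe_unserialize() ends in unserialize() with no
// class restriction. The is_array() guard does not help, because the object is
// already built and its destructor fires when $data is released.
function import_config_vulnerable( string $config ): bool {
    $data = unserialize( base64_decode( $config ) );
    return is_array( $data ); // false for the gadget, but the damage is done on return
}

// Hardened decode: forbid object instantiation entirely. Any "O:" record becomes
// __PHP_Incomplete_Class, whose magic methods are inert.
function import_config_hardened( string $config ): ?array {
    $data = unserialize( base64_decode( $config ), [ 'allowed_classes' => false ] );
    return is_array( $data ) ? $data : null;
}

// Better still: settings are plain arrays, so carry them as JSON, which can
// never produce a PHP object no matter what the client sends.
function import_config_json( string $config ): ?array {
    $data = json_decode( base64_decode( $config ), true );
    return is_array( $data ) ? $data : null;
}

// Constructed demo: the gadget writes a marker file in the temp directory.
$marker  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = craft_payload( 'HypotheticalLogFlusher', [ 'path' => $marker, 'content' => 'written by gadget' ] );

@unlink( $marker );
import_config_vulnerable( $payload );
echo 'vulnerable sink, marker file exists: ', var_export( file_exists( $marker ), true ), PHP_EOL;

@unlink( $marker );
import_config_hardened( $payload );
echo 'hardened sink, marker file exists:   ', var_export( file_exists( $marker ), true ), PHP_EOL;

// A legitimate settings export round-trips through the JSON variant (constructed sample).
$legit = base64_encode( json_encode( [ 'horizontal_sharing' => 1 ] ) );
var_dump( import_config_json( $legit ) );
@unlink( $marker );
```

Run it with `php` on the command line. The marker file appears after the vulnerable sink even though that function returns false, because the destructor ran before the is_array() check could matter; after the hardened sink it does not. The allowed_classes option exists since PHP 7.0; where the stored settings are plain arrays, switching the import format to JSON removes the sink altogether.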

Disclosure Timeline

August 31, 2021 – Conclusion of the plugin analysis that led to the discovery of a vulnerability in the Sassy Social Share WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 1, 2021 – The vendor responds and confirms the inbox to use for the disclosure discussion.
September 2, 2021 – We send over full disclosure details. The vendor responds confirming they will begin working on a fix.
September 2-17, 2021 – We work closely with the vendor to ensure an optimal security patch is released by verifying the implemented fixes before they are released to customers.
September 17, 2021 – The patched version is released as 3.3.24.
September 30, 2021 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we described a flaw in the Sassy Social Share WordPress plugin that grants attackers the ability to update the plugin’s settings and inject PHP Objects. This flaw has been fully patched in version 3.3.24 of Sassy Social Share. We recommend that WordPress users immediately update to the latest version available, which is version 3.3.25 at the time of this publication.

Please do let others in the WordPress community know about this issue to help them stay safe.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 31, 2021. Sites still using the free version received the same protection on September 30, 2021.

If your site has been compromised as a result of this or any other vulnerability, we offer Professional Site Cleaning services to help undo the damage. If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.

The post Vulnerability Patched in Sassy Social Share Plugin appeared first on Wordfence.

SSL Within the Context of Website Security

There is a common misconception that if someone adds SSL (Secure Sockets Layer, today implemented as TLS) to their blog or company website, it will protect them from cyber crime. SSL only protects data in transit between a visitor’s browser and the web server; it does not make the website itself, or the code running on it, secure.

To understand why, let’s unpack what SSL is and how it impacts your website’s security.

What is SSL?

Continue reading SSL Within the Context of Website Security at Sucuri Blog.

It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.

The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.

Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”

For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.

A journalist at the St. Louis Post-Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.

The St. Louis Post-Dispatch and their journalist did exactly the right thing: they confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then the St. Louis Post-Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed – and so that other researchers, vendors, and operations staff can learn from this mistake.

What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.

And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”

All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.

Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.

So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.

Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.

And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie WarGames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.

If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.

It’s not you. It’s them.

Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)

The post It’s Not You. It’s Them. On Hacking and Responsible Disclosure. appeared first on Wordfence.
