Disclosure: Insecure Nonce Generation in WPTouch
If you use the popular WPTouch plugin (5m+ downloads) on your WordPress website, you should update it immediately.
During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a logged-in user with no administrative privileges (such as a subscriber or an author) to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malware and effectively take over the site.
So to make a long story short, if you’re running WPTouch, then update immediately!
What are the risks?
First of all, this vulnerability can only be triggered if your website allows guest users to register. If your site falls within this category, a logged-in attacker could potentially take over your website by uploading a backdoor (remote shell) inside your website’s directories, allowing him to do anything he wants with your site.
Technical Details
If you read our last disclosure, you may remember that we mentioned that the WordPress “admin_init” hook should not be used as an authentication method. This bug illustrates another, more subtle, reason that the “admin_init” hook should not be used in this way.
In the file “core/class-wptouch-pro.php”, the “admin_initialize()” method was called by the “admin_init” hook.
Here is the interesting piece of it:
    function admin_initialize() {
        (…)
        // load the rest of the admin scripts when we're looking at the WPtouch Pro page
        if ( $this->admin_is_wptouch_page() ) {
            (…)
        } else {
            $localize_params = array(
                'admin_url'   => get_bloginfo( 'wpurl' ) . '/wp-admin',
                'admin_nonce' => wp_create_nonce( 'wptouch_admin' )
            );
            (…)
            // Set up AJAX requests here
            wp_localize_script( 'wptouch-pro-other-admin', 'WPtouchCustom', $localize_params );
        }
        (…)
    }
Notice that the admin nonce is generated and then handed to a script in WordPress’s script queue, where any logged-in user who loads an admin page can read it. You can probably see where we’re going with this.
    function handle_upload_file() {
        $this->cleanup_post_and_get();
        header( 'HTTP/1.1 200 OK' );
        $nonce = $this->post[ 'wp_nonce' ];
        if ( wp_verify_nonce( $nonce, 'wptouch_admin' ) ) {
            switch ( $this->post[ 'file_type' ] ) {
                (…some upload mechanism…)
            }
        }
        die;
    }
This same nonce was the only check used to decide whether a user could upload files to the server. Since the script used no other form of identification to verify the user’s privilege to upload files, any logged-in user in possession of the nonce could complete the upload.
All an attacker had to do in order to compromise a vulnerable website was:
- Log in and obtain the nonce via wp-admin
- Send an AJAX file upload request containing the leaked nonce and the backdoor
For developers, the key takeaway from all of this should be to never rely on nonces alone to protect sensitive methods. A nonce only shows that a request originated from a page the user loaded; it says nothing about what that user is permitted to do. Always add a capability check such as “current_user_can()” to confirm the user’s right to perform the action.
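To make the takeaway concrete, here is an added example (not WPtouch’s code, and not the patch the WPTouch team shipped) of a minimal WordPress AJAX upload handler written first in the weak pattern described above and then in a hardened form. The hook names, handler names and the “example_” prefix are assumptions for illustration; “check_ajax_referer()”, “current_user_can()”, “wp_check_filetype_and_ext()” and “wp_handle_upload()” are standard WordPress functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are assumed.

// WEAK PATTERN: admin_init fires for every logged-in user who loads wp-admin
// or admin-ajax.php, so the nonce is exposed to subscribers as well as admins.
add_action( 'admin_init', 'example_weak_admin_initialize' );
function example_weak_admin_initialize() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'ExampleAdmin', array(
        'admin_url'   => admin_url(),
        'admin_nonce' => wp_create_nonce( 'example_admin' ),
    ) );
}

// WEAK PATTERN: the nonce is the only gate, so any logged-in user who read the
// localized nonce above passes this check regardless of role.
add_action( 'wp_ajax_example_weak_upload', 'example_weak_upload_handler' );
function example_weak_upload_handler() {
    if ( wp_verify_nonce( $_POST['wp_nonce'] ?? '', 'example_admin' ) ) {
        example_store_uploaded_file( $_FILES['file'] ?? null );
    }
    wp_die();
}

// HARDENED PATTERN, step 1: only hand the nonce to users who may actually
// upload, so it is never localized into a page a subscriber sees.
add_action( 'admin_init', 'example_admin_initialize' );
function example_admin_initialize() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'ExampleAdmin', array(
        'admin_url'   => admin_url(),
        'admin_nonce' => wp_create_nonce( 'example_admin' ),
    ) );
}

// HARDENED PATTERN, step 2: verify the nonce (CSRF protection) AND the
// capability (authorization). These are two different questions.
add_action( 'wp_ajax_example_upload', 'example_upload_handler' );
function example_upload_handler() {
    // Ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_admin', 'wp_nonce' );

    // Authorization: subscribers lack 'upload_files' by default and stop here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $file = $_FILES['file'] ?? null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Only file types allowed for this user pass; a .php upload yields an
    // empty ext/type pair and is rejected before touching the filesystem.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }

    // wp_handle_upload() applies WordPress's own upload restrictions again
    // and stores the file in the uploads directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

function example_store_uploaded_file( $file ) {
    // Stand-in for the upload mechanism the post elides; deliberately empty.
}
```

The two halves of the hardened version matter together: restricting where the nonce is localized limits who can obtain it, and the capability check inside the handler ensures that even a leaked nonce is not enough on its own. The weak handler is kept here only to show, side by side, what the fix changes.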
Update as soon as possible!
This vulnerability illustrates, yet again, the reason that attackers will always be able to find some way into your system. If you’d been adhering to the principle of least privilege, you would still be vulnerable because of a small error in the code, and since humans write code, there will always be errors that attackers will be able to exploit.
In this case, the good news is that we disclosed the vulnerability to the WPTouch team and they swiftly published a patch correcting the issue (version 3.4.3 – WPTouch Changelog). To fix it on your website, all you have to do is update the plugin from your administration panel. And as we said before, you should do so ASAP.
Finally, if you’re noticing anything strange with your website, make sure to check out our easy to understand malware symptoms. If you need help, we’re always available to take a look at your website to make sure hackers haven’t taken control of your environment.
For our customers: The good news is that every website that is protected by our Website Firewall – CloudProxy is already protected against this vulnerability, so that means your website is secure.