On October 6, 2020, our Threat Intelligence team discovered a high-severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,500 installations that claims top market share in Japan.
After we completed our investigation, we contacted the plugin's publisher, Collne Inc., on October 9, 2020. Full disclosure was sent on October 12, 2020, and the plugin was patched in version 1.9.36 on October 20, 2020.
Wordfence Premium customers received a firewall rule protecting against this vulnerability on October 9, 2020. Sites still using the free version of Wordfence will receive this rule after 30 days, on November 8, 2020.
Affected Plugin: Welcart e-Commerce
Plugin slug: usc-e-shop
Affected Versions: < 1.9.36
CVE ID: Pending
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 1.9.36
Welcart e-Commerce is a WordPress plugin that can be used to create an online store with a separate customer account area. It uses its own cookies, separate from the ones used by WordPress, to track user sessions. Every request to the site results in the usces_cookie being parsed by the get_cookie function. This function used usces_unserialize to decode the contents of this cookie.
    function get_cookie($key='usces_cookie') {
        // The cookie value is attacker-controlled input.
        $values = isset($_COOKIE[$key]) ? usces_unserialize(stripslashes($_COOKIE[$key])) : NULL;
        return $values;
    }

    function usces_unserialize( $data ) {
        // Anything that looks like PHP-serialized data is passed to unserialize().
        if( is_serialized( $data ) )
            return @unserialize( $data );
        if( is_array( $data ) )
            return $data;
        return @json_decode( $data, true );
    }
Unfortunately, this meant that an attacker could send a request with the usces_cookie parameter set to a specially crafted string which, once unserialized, would inject a PHP object.
PHP Object Injection requires a vulnerable magic method to be present in order to be fully exploited through what is known as a POP chain. We've covered POP chains in a previous post. A POP chain allows an attacker to use what are known as magic methods to obtain remote code execution, delete arbitrary files, or perform other actions that could allow them to take over a site.
This plugin included a library, tcpdf, that contains a __destruct magic method that could have been used to create a POP chain under other circumstances. Fortunately, a complete POP chain was not present because the plugin unserialized the cookie before the TCPDF class was loaded and defined, so it was not possible to inject an object of this class.
In more good news, this vulnerability could not be exploited in conjunction with the recently patched issue in the WordPress core's Requests_Utility_FilteredIterator class, since the usces_unserialize function used the is_serialized function to decide whether to unserialize the cookie data, and attacks against Requests_Utility_FilteredIterator would fail this check.
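The cookie-decoding pattern described above, next to two hardened alternatives, as an added example that is not Welcart's patch or Wordfence's code. DemoGadget, the decode_cookie_* functions, has_object and the sample cookie strings are all constructed for illustration; the legacy variant assumes PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added illustration; every name below is hypothetical, not Welcart code.
// Constructed stand-in for a class whose destructor has a side effect.
class DemoGadget {
    public static $log = [];
    public $note = 'default';
    public function __destruct() { self::$log[] = $this->note; }
}

// Pattern from the advisory: a serialized cookie value is unserialized as-is.
function decode_cookie_unsafe(string $raw) {
    return @unserialize($raw);
}

// Hardened: treat the cookie as JSON only, so no class is ever instantiated.
function decode_cookie_json_only(string $raw): ?array {
    $v = json_decode($raw, true);
    return is_array($v) ? $v : null;
}

// True if $v is an object or an array that contains one at any depth.
function has_object($v): bool {
    if (is_object($v)) { return true; }
    if (!is_array($v)) { return false; }
    foreach ($v as $item) {
        if (has_object($item)) { return true; }
    }
    return false;
}

// Transitional: still reads legacy serialized arrays, but refuses any object.
function decode_cookie_legacy(string $raw): ?array {
    $v = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($v) && !has_object($v)) ? $v : null;
}

// Constructed sample cookie values.
$object = 'O:10:"DemoGadget":1:{s:4:"note";s:8:"injected";}';
$legacy = 'a:1:{s:4:"name";s:5:"alice";}';
$json   = '{"name":"alice"}';

decode_cookie_unsafe($object);   // result discarded, so the object is destroyed
echo 'unsafe, destructor log: ', json_encode(DemoGadget::$log), "\n";
DemoGadget::$log = [];
echo 'json-only on object:    ', json_encode(decode_cookie_json_only($object)), "\n";
echo 'legacy on object:       ', json_encode(decode_cookie_legacy($object)), "\n";
echo 'hardened destructor log:', json_encode(DemoGadget::$log), "\n";
echo 'legacy on array:        ', json_encode(decode_cookie_legacy($legacy)), "\n";
echo 'json-only on JSON:      ', json_encode(decode_cookie_json_only($json)), "\n";
```

The JSON-only decoder is the stronger of the two, since it removes unserialize() from the request path entirely; the legacy decoder is only for sites that must keep reading cookies written in the old serialized format.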
Timeline
October 6, 2020 – Our Threat Intelligence team discovers a PHP Object Injection vulnerability in Welcart e-Commerce.
October 9, 2020 – Our Threat Intelligence team finishes analyzing the vulnerability and contacts the plugin's author. A firewall rule is released for Wordfence Premium users.
October 12, 2020 – We send the full disclosure to the plugin's publisher.
October 20, 2020 – An adequate patch for Welcart e-Commerce is released.
November 8, 2020 – The Wordfence firewall rule becomes available to sites running the free version of Wordfence.
Conclusion
In today's article, we detailed a PHP Object Injection vulnerability in the Welcart e-Commerce plugin. Wordfence Premium users have been protected against this vulnerability since October 9, 2020. Sites still running the free version of Wordfence will receive the firewall rule on November 8, 2020.
We strongly recommend updating to the latest version, 1.9.38 as of this writing, as soon as possible. If someone you know is using Welcart e-Commerce, we recommend sharing this advisory with them so they can take the necessary action to protect their site.
The post Object Injection Vulnerability in Welcart e-Commerce Plugin appeared first on Wordfence.