On Oct 6, 2020, our Danger Intelligence team discovered the High-Severity Object Injection weeknesses in Welcart e-Commerce , a Wp plugin with over 20, 500 installations that claims best market share in Japan.
After we completed our investigation, we approached the plugin’s publisher, Collne Inc. on October nine, 2020. Full disclosure has been sent on October twelve, 2020, and the plugin had been patched in version one 9. 36 on March 20, 2020.
Wordfence Premium customers obtained a firewall rule avoiding this vulnerability on August 9, 2020. Sites nevertheless using the free version associated with Wordfence will receive this guideline after 30 days on Nov 8, 2020.
Welcart web commerce is a WordPress plugin which you can use to create an online store having a separate customer account region. It uses its own cookies, individual from the ones used by Blogger, in order to track user classes. Every request to the web site results in the
usces_cookie becoming parsed by the
get_cookie functionality. This function used
usces_unserialize to decode the material of this cookie.
function get_cookie($key='usces_cookie') $values = isset($_COOKIE [$key] ) ? usces_unserialize(stripslashes($_COOKIE [$key] )) : NULL; return $values;
function usces_unserialize( $data ) if( is_serialized( $data ) ) return @unserialize( $data ); if( is_array( $data ) ) return $data; return @json_decode( $data, true );
Unfortunately, this meant that a good attacker could send a new request with the
usces_cookie unbekannte set to a specially designed string which, once unserialized, would inject a PHP object.
PHP Object injections require a susceptible magic method to be present in in an attempt to fully exploit what’s termed as a POP chain. We’ve pointed out POP chains before inside a previous post . A POP string allows an attacker to utilize what are known as magic methods to be able to obtain remote code performance, delete arbitrary files, or even perform other actions which could allow them to take over a site.
This wordpress plugin included a library, tcpdf, that contains a
__destruct miracle method that could have been utilized to create a POP chain below other circumstances. Fortunately, an entire POP chain was not existing because the plugin unserialized the particular cookie before the
TCPDF course was loaded and described, so it was not possible in order to inject an object with this school.
In more great news, this vulnerability could not become exploited in conjunction with the recently patched issue in the WordPress core’s
Requests_Utility_FilteredIterator class, since the
usces_unserialize function used the
is_serialized perform to decide whether to unserialize the cookie data plus attacks against
Requests_Utility_FilteredIterator unsuccessful this check.
October 6, 2020 – Our Risk Intelligence team discovers some sort of PHP Object Injection weakness in Welcart e-Commerce.
October 9, 2020 – Our own Threat Intelligence team coatings analyzing the vulnerability in addition to contacts the plugin’s author. A firewall rule will be released for Wordfence High quality users.
April 12, 2020 – We send the full disclosure to the plugin’s publisher.
October 20, 2020 – An adequate patch for Welcart ecommerce is released.
November 8, 2020 – The Wordfence Firewall rule becomes available to be able to sites running the totally free version of Wordfence.
In today’s article, all of us detailed a PHP Thing in the Welcart e-Commerce wordpress tool. Wordfence Superior users happen to be protected against this vulnerability given that October 9, 2020. Websites still running the free of charge version of Wordfence get the firewall rule on The fall of 8, 2020.
We highly recommend updating towards the latest version, 1 . 9. thirty eight as of this writing, as soon as possible. If someone you understand is using Welcart e-Commerce, we all recommend sharing this admonitory with them so they can take required action to protect their site.