Disclosure: Insecure Nonce Generation in WPTouch

If you use the popular WPTouch plugin (5m+ downloads) on your WordPress website, it is time to update now.

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could allow a logged-in user with no administrative privileges (such as a subscriber or an author) to upload arbitrary PHP files to the target server. Someone with bad intentions could upload PHP backdoors or malware and basically take over the site.

So, are you running WPTouch? Update now!

What are the risks?

First of all, this vulnerability can only be triggered if your website allows guest users to register. If you fall into this category, a logged-in attacker could potentially take over your website by uploading a backdoor (remote shell) inside your website’s directories, allowing him to do anything he wants with your website.

Technical Details

Remember in our last disclosure when we mentioned that the WordPress “admin_init” hook should not be used as an authentication method? Well, this bug is another case where, unfortunately, it was used as such (though in more subtle ways).

In the file “core/class-wptouch-pro.php”, the “admin_initialize()” method was called by the “admin_init” hook.

This is the interesting piece of it:

function admin_initialize() {
    (…)
    // load the rest of the admin scripts when we're looking at the WPtouch Pro page
    if ( $this->admin_is_wptouch_page() ) {
        (…)
    } else {
        $localize_params = array(
            'admin_url'   => get_bloginfo( 'wpurl' ) . '/wp-admin',
            'admin_nonce' => wp_create_nonce( 'wptouch_admin' )
        );

        (…)
        // Set up AJAX requests here
        wp_localize_script( 'wptouch-pro-other-admin', 'WPtouchCustom', $localize_params );
    }
    (…)
}

Notice that the admin nonce is generated and then handed to a script in WordPress’s script queue even when the user is not on the WPtouch Pro page? Can you see where we’re going with this?

function handle_upload_file() {
    $this->cleanup_post_and_get();
    header( 'HTTP/1.1 200 OK' );
    $nonce = $this->post[ 'wp_nonce' ];
    if ( wp_verify_nonce( $nonce, 'wptouch_admin' ) ) {
        switch ( $this->post[ 'file_type' ] ) {
            (…some upload mechanism…)
        }
    }
    die;
}

This same nonce was also used to decide whether or not a user could upload files to the server. Since the script performed no other check of the user’s privilege to upload files, any logged-in user holding the nonce could complete the upload.

All an attacker had to do in order to compromise a vulnerable website was to:

  1. Log in and get his nonce via wp-admin
  2. Send an AJAX file upload request containing the leaked nonce and his backdoor

So, long story short – don’t rely on nonces alone to protect sensitive methods; always add a capability check such as “current_user_can()” or the like to confirm the user’s right to perform the action.
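As an added illustration of that lesson (example code written for this page, not WPTouch’s own code), here is how a WordPress AJAX upload endpoint can avoid both mistakes seen above: the nonce is only handed to users who may actually use the endpoint, and the handler checks the nonce (a CSRF token) and the user’s capability (authorization) separately. The plugin slug “myplugin”, the action name “myplugin_upload”, the menu hook suffix “toplevel_page_myplugin” and the choice of the “upload_files” capability are assumptions for the example; all WordPress functions used are real core APIs.

```php
<?php
// Added example, not WPTouch's code. Names prefixed "myplugin" are assumptions.

// 1. Hand the nonce only to users who are on the plugin's own admin page AND
//    hold the capability the endpoint requires. Emitting it from a generic
//    admin_init hook leaks it to every logged-in user, subscribers included.
function myplugin_enqueue_admin_scripts( $hook_suffix ) {
    // 'toplevel_page_myplugin' is the assumed hook suffix of the plugin's menu page.
    if ( 'toplevel_page_myplugin' !== $hook_suffix || ! current_user_can( 'upload_files' ) ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'MyPluginAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_upload' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_scripts' );

// 2. The handler verifies two independent things. The nonce proves the request
//    originated from a page we rendered for this user (anti-CSRF); the
//    capability proves this user is allowed to upload at all (authorization).
//    Passing the nonce check says nothing about the second question.
function myplugin_handle_upload() {
    // check_ajax_referer() runs wp_verify_nonce() on the 'nonce' request field
    // and terminates the request (-1) when the nonce is missing or invalid.
    check_ajax_referer( 'myplugin_upload', 'nonce' );

    // This is the check the vulnerable handler above lacked.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied.' ), 400 );
    }

    // wp_handle_upload() validates the extension and MIME type against
    // get_allowed_mime_types(); PHP files are never in that list, so a PHP
    // backdoor is rejected even when the uploader is authorized.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_myplugin_upload', 'myplugin_handle_upload' );
// No wp_ajax_nopriv_ registration on purpose: anonymous requests never reach the handler.
```

The order of the checks matters less than their presence: a nonce is per-user and per-action, so it prevents a forged cross-site request, but any user who can obtain one for himself (as every logged-in user could in WPTouch) will pass it. Only the capability check answers whether that user should be uploading at all.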

Update as soon as possible!

The good thing is that we responsibly disclosed the vulnerability to the WPTouch team, who swiftly put a patch online correcting this issue (version 3.4.3 – WPTouch Changelog). So, to correct this issue on your website, all you have to do is update the plugin from your administration panel.

For our customers: the good news is that any website behind our Website Firewall – CloudProxy is already protected against this vulnerability.

Read more: Disclosure: Insecure Nonce Generation in WPTouch

Story added 14 July 2014; the full text is available from the content source linked above.