
WordPress Web API Vulnerability


On Tuesday, February 1, 2017, security vendor Sucuri disclosed a severe vulnerability in the WordPress REST API in versions prior to 4.7.2. The vulnerability allows remote, unauthenticated and easily automated modification of blog post and page content by manipulating a parameter in the request payload. Sucuri, Inc. notified Akamai of this vulnerability in advance of the public disclosure, which allowed the Threat Research team to internally confirm exploitability and to develop a new rule for Kona Site Defender designed to protect customers from this vulnerability. It is important to understand the new WordPress REST API before we discuss the technical details of the vulnerability.

What is REST?

REST stands for Representational State Transfer. It is a stateless client-server protocol that is mostly used over HTTP. You can read about REST on Wikipedia for more information. In short, REST is used so that other websites, mobile applications, desktop and server software, and other components can programmatically retrieve data easily and automatically, without needing to access the website from a browser. This is what allows your information to be communicated across multiple websites as you browse the Internet.


[image not reproduced in this copy]

WordPress REST API was first introduced into the WordPress core in version 4.4 back on December 8, 2015. The documentation site gives the following introductory information:


[image: introductory text from the WordPress REST API documentation site (screenshot not reproduced in this copy)]

As an example of usage, if we send a GET request to the URL http://www.some.site/wp-json/wp/v2/posts/ we will see the following JSON response data:


[image: JSON response returned for the GET request to /wp-json/wp/v2/posts/ (screenshot not reproduced in this copy)]

Because the data is returned in JSON format, it is easily parsed and consumed by third-party applications.

Updating Blog Content

One use of REST is allowing an authenticated user to create or update a blog post through this new API interface. They could send a POST request using the following example format:


[image: example POST request used by an authenticated user to update a post (screenshot not reproduced in this copy)]

However, if an unauthenticated user were to send the same POST request, they would receive a 401 Unauthorized HTTP status code and a JSON error message like the following:


[image: 401 Unauthorized response with JSON error body (screenshot not reproduced in this copy)]

New Security Risks?

A WordPress security company recently released a blog post covering the WordPress REST API and posed the following prophetic question:


[image: quoted question from the security company's blog post (screenshot not reproduced in this copy)]

Type Juggling vs. Type Casting

The exploitation of this vulnerability relies on the abuse of a programming feature known as type juggling. Type juggling is where the developer allows the type of the data being entered to be determined by its context. Here is a snippet from the PHP documentation:


[image: PHP documentation excerpt on type juggling (screenshot not reproduced in this copy)]

Compare this to type casting, where the developer explicitly defines how the data should be treated:


[image: PHP documentation excerpt on type casting (screenshot not reproduced in this copy)]

The PHP documentation also states the following regarding type juggling:

It may not be obvious exactly what will happen when casting between certain types.

That phrase should make PHP developers nervous, as it could indicate other problems.

POST Schema Objects

The WP REST API documentation shows the following information for the POST Schema:


[image: POST Schema table from the WP REST API documentation (screenshot not reproduced in this copy)]

Notice the "id" object entry. Although the Schema specifies that "id" should contain an integer value, there were locations within wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php and other files where the "id" value was not properly cast as an integer. The result is that, by including an "id" parameter value in either the query string or the POST payload that contains any non-numeric character, authorization checks can be bypassed.

Exploiting the Type Juggling Flaw

All an attacker needs to do in order to exploit this flaw is to include an "id" parameter value that is not an integer. Here is an example of a web defacement attack as captured by Burp Repeater:


[image: Burp Repeater capture of the request (left pane) and the 200 OK response (right pane) (screenshot not reproduced in this copy)]

In the left-hand window pane, you can see a new "id" parameter added to the normal JSON request body content. The alphanumeric text in that parameter field abuses the type juggling feature in PHP and causes the authentication/authorization checks to fail open. The right-hand window shows that the response HTTP status code is 200 OK and that the JSON body includes the new blog post content sent in the request. This vulnerability can be used for defacements and/or disinformation by malicious actors.

Modification of blog post or web page content is not the only potential outcome. Remote command execution (RCE) may also be possible, depending on which WordPress plugins are installed and enabled. This vulnerability has been designated HIGH severity for the following reasons:

Remotely exploitable

Unauthenticated

Attack vectors are easily adapted to mass exploitation within scripts

The REST API is enabled by default on all WordPress sites.

WordPress Security Patches

The WordPress development team updated its code to fix this vulnerability by adding additional logic to ensure that the "id" parameter values are properly cast as integers. Here is an example of this update code from the official Git repository for version 4.7.2:

[image: patch from the official Git repository for version 4.7.2 (screenshot not reproduced in this copy)]
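The patch screenshot is not reproduced in this copy. As an added illustration that is not WordPress's own code and not the 4.7.2 patch, the constructed PHP below models the pattern the article describes: a permission check that looks up the post with a strict, non-juggling lookup (so a value like "123abc" finds nothing and the check passes), while the update path casts the same value with (int) and edits post 123 anyway. The hardened version validates the parameter as a canonical integer once, before any lookup, and uses that single normalized value for both the authorization decision and the update. The in-memory $posts array, the find_post_strict helper, the error strings and the function names are all assumptions made for this example.

```php
<?php
// Added illustration (not WordPress code): how a permission check and the action
// it guards can disagree about the same "id" parameter under PHP type juggling,
// and one way to close the gap. Everything here is constructed for the example.

// Constructed in-memory "database" of posts: id => post record.
$posts = [
    123 => ['id' => 123, 'title' => 'Hello world', 'author' => 'alice'],
];

// Strict lookup that rejects anything that is not a whole number, so a value
// such as "123abc" finds nothing (returns null) rather than being juggled.
function find_post_strict(array $posts, $id): ?array
{
    if (!is_numeric($id) || $id != floor($id)) {
        return null;
    }
    return $posts[(int) $id] ?? null;
}

// Vulnerable flow: the permission check only fails when a post is *found* and
// the caller may not edit it. A non-numeric id finds nothing, so the check
// passes; the update path then casts the same string with (int), which
// silently turns "123abc" into 123, and the edit goes through unauthorized.
function update_post_vulnerable(array &$posts, $id, string $new_title, bool $is_author): string
{
    $post = find_post_strict($posts, $id);
    if ($post !== null && !$is_author) {
        return 'rest_cannot_edit';          // only reachable with a clean numeric id
    }
    $int_id = (int) $id;                    // type juggling: "123abc" becomes 123
    if (!isset($posts[$int_id])) {
        return 'rest_post_invalid_id';
    }
    $posts[$int_id]['title'] = $new_title;  // edit happens without an authorization decision
    return 'updated';
}

// Hardened flow: validate the parameter as a canonical positive integer before
// any lookup, then use that one normalized value in both the check and the update.
function update_post_hardened(array &$posts, $id, string $new_title, bool $is_author): string
{
    $int_id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int_id === false) {
        return 'rest_invalid_param';        // "123abc", "12.5", "" are all rejected here
    }
    if (!isset($posts[$int_id])) {
        return 'rest_post_invalid_id';
    }
    if (!$is_author) {
        return 'rest_cannot_edit';          // authorization is decided on the real post
    }
    $posts[$int_id]['title'] = $new_title;
    return 'updated';
}

// Demonstration with an unauthenticated caller ($is_author = false).
$copy = $posts;
echo 'vulnerable, id "123abc": ', update_post_vulnerable($copy, '123abc', 'defaced', false), "\n";
$copy = $posts;
echo 'hardened,   id "123abc": ', update_post_hardened($copy, '123abc', 'defaced', false), "\n";
$copy = $posts;
echo 'hardened,   id "123":    ', update_post_hardened($copy, '123', 'defaced', false), "\n";
```

Run with `php example.php` (PHP 7.1 or later for the nullable return type). The vulnerable function reports the post as updated for the "123abc" value even though the caller is not the author, while the hardened function rejects that value as an invalid parameter and, for the clean value "123", refuses the edit on authorization grounds. The design point is that validation and casting must happen once, up front, so that the authorization check and the guarded action can never be looking at two different interpretations of the same input.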
