Support » Plugin: WP Super Cache » PHP Object Injection

  • Hello, while working on the plugin I managed to find a serious vulnerability.
    User input reaches a sensitive sink when the function wp_cache_serve_cache_file() is called.
    When user input is parsed by the unserialize() function, an attacker may abuse this by supplying serialized objects that will be used in the current application scope.
    The vulnerability is also triggered in:
    /wpcache/advanced-cache.php
    /wpcache/wp-cache-phase2.php

    CODE:

    /wpcache/wp-cache-phase1.php

        $wp_cache_key = get_wp_cache_key();
        $key = $blogcacheid . md5( $wp_cache_key );

        $wp_cache_key = $blogcacheid . $wp_cache_key;

        $cache_filename = $file_prefix . $key . '.html';
        $meta_file = $file_prefix . $key . '.meta';
        $cache_file = realpath( $blog_cache_dir . $cache_filename );
        $meta_pathname = realpath( $blog_cache_dir . 'meta/' . $meta_file );
        return compact( 'key', 'cache_filename', 'meta_file', 'cache_file', 'meta_pathname' );
    }

    function wp_cache_serve_cache_file() {
        global $key, $blogcacheid, $wp_cache_request_uri, $file_prefix, $blog_cache_dir, $meta_file, $cache_file, $cache_filename, $meta_pathname, $wp_cache_gzip_encoding, $meta;
        global $wp_cache_object_cache, $cache_compression, $wp_cache_slash_check, $wp_supercache_304, $wp_cache_home_path, $wp_cache_no_cache_for_get;
        global $wp_cache_disable_utf8, $wp_cache_mfunc_enabled;

        extract( wp_super_cache_init() );

        if ( wp_cache_user_agent_is_rejected() ) {
            wp_cache_debug( "No wp-cache file served as user agent rejected.", 5 );
            return false;
        }

        if ( $wp_cache_no_cache_for_get && false == empty( $_GET ) ) {
            wp_cache_debug( "Non empty GET request. Caching disabled on settings page. " . serialize( $_GET ), 1 );
            return false;
        }

        if ( $wp_cache_object_cache && wp_cache_get_cookies_values() == '' ) {
            if ( !empty( $_GET ) ) {
                wp_cache_debug( "Non empty GET request. Not serving request from object cache. " . serialize( $_GET ), 1 );
                return false;
            }

            $oc_key = get_oc_key();
            $meta_filename = $oc_key . ".meta";
            if ( gzip_accepted() ) {
                $oc_key .= ".gz";
                $meta_filename .= ".gz";
            }
            $cache = wp_cache_get( $oc_key, 'supercache' );
            $meta = unserialize( wp_cache_get( $meta_filename, 'supercache' ) );
            if ( is_array( $meta ) == false ) {
                wp_cache_debug( "Meta array from object cache corrupt. Ignoring cache.", 1 );
                return true;
            }
        } elseif ( file_exists( $cache_file ) ) {
            wp_cache_debug( "wp-cache file exists: $cache_file", 5 );
            if ( !( $meta = unserialize( @file_get_contents( $meta_pathname) ) ) ) {
                wp_cache_debug( "couldn't load wp-cache meta file", 5 );
                return true;
            }

    OWASP
    Best Regards
    https://wordpress.org/plugins/wp-super-cache/
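
A defensive way to decode the metadata that the two unserialize() calls quoted in the post read, as an added example that is not part of the original post or the plugin's code. The class DemoSideEffect, the helpers contains_object() and load_meta_safely(), and the sample data are constructed for illustration; PHP 7.0 or later is assumed.

```php
<?php
// Added example: constructed class and data, not WP Super Cache code.
// Stand-in for any loaded class whose magic method runs during unserialize().
class DemoSideEffect {
    public static $woke = 0;
    public function __wakeup() {
        self::$woke++;
    }
}

// True if $value is, or contains at any array depth, an object.
// __PHP_Incomplete_Class is tested explicitly because is_object() returned
// false for it before PHP 7.2.
function contains_object( $value ) {
    if ( is_object( $value ) || $value instanceof __PHP_Incomplete_Class ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical helper: decode cache metadata without instantiating classes.
function load_meta_safely( $raw ) {
    if ( ! is_string( $raw ) || '' === $raw ) {
        return false;
    }
    // allowed_classes => false (PHP 7.0+) maps every serialized object to
    // __PHP_Incomplete_Class, so no __wakeup() or __destruct() of a real class runs.
    $meta = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $meta ) || contains_object( $meta ) ) {
        return false;
    }
    return $meta;
}

// Constructed inputs: plain metadata, and metadata carrying an object.
$good    = serialize( array( 'headers' => array( 'Content-Type: text/html' ) ) );
$tainted = serialize( array( 'headers' => array( new DemoSideEffect() ) ) );
unserialize( $tainted );                  // the pattern quoted in the post
$woke_plain = DemoSideEffect::$woke;      // __wakeup() ran during decoding
$rejected   = load_meta_safely( $tainted );
$woke_safe  = DemoSideEffect::$woke - $woke_plain; // further __wakeup() calls
var_dump( $woke_plain, $rejected, $woke_safe, load_meta_safely( $good ) );
```

Metadata that only ever holds arrays and scalars can also be stored with json_encode() and read back with json_decode(), which has no object-instantiation path at all.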

Viewing 1 replies (of 1 total)
  • The topic ‘PHP Object Injection’ is closed to new replies.