Welcome to the Patchstack Weekly Security Update, Episode 66! This update is for week 15 of 2023.
This week’s knowledge share is about a rare but serious security bug that can be found in any PHP application. Luckily it is easy to avoid and WordPress has a built-in function that developers can utilize to help secure against it.
I will then cover 3 security bugs that were patched recently in this week’s vulnerability roundup.
How to prevent insecure inclusion bugs
Inclusion is a good thing, open source communities are all about inclusion. But inclusion has its limits, like inclusion of security bugs – we don’t want to include those in our PHP code.
What are inclusion security bugs?
Inclusion security bugs are caused when user-controlled data is sent to PHP’s include or require functions. This can lead to arbitrary code execution or disclosure of sensitive data (such as a server’s /etc/passwd file) because the purpose of these functions is to read and execute the contents of the file as if it was part of the PHP application.
There are two primary types of inclusion security bugs:
- Local File Inclusion (LFI for short)
- Remote File Inclusion (RFI for short)
When it comes to Local File Inclusion, the code can be tricked in to reading any file in the file system and either displaying the contents or executing it as PHP. This may seem harmless, however, if attackers can upload files or in some cases include the web server’s log files then arbitrary execution can occur.
With Remote File Inclusion, the risk is the same but remote files make it much easier for attackers to control the code being executed as well. Luckily default PHP configurations protect against this.
Both types of inclusion security bugs are dangerous, so let’s now talk about how to secure against them.
Securing code against inclusion bugs
Inclusion security bugs are caused when the user controls what file or URL will be included. The fix for these types of bugs will come down to limiting or validating what users are allowed to pass through to the dangerous function (include or require in this case.)
WordPress includes a handy filename sanitize function called sanitize_file_name(). If you intend to use a user-supplied value as a file name, the sanitize_file_name function will strip out any character that does not belong in a file’s name. This includes slashes, so that will protect against directory traversal concerns too.
I already mentioned default PHP configurations protection against remote file includes, but since open source projects do not control PHP configurations it’s a good idea to code defensively to protect end users. There are no easy built in functions to address this, but you can use a function like stripos() to inspect the variable to see if it looks like a URL (e.g.. does it start with http:// or https:// ? ) and disallow it.
Another defensive coding tactic that applies to both LFI and RFI is to hard code the path of the file you plan to include (be sure to sanitize the file name.) This will protect against URLs being used, ensure you are reading a file located in a place you expect it, and protects against directory traversal concerns.
Developers of the User Role by BestWebSoft (slug name user-role) patched a serious CSRF bug. This bug could have allowed user privilege escalation on the website, if attackers can trick logged in users to visit a specially crafted link.
The developers of wp-easycart patched a local file inclusion bug last month. It requires a high privileged user (administrator) account to perform the attack, which reduces its relevant severity. It is still great that they addressed this bug, and site owners should update as soon as they can.
The developers for Advanced Custom Fields patched an authenticated PHP Object Inject bug in their code base recently. The developers also provided a backport for this patch, according to their [detailed release notes] users should upgrade to either ACF 5.12.5 or 6.0.7 to address this bug on their websites.
Thanks and appreciation
This week’s thanks go out to the developers of User Role (Best Web Soft), wp-easycart (WP Easy Cart), and Advanced Custom Fields (WPEngine). These developers did a great job addressing those security bugs and ensuring their end-user websites are safe and secure.
I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!