Vulnerability examples using eval() plug-ins in WordPress

I have inherited a WordPress website that uses the RunPHP plug-in for executing snippets of PHP code in between posts. I have a feeling that this isn't the best way to implement such functionality. But since this is legacy code that has been functionally correct for a very long time, I'll need some solid examples of problem scenarios.

For those not familiar with RunPHP, it is a plug-in which executes PHP code embedded inside the Post or Page body using eval(). The code block is never received from the user, but entered into the database by the site owner / content creator.

The use case for this plug-in in our context is as follows.

A form is created as a Post, whose submit action is set to a Page (let's call it form handler). The form handler contains PHP code in its body and the RunPHP plug-in is activated for that Page. When the form gets submitted, the form handler receives the data and the PHP code in its body is executed.

This is besides some rather glaring security issues in the form handler code (dynamic user-submitted variable evaluation, no input-sanitization, no parametrized SQL queries).

Can somebody here verify my doubts about runtime code execution plug-ins in WP?

Much appreciated.

Form code in a Post -

<form action="/?p=1234" method="post">
    <input name="foobar" type="text" />
    <input type="submit" />
</form>

Handler code in a Page (this is stored in the database, and eval()-ed at runtime) -

<?php
    $foobar = $_POST["foobar"]; // This contains a SQL-injection vulnerability; But that's a separate issue, I think
    $query = "INSERT INTO table (field) VALUES (\"" . $foobar . "\")"; // Use variable in a query string
?>
Pranav Negandhi Avatar asked Nov 26 '22 05:11



1 Answer

Difficult to say without seeing the actual site/code, but generally eval is a potential gateway for security problems. Imagine your site has an SQL injection problem somewhere: attackers have the possibility to not only inject data but also working PHP code into your application. Eval has some (few) valid areas of use, but in general I'd avoid it. WordPress is quite easy to extend, maybe try porting the functionality to plugins.

maff Avatar answered Nov 27 '22 19:11

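One way to do what the answer suggests, porting the form handler out of an eval()-ed Page and into a small plugin on disk, so that nothing stored in the database is ever executed and the INSERT goes through $wpdb's parameter escaping. This is an added example, not code from the question, from RunPHP or from WordPress; the action name foobar_submit, the [foobar_form] shortcode and the submissions table name are assumptions.

```php
<?php
/**
 * Plugin Name: Foobar Form Handler (added example)
 *
 * Replaces the eval()-ed "form handler" Page from the question. The handler is
 * ordinary plugin code, so no database content is executed, and the INSERT is
 * built by $wpdb with escaping instead of string concatenation. The names
 * foobar_submit, [foobar_form] and the table name are assumed for this example.
 */

// Shortcode that renders the form, so the Post no longer hardcodes /?p=1234.
// admin-post.php is WordPress's standard endpoint for front-end form submissions.
add_shortcode('foobar_form', function () {
    $action = esc_url(admin_url('admin-post.php'));
    ob_start();
    ?>
    <form action="<?php echo $action; ?>" method="post">
        <input type="hidden" name="action" value="foobar_submit" />
        <?php wp_nonce_field('foobar_submit', 'foobar_nonce'); ?>
        <input name="foobar" type="text" />
        <input type="submit" />
    </form>
    <?php
    return ob_get_clean();
});

function foobar_handle_submit() {
    global $wpdb;

    // Rejects the request (HTTP 403) unless the nonce from wp_nonce_field() is valid,
    // which stops cross-site forms from posting into the handler.
    check_admin_referer('foobar_submit', 'foobar_nonce');

    // Remove the slashes WordPress adds to $_POST, then strip tags and control characters.
    $foobar = isset($_POST['foobar']) ? sanitize_text_field(wp_unslash($_POST['foobar'])) : '';

    // $wpdb->insert() escapes each value and builds the query itself, so the
    // concatenated string that made the original handler injectable is gone.
    $wpdb->insert(
        $wpdb->prefix . 'foobar_submissions', // assumed table name
        array('field' => $foobar),
        array('%s')
    );

    // Send the visitor back to the page that held the form instead of admin-post.php.
    wp_safe_redirect(wp_get_referer() ?: home_url('/'));
    exit;
}
// Logged-in and anonymous visitors reach different hooks, so register both.
add_action('admin_post_foobar_submit', 'foobar_handle_submit');
add_action('admin_post_nopriv_foobar_submit', 'foobar_handle_submit');
```

With this in place the RunPHP plug-in can be deactivated, which removes the eval() path the answer warns about entirely rather than hardening one snippet at a time.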