WooThemes WooFramework exploit: Execute any shortcode as an unauthenticated visitor

Update: WooThemes has now bumped their version number and fixed the update bug so please click "Update Framework" inside of the WordPress Admin to grab and install the latest version which patches this bug. - April 29, 10:40am EST

Update: WooThemes says that this is fixed in their latest patch, released just prior to their server hack event this week. However, it appears that their server hack also broke the "Update Framework" function in their themes, so the patch isn't reliably available to existing customers. Additionally, their demo server remains unpatched. See my comments below for more details. - April 29, 10am EST

The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run any shortcode and see its output. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are vulnerable to serious attacks if a WooThemes theme is installed, even if it is not the active theme for the site.

Here is an example right on the WooThemes demo server that allowed me to show a Twitter "follow me" button on their site:

http://demo2.woothemes.com/olya/wp-content/themes/olya/functions/js/shortcode-generator/preview-shortcode-external.php?shortcode=%5Btwitter_follow%20username=%22iota%22%5D

More extreme and malicious uses are left up to the reader; it would be trivial to identify common insecure shortcodes and then attempt them against common WooThemes to attempt to run malicious code on the remote server.

The cause of this is the following code in functions/js/shortcode-generator/preview-shortcode-external.php:

```php
$shortcode = isset($_REQUEST['shortcode']) ? $_REQUEST['shortcode'] : '';

// WordPress automatically adds slashes to quotes
// http://stackoverflow.com/questions/3812128/although-magic-quotes-are-turned-off-still-escaped-strings
$shortcode = strip_tags( stripslashes($shortcode) );

// No login, capability or nonce check precedes this call, so any visitor's
// input reaches do_shortcode() and the rendered result is echoed back.
echo do_shortcode($shortcode);
```
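A hardened form of that previewer, added here as an example that is not WooThemes' code or their actual patch (the thread below reports the vendor ultimately removed the file): it gates the request on a publishing capability and a nonce before anything reaches do_shortcode(), and limits the previewer to the shortcodes it is meant to demonstrate. It assumes WordPress is already loaded and that the admin UI issuing the request emits a nonce for the hypothetical action name 'woo_shortcode_preview'; the allowlist is constructed for illustration.

```php
<?php
// Added example, not WooThemes' code or patch. Assumes WordPress is loaded
// (a standalone file would have to bootstrap it, e.g. via wp-load.php).

// 1. Identity: only users who may publish content may preview shortcodes.
//    The quoted original had no check here, so anonymous visitors could
//    run do_shortcode() on arbitrary input.
if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
    wp_die( 'You are not allowed to preview shortcodes.', 'Forbidden', array( 'response' => 403 ) );
}

// 2. Intent: the nonce ties the request to the admin page that issued it,
//    so a logged-in editor cannot be made to trigger it from another site.
//    'woo_shortcode_preview' is a hypothetical action name.
$nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
if ( ! wp_verify_nonce( $nonce, 'woo_shortcode_preview' ) ) {
    wp_die( 'Invalid or expired preview request.', 'Forbidden', array( 'response' => 403 ) );
}

// 3. Input: keep the original slash handling, then permit only the tags the
//    generator itself offers. $allowed is a constructed list for illustration.
$allowed   = array( 'twitter_follow', 'button', 'box' );
$raw       = isset( $_REQUEST['shortcode'] ) ? $_REQUEST['shortcode'] : '';
$shortcode = strip_tags( stripslashes( $raw ) );

// Reject the request if any tag in the input is outside the allowlist; this
// is what keeps e.g. [php] from being rendered through the previewer even by
// a user who passed the checks above.
if ( preg_match_all( '/\[\s*([a-zA-Z0-9_\-]+)/', $shortcode, $matches ) ) {
    foreach ( $matches[1] as $tag ) {
        if ( ! in_array( $tag, $allowed, true ) ) {
            wp_die( 'Shortcode not permitted in the previewer.', 'Bad Request', array( 'response' => 400 ) );
        }
    }
}

echo do_shortcode( $shortcode );
```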

You should have disclosed this securely and privately to the WooThemes team.

+1 to @jkudish. Jason, are you familiar with the concept of responsible disclosure? Serious question.

"Bad form, Peter!" - Hook

Now even people who didn't know would try to hack on... guys, be responsible to the community...

You've made a bad situation worse by not revealing this first to the WooThemes developers.

Well, to be fair, he may have revealed it to them first. Still a poor choice, though.

@ericgibb even if he did, that's no reason to post it on gist - unless they knew about it for a long time and did nothing about it, which I can guarantee did not happen, knowing the WooThemes team and their positive reputation

If the hack is still live on THEIR server, there's no way he revealed it to them first, unless they are leaving their own servers unpatched still.

I have just sent the message to the Woo team and Adii; let's hope they can quickly get on it, they just had a major DoS attack on the servers.

Good news, this WooFramework vulnerability was in fact patched, see https://twitter.com/#!/ryanr14/status/196461808331132929

Woosh, that was a close call. :P

While it is common practice to responsibly disclose vulnerabilities, Developers still need to practice Responsible Programming to prevent vulnerabilities. Developers should test critical sections of their code-base, and review older areas, before releasing it into the wild.

Also, who created this bug? How long has the bug existed in WooThemes? Will there be a code-audit to find other bugs still lurking in WooThemes?

@yolcu This vulnerability was there all along and users will have to apply a patch or upgrade, regardless of how the vulnerability was disclosed.

This exploit was already fixed, well before this Gist was posted: http://cl.ly/3S2o1z380L3i1D44443A

For the people not on the latest version of the WooFramework: You can download the latest version of WooFramework here: http://cl.ly/2a3j1m351C3u2i0t122j (it is 5.3.10)

Do you know how to manually update the framework? This zip file unzips to a "framework" folder; you need to replace the contents of the "functions" folder of your theme with it. Obviously make a backup of everything before you start.

As a member of the WooThemes team, thanks for reporting, but you really should have reported this to us in the first place. In this case, it was already patched, but in case it wasn't you have successfully found a way to cripple many (many, many, many) websites.

The people criticizing jasongill should think about where to point the blame. Everyone is saying it was irresponsible to release this information but WooThemes knew about this security hole and they quietly fixed it without telling anyone, hoping no one would notice. That's obviously much more irresponsible.

Thank you for releasing this, now the people who weren't running the latest version know that they have to update.

Why the automatic assumption that everybody in this industry consents to the guideline of responsible disclosure?

It's a nice gesture, but it's not mandatory. I laugh at the accusations of lacking morals, and exclamations of ethical high ground.

@coenjacobs Are you seriously suggesting I download a file from a random filesharing site and put it on my webserver? Who are you? Why isn't this hosted on woothemes.com itself?

Additionally, if the hole was already fixed why wasn't the security hole publicised at all? How many people haven't updated because they didn't know a hole was found and patched?

Thanks all for your comments. Regarding responsible disclosure, I'm aware of the concept. I did Google around and looked on the WooThemes site for a security notice address or similar and didn't find one. Even as a paying subscription customer, which I have happily been for the past year, the only way to get support is via their public forum.

That being said, this is only "half" of the equation. I have already seen numerous hosting accounts compromised via a more malicious form of this attack which I have not published. In fact, finding a number of sites running WooThemes all compromised in the past 4 days via the contents of shortcode-generator/ led me to take a quick look through the code to try to find the attack vector, and I found this.

Note that what I found isn't even really an exploit in its current form - just a bug which combined with a lot more work could be used to potentially cause harm. However, since I'm already seeing WooThemes-powered sites that have been compromised via the contents of shortcode-generator/, there is already a more serious problem in the wild. I would hope that WooThemes is aware of that - but again, they don't appear to have any security contact address, or any other transparency about the security of their products to be able to find out.

With regards to security at WooThemes, I won't comment on their attack this week because clearly they are trying to recover from it. However, as one commenter in HackerNews posted, "Does this look like the authors even give a crap about security?" and with that I would tend to agree. For example, a few days prior to their site going down, WooThemes alerted their customers to update their themes for a security vulnerability... via a 5am tweet: https://twitter.com/#!/woothemes/status/192545687051829248 "We found a minor vulnerability in the WooFramework, which we've just fixed. Please update to the latest version ASAP!" Not an email alert, not a blog post with details, just a tweet.

Regarding the person who commented that this issue was already patched; that is incorrect. This has been tested against vanilla WooThemes running the latest version, which (according to the theme's built in updater) is 5.3.7. The WooThemes website only lists a changelog up to version 5.3.1, released almost 2 months ago: http://www.woothemes.com/updates/functions-changelog.txt

Additionally, even if the issue is patched, my link above still works - which means that the patch clearly isn't working or hasn't been applied to WooThemes own servers.

The moral of this story is: WooThemes is a great company and makes a great product, but they have grown to the point where security needs to be a real concern. A proper channel to alert them of these issues, along with prompt and honest email notifications of updates to their customers (free and paid), and a publicly-accessible security/updates site (a la RedHat's RHSA system) are all long overdue. This isn't just a jab at WooThemes either - a review of almost any paid or free theme will surely come up with many issues like this.

Perhaps the best solution is for WordPress to add a built in update notifier that can alert site admins when updates are available, but at this point anything would be helpful.

Thanks again for the comments and thanks to those who posted simple patches to correct this small issue until an official update is released.

Just a quick note to address the screenshot and link posted by @coenjacobs (and I do appreciate the official response): even if you guys have released an update, it's not being pushed out to your customers reliably.

The reason for this is because your code in admin-functions.php checks http://www.woothemes.com/updates/functions-changelog.txt to determine the latest version. That file still shows the latest version as 5.3.1, so the "Update Framework" is basically broken if you've updated since 5.3.1 but aren't on 5.3.10. Here's a screenshot of functions-changelog.txt as of this comment, in case you guys are seeing something else: http://i.imgur.com/FdpfF.png

My guess is that this file got rolled back during your recent server issues; you may want to take a closer look. Additionally, the demo server is still out of date - perhaps the "Update Framework" feature on those themes is broken, too.

I see that WooThemes has now bumped their version number to push their update out, so if you are a WooThemes user be sure to click "Update Framework" inside your WordPress Admin.

I hope that this plus their server hack issues this week serves as the catalyst not only to encourage WooThemes to reform their security policies but the whole WordPress community as well.

Hi all,
This issue has been resolved in the latest version of the WooFramework. We've bumped it up to V5.3.11 and marked the update as "critical" for all WooFramework users.

Version 5.3.11 of the WooFramework is working fully with the automatic "Update Framework" link as well. This was just a matter of a slightly older version being online after our website restoration, which was why the automated updater wasn't being triggered. We've now remedied this with version 5.3.11.

Please see our official blog post here, where we detail the issue and our resolution: http://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/

Our sincerest apologies for the inconvenience caused here.

Glad @postmodern came in and, without saying @jasongill was completely right not to let WooThemes know first, pointed out two things:

  • this bug never should have happened
  • there isn't a way to immediately roll out a fix for everyone - individual users have to download the patched version

I'm relieved to see that WooThemes is quickly fixing it, rather than attacking the messenger. I hope they do a code audit.

The thing that mitigated the effect better than @jasongill could have is that many people don't trust the combination of WordPress and popular plugins and themes to be secure, and tend to run it in an isolated environment, and back things up regularly.

I'm glad to see that someone from Woo showed up here to let us know what's going on. Unfortunately, as of noon PST on April 30 2012, the "Update Framework" function is not working for me. Worse, the link provided by Woo currently produces a generic 404 error. Okay, now what?

So I went to the Woo site to see what's going on. There's a new blog posting here: http://demo.woothemes.com/dos/?p=118. Apparently they're experiencing another DDoS attack and the framework update system is offline. Apparently you can email them at techsupport@woothemes.com and ask for the framework update. I just sent off an email to them; hopefully that will work.

@jrivett - We are currently experiencing some downtime, yes. Our team is on hand to respond to your e-mail, though, and will do so as soon as possible. :)

Received the framework update by email. It's actually version 5.3.12, not 5.3.11. Anyway, it works.

@jrivett - That is correct, yes. V5.3.12 was released yesterday to ensure the code in question was removed correctly. We've tweeted and blogged about this version and updated our status blog as well during our recent down time.

I can confirm that this version resolves the issue, as does V5.3.11.

Glad your WooFramework is up to date. :)

I downloaded the latest version of Canvas, yet the framework in the theme has the OLD framework build 5.3.10. When I download the latest theme from the @woothemes site I want to have the latest framework as well. It seems that there isn't an automated framework update in the system to include the latest framework with the theme the user downloads. I figured this out by checking change logs, but wonder how many non-developers will go to this trouble. Security is a big issue and I hope that Woo can address these issues head on. I'm keeping the faith.

@behladesign - I have notified our team who are addressing this issue.

Our sincerest apologies for the inconvenience caused here.

Thanks for keeping on top of everything Matty!
