• Resolved Hrohh

    (@hrohh)


    Hi, this plugin adds fast-ajax.php to the mu-plugins folder. Every attacker can disable your security plugins by sending a simple payload to your ajax.php on your website:
    fast_ajax => true

    I don’t understand how the plugin author could have intended this, but it’s a really bad solution!

    Also, some items in the dashboard are misleading. For example, autoload options are miscalculated, etc. The biggest is not the biggest, and the total size is incorrectly estimated, because it is preloaded in the cache already.

    If I can give advice to the author of this plugin: expand the already existing ecosystem, Site Health.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Bowo

    (@qriouslad)

    @hrohh thank you for bringing this up. All AJAX calls require nonce verification, so not “every attacker” can simply get to fast-ajax.php. Please correct me if I’m wrong.

    As for why fast-ajax.php is being used: it speeds up AJAX calls by skipping things run by other plugins during an AJAX call. This is especially useful on complex sites with many plugins installed.

    Good to know about the autoload miscalculation. Can you provide more details and some examples?

    Your suggestion to expand upon Site Health is a good one. A dear friend who is also an expert has advised me to do the same years ago. Alas… System Dashboard is more a hobby project at this point, one I spend time on very sparingly. Perhaps someone else would be interested to fork it and use some of the code to expand upon the Site Health feature.

    Thread Starter Hrohh

    (@hrohh)

    Hi, thank you for the fast response. In fast-ajax.php (https://github.com/atwellpub/WordPress-Fast-Ajax-Mu-Plugin/blob/master/fast-ajax.php) there is no nonce check. You should also check capability in the AJAX function; a nonce is good, but if you call from admin, you should call current_user_can( 'read' ) at least. It is definitely dangerous like this. Also ensure that this file is deleted when your plugin is deactivated.

    Autoload check: look in the function wp_load_alloptions(); there are multiple values, “yes”, “auto”, “auto-on”, etc.
    // Evict the cached copy first, otherwise the timer below measures a cache hit.
    wp_cache_delete( 'alloptions', 'options' );
    timer_start();
    $alloptions = wp_load_alloptions();
    $time = timer_stop( false, 5 );
    // Size of the whole autoloaded set as it would sit in memory, serialized.
    $size = size_format( strlen( serialize( $alloptions ) ) );
    printf( __( 'Loading autoload options took %s seconds and used %s of memory.' ), $time, $size );
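
An admin AJAX handler written the way the post above asks for, as an added example that is neither System Dashboard's code nor part of the fast-ajax.php mu-plugin: it verifies a nonce with check_ajax_referer() and then a capability with current_user_can() inside the handler itself. Doing both in the handler matters here because an mu-plugin that skips other plugins on AJAX requests also skips whatever checks those plugins would have applied. The action name sd_example_action, the nonce action sd_example_nonce, the script handle sd-example-admin, the admin.js file and the JS object name are assumptions; everything else is WordPress core API.

```php
<?php
/**
 * Added example, not System Dashboard's code. Names prefixed sd_example
 * and the admin.js file are hypothetical.
 */

// Hand a nonce to the admin page's JavaScript (script handle assumed).
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'sd-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'sd-example-admin', 'sd_example_ajax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'sd_example_nonce' ),
    ) );
    wp_enqueue_script( 'sd-example-admin' );
} );

// Register only the authenticated hook. Deliberately NOT registering
// wp_ajax_nopriv_sd_example_action keeps logged-out visitors out at the
// admin-ajax.php level, before this code is ever reached.
add_action( 'wp_ajax_sd_example_action', 'sd_example_ajax_handler' );

function sd_example_ajax_handler() {
    // 1. CSRF: dies with HTTP 403 unless the "nonce" request field matches
    //    the action the page was rendered with.
    check_ajax_referer( 'sd_example_nonce', 'nonce' );

    // 2. Authorization: a nonce proves the request came from a page we
    //    rendered, not that this user may read admin data. Check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: sanitize before use, never trust the raw request.
    $table = isset( $_POST['table'] ) ? sanitize_key( wp_unslash( $_POST['table'] ) ) : '';
    if ( '' === $table ) {
        wp_send_json_error( array( 'message' => 'Missing table name.' ), 400 );
    }

    global $wpdb;
    // $wpdb->tables() maps unprefixed core table names to their prefixed
    // names, so only a known core table can ever reach the query.
    $allowed = $wpdb->tables( 'all' );
    if ( ! isset( $allowed[ $table ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown table.' ), 400 );
    }
    $count = (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$allowed[ $table ]}" );

    wp_send_json_success( array( 'table' => $table, 'rows' => $count ) );
}
```

A POST to admin-ajax.php with action=sd_example_action, nonce=<value of sd_example_ajax.nonce> and table=posts returns a JSON row count. A stale or missing nonce is rejected with a 403 before the capability check runs; a logged-in subscriber with a valid nonce gets the JSON 403 from the capability check; a logged-out caller never reaches the function because no nopriv hook exists.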

    Plugin Author Bowo

    (@qriouslad)

    @hrohh thank you for explaining further.

    The capability and nonce checks are performed in each AJAX call. For example, when trying to display the WP core DB tables via the “Database >> Core >> View Tables” accordion with the sd_db_tables action in the AJAX call on this line, the checks are performed inside the sd_db_tables() function.

    If this is not sufficient, please kindly consider taking some time to provide a proof of concept, step by step, of how you can exploit this (the fast-ajax.php file) and do something harmful. Please send it via the contact form at https://bowo.io, and I’ll investigate further.

    Noted on your autoload check instructions. It has been more than 3 years since I wrote the code, so I will have to refresh my memory on it first.
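
An added example, not System Dashboard's code, that measures the autoloaded set the way the thread starter suggests: it asks WordPress which autoload values actually count (wp_autoload_values_to_autoload() in WordPress 6.6 and later; only "yes" before that), reads sizes straight from the options table so a primed alloptions cache cannot skew the "biggest option" ranking or the total, and separately times a cold wp_load_alloptions() after evicting the cached copy. The sd_example_* function names are assumptions.

```php
<?php
/**
 * Added example, not System Dashboard's code. Function names prefixed
 * sd_example are hypothetical; the WordPress functions are core API.
 */

// Autoload values that wp_load_alloptions() treats as "load on every
// request". WordPress 6.6+ exposes them; older versions only know "yes".
function sd_example_autoload_values() {
    if ( function_exists( 'wp_autoload_values_to_autoload' ) ) {
        return wp_autoload_values_to_autoload();
    }
    return array( 'yes' );
}

// Returns total_bytes, count, bytes per autoload value, and the largest rows,
// computed from the database rather than from the object-cached alloptions.
function sd_example_autoload_report( $top_n = 10 ) {
    global $wpdb;

    $values       = sd_example_autoload_values();
    $placeholders = implode( ', ', array_fill( 0, count( $values ), '%s' ) );

    // LENGTH(option_value) is the stored size of each option, independent of
    // whether the alloptions cache is already warm.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, autoload, LENGTH(option_value) AS bytes
               FROM {$wpdb->options}
              WHERE autoload IN ( {$placeholders} )",
            $values
        ),
        ARRAY_A
    );

    $total       = 0;
    $by_autoload = array();
    foreach ( $rows as $row ) {
        $bytes  = (int) $row['bytes'];
        $total += $bytes;
        $by_autoload[ $row['autoload'] ] = ( $by_autoload[ $row['autoload'] ] ?? 0 ) + $bytes;
    }

    // Largest first, so the top of the list really is the biggest option.
    usort( $rows, function ( $a, $b ) {
        return (int) $b['bytes'] <=> (int) $a['bytes'];
    } );

    return array(
        'total_bytes' => $total,
        'count'       => count( $rows ),
        'by_autoload' => $by_autoload,
        'largest'     => array_slice( $rows, 0, $top_n ),
    );
}

// Cold load timing: evict the cached copy first, otherwise the timer
// measures a cache hit and the load looks faster than it is.
function sd_example_autoload_cold_load() {
    wp_cache_delete( 'alloptions', 'options' );
    timer_start();
    $all = wp_load_alloptions();
    return array(
        'seconds' => timer_stop( 0, 5 ),
        'bytes'   => strlen( serialize( $all ) ),
    );
}
```

Run it inside a loaded WordPress, for example with WP-CLI (wp eval-file report.php, where report.php contains this code followed by var_dump( sd_example_autoload_report() ) and var_dump( sd_example_autoload_cold_load() )). The total from the query and the serialized size from the cold load differ slightly because serialization adds option names and type markers; that gap is expected.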
