The PHP Object Injection Odyssey

The past few months we have noticed a trend of new and increasing PHP Object Injection attacks targeting WordPress sites. In a few cases in the last months our standard incident response process was identifying sites were had just cleaned were getting re-infected. Our response? Hack harder than the hackers, and we found multiple undisclosed vulnerabilities in plugins installed on the affected sites.

Each of the unreported vulnerabilities found were classified as PHP Object Injection. They affected multiple plugins, and effectively allowed remote code execution as far as we can tell.

In each case, the final solution was for us to reach out to the plugin authors and recommend a code change to address the issue. Luckily, all of the authors responded quickly and applied patches to their code.

We continued to monitor the attacker’s actions and watched as they feebly attempted the same exploits, to no avail. In the end, a success for our incident response process. Going above and beyond securing our customer’s sites, but helping patch undisclosed vulnerabilities in plugins, not only for our customers but for the thousands of people using the vulnerable plugins.

The odyssey of PHP Object Injection vulnerabilities is still ongoing. I’ve written about this subject last year (Tracking WP PHP Object Injection Attackers in November), 6 months ago (PHP Object Injection and Insecure Unserialize) and just recently (How to Secure PHP from Object Injections); but hats off to WordFence who is also reporting an increase in object injection attacks this month, so this issue is not just something only Pagely is seeing.

Object Injection is still a problem, and I guess I will continue writing these articles every few months. We will continue reaching out to plugin developers as well, helping make plugins secure for everyone. A shout-out goes out to WordFence for taking up the reigns and doing similar (helping plugin authors patch insecure code). Hopefully you to can help spread the word and more people can help secure their code against Object Injection attacks.

Need a primer for how developers can address this? Read or our article on how to secure PHP code against PHP Object Injection.

0 Comments