We’ve discussed WPtouch before — it’s a useful plugin for easily equipping a WordPress site with a mobile theme and touch functionality. It was recently reported by the folks over at Sucuri that the plugin contains a vulnerability that could be exploited by users without administrative privileges to upload PHP files to a server.
It’s a serious vulnerability. A PHP file dropped under the web root executes with the web server’s privileges, so an attacker who can upload one can install a backdoor, read the database credentials in wp-config.php, and add whatever other malware they like. If a malicious party can add arbitrary code, they more or less own the site.
Users of 3.x versions lower than 3.4.3 of WPtouch are vulnerable. The fix is contained in versions 3.4.3 and later. WPtouch users should update immediately using the update functionality in the WordPress admin interface. Users of the 1.x and 2.x versions are not vulnerable to this particular exploit.
The vulnerability occurred because of the way WPtouch’s developers were handling authorization. Despite the name, a WordPress nonce is not a one-time number: it is a hash tied to the logged-in user and a named action, it stays valid for a window of up to 24 hours, and its only job is to show that a request originated from a page that same user recently loaded (a guard against cross-site request forgery). WPtouch generated the nonce for its admin file-upload action for logged-in users who had no admin rights, and its upload handler then treated a valid nonce as sufficient permission to write the file. A logged-in user who wouldn’t ordinarily have admin privileges could therefore take the nonce issued for their own session and submit it with an upload. Using a nonce as the only form of authorization is dangerous; it has to be paired with a capability check.
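To make the pattern concrete, here is an added illustrative example, written for this post. It is not WPtouch’s code, and the plugin slug, script name, AJAX action name and file-field name are all invented. The first handler shows the nonce-only gate described above; the second shows the same upload guarded the way it should be: a capability check first, the nonce second, and the accepted file types restricted.

```php
<?php
// Constructed example for this post; not WPtouch's source. Names such as
// 'example_upload_icon', 'uploader.js' and the 'icon' file field are assumptions.

// Runs on every front-end request, so the nonce is created for whoever is
// logged in, subscribers included, and printed into the page's JavaScript.
add_action( 'wp_enqueue_scripts', 'example_enqueue_uploader' );
function example_enqueue_uploader() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    wp_enqueue_script( 'example-uploader', plugins_url( 'uploader.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-uploader', 'exampleUploader', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_upload_icon' ),
    ) );
}

// --- Vulnerable pattern: the nonce is the only gate --------------------------
add_action( 'wp_ajax_example_upload_icon', 'example_upload_icon_vulnerable' );
function example_upload_icon_vulnerable() {
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    // wp_verify_nonce() only proves this user recently loaded a page that
    // printed the nonce. It says nothing about what the user is allowed to do.
    if ( ! wp_verify_nonce( $nonce, 'example_upload_icon' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // No capability check and no file-type check: any logged-in user can put
    // shell.php into wp-content/uploads/ and then request it.
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['icon']['name'] );
    move_uploaded_file( $_FILES['icon']['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// --- Hardened pattern: capability, then nonce, then file-type restriction ----
add_action( 'wp_ajax_example_upload_icon_safe', 'example_upload_icon_safe' );
function example_upload_icon_safe() {
    // 1. Authorization. This is the check that enforces tiered privileges;
    //    use the narrowest capability that fits the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection. check_ajax_referer() verifies the nonce and dies
    //    with a 403 if it is missing or invalid.
    check_ajax_referer( 'example_upload_icon', '_wpnonce' );

    // 3. Accept only the image types the feature actually needs.
    if ( empty( $_FILES['icon'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $type    = wp_check_filetype( $_FILES['icon']['name'], $allowed );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'disallowed file type', 400 );
    }
    // wp_handle_upload() re-checks the extension/MIME pair against 'mimes'
    // and writes the file with a sanitized name inside the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['icon'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}
```

Two details are worth noting. Generating the nonce only for users who can actually perform the action is good hygiene, but it is not the control that matters: the capability check inside the handler is what stops a subscriber, and it belongs before the nonce check so that an unprivileged request is rejected regardless of what nonces it carries. And the file-type restriction is a second, independent layer: even an administrator’s upload endpoint should not write PHP into a web-served directory unless that is its documented purpose.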
The vulnerability had the potential to completely invalidate tiered privilege implementations. A properly run site will ensure that users have only the privileges they need — not granting writers admin privileges, for example — but the WPtouch vulnerability could be used by any logged in user to carry out tasks that would usually require admin privileges.
When Sucuri discovered the vulnerability, they disclosed it immediately to the WPtouch developers, who quickly patched the plugin and uploaded a non-vulnerable version. That’s exactly how responsible disclosure should work, and the WPtouch team should be applauded for quickly and openly handling the report and fix.
Sucuri, who also discovered the vulnerability in the All In One SEO Pack that we discussed recently, are a website security and malware monitoring company. They also develop an excellent WordPress security hardening plugin, which is well worth installing. It will help protect a WordPress site against a variety of vulnerabilities, as well as providing malware and spam detection.
The Sucuri Security plugin makes it easy to implement a number of WordPress security best practices, including protecting the uploads directory (so that a file which does land there cannot be executed as PHP) and restricting direct access to the wp-content directory.
Although it’s unfortunate that the vulnerability existed in the first place, the disclosure and patching process was well handled by the researchers at Sucuri and the WPtouch developers — ensuring that any risk to WordPress sites was swiftly mitigated.