iThemes Security 5.3.6 Security Fix

Recently around april, 19th 2016, iThemes Security got patched against a vulnerability discovered by our team, a lack of capability check, allowing any member with any role to perform an Administrator action.

When a file has changed on your installation, iThemes Security will warn you in your backend, using the admin notices.

In this notice you’ll find a little button to dismiss this warning. Logically, only administrators can dismiss this message.

But the vulnerability let anyone “fake click” on this button, hiding the changes to the administrator.

Read the following if you want to know where was the flaw and how to exploit it.

In the file /core/modules/file-changes/class-itsec-file-change-admin.php you will find the function wp_ajax_itsec_file_change_warning_ajax()

	public function wp_ajax_itsec_file_change_warning_ajax() {

		if ( ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'itsec_file_change_warning' ) ) {
			die( __( 'Security error!', 'better-wp-security' ) );
		}

		die( delete_site_option( 'itsec_file_change_warning' ) );

	}

As you can see, a nonce token is checked, but not the role. So, usually a nonce token can be enough to block bad requests on this ajax action. But not if the token is known for everyone, let see this now.

Same file, we can read this:

add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_scripts' ) ); //enqueue scripts for admin page

A part of the function admin_enqueue_scripts() does this :

		wp_register_script( 'itsec_file_change_warning_js', $this->module_path . 'js/admin-file-change-warning.js', array( 'jquery' ), $itsec_globals['plugin_build'] );
		wp_enqueue_script( 'itsec_file_change_warning_js' );
		wp_localize_script(
			'itsec_file_change_warning_js',
			'itsec_file_change_warning',
			array(
				'nonce' => wp_create_nonce( 'itsec_file_change_warning' ),
				'url'   => admin_url() . 'admin.php?page=toplevel_page_itsec_logs&itsec_log_filter=file_change',
			)
		);

So, the nonce is written in the backend source code, for everyone, no restriction.

A simple subscriber can read this token, call the ajax file from WP with the action itsec_file_change_warning_ajax and the warning admin notice will be gone until the next file change.

The solution brought by the iThemes Security Dev Team have been to not print the nonce for everyone AND check the role when checking the nonce.

You always have to check both, nonce and role when you do this kind of verification. Also, never ever print tokens for everyone if they don’t need it. Last, always use different and correct nonces names to avoid action replication.

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.