Opened 9 years ago

Closed 9 years ago

#13827 closed defect (bug) (wontfix)

Spam Vulnerabilities In wp-signup.php Breaking Plugins

Reported by: uglyrobot
Owned by: wpmuguru
Milestone:
Priority: normal
Severity: normal
Version: 3.0
Component: Multisite
Keywords: needs-patch reporter-feedback
Focuses:
Cc:

Description

I feel comfortable posting this here as the exploit is being observed in the wild already. We have a signup code plugin; I've seen about 3 users report spammers getting past the signup code without knowing it. I've also seen similar ineffectiveness with captchas and other antisplog plugins out there. Finally someone posted their logs (http://premium.wpmudev.org/forums/topic/spammer-bypassed-signup-code) so I could find the issue, and I think it could be classified as a security bug in MultiSite.

The problem here is in the way the wp-signup.php handles stages. A plugin can either choose to add a check to the user part or blog part of signups. If you click the gimme a blog option it simply prints user info you entered in the screen before as hidden inputs, it's not saved in the db or anything until the blog form is completed:

<input type="hidden" name="stage" value="validate-blog-signup" />
<input type="hidden" name="user_name" value="test1011" />
<input type="hidden" name="user_email" value="test@uglyrobot.com" />

So a bot can simply post those hidden variables and skip the user part of wp-signup.php completely, along with any protections a plugin has added to it. There are nonces that are supposed to help with that, but from the logs I think the bot is scraping it off the user page first, and since they never submit that part of the form the nonce is still valid on the blog part of the form as they are the same nonce id. Even if the nonce ids were changed though a bot could first submit invalid data to the blog part and collect the nonce there as well.

This bug essentially breaks half of the anti-spam plugins out there as they add protection to the user part of the form, and bots can skip that completely! As it stands a plugin can only protect user or blog signups, not both without being annoying (2 captchas to signup, etc).

The only solution I can see is a complete rewrite of wp-signup.php, probably to put user and blog fields on the same page maybe hidden with JS as BuddyPress does. Unfortunately that means likely needed rewrites to many signup protection plugins.

While we're considering a rewrite of wp-signup.php, I would like to see it switched to a format more like BuddyPress uses, with it being a fake page slug that can be defined in wp-config.php and calls the default theme page template for display. Though that's more of a feature request for a future release.

Change History (11)

#1 @ryan
9 years ago

A rewrite obviously isn't happening for 3.0. Nonces are pretty useless for this.

#2 @ryan
9 years ago

  • Milestone 3.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This is plugin territory. I'll see if we can get the stuff we use on wordpress.com bundled up into a plugin. When you have open signups, dealing with signup spam is a fact of life.

#3 @uglyrobot
9 years ago

  • Cc aaron@… added
  • Resolution wontfix deleted
  • Status changed from closed to reopened

I understand that it is plugin territory to deal with spam signups, but the point of this ticket is that there is an actual bug in the structure of wp-signup.php that PREVENTS plugins from protecting signups.

#4 @uglyrobot
9 years ago

  • Owner set to wpmuguru
  • Status changed from reopened to reviewing
  • Summary changed from Spam Security Vulnerabilities in wp-signup.php w/MultiSite to Security Vulnerabilities In wp-signup.php Breaking Plugins

For example, say I wanted to create a basic recaptcha plugin (there's a handful out there that are broken by this) to stop bots from creating users or blogs. Due to this hidden vulnerability which spammers have recently discovered and are exploiting, the only way to do this would be to force the person signing up to fill out 2 captchas in a row. Basically an ugly hack to try and cover up a core vulnerability.

This is not limited to just anti-spam plugins though, but affects a great many others out there like Terms of Service, password on signup, etc.

This bug affects the current majority of Multi-Site users and surely should be priority enough for a 3.0.1 release.

#5 @sirzooro
9 years ago

  • Cc sirzooro added

#6 @westi
9 years ago

  • Keywords reporter-feedback added
  • Priority changed from high to normal
  • Severity changed from critical to normal

Why can't a plugin add its own hidden fields using nonces if it wishes to ensure that a step it requires isn't skipped?

#7 follow-up: @uglyrobot
9 years ago

Nonces won't work for the reasons I specified above. For some signup plugins (not bot prevention ones) you can echo in hidden form fields data you collect on the signup part of the form into the blog part of the form.

But for any anti-spam plugins there is no way to carry data over between forms in a way that can't be manipulated short of starting a php session and using that to carry data over.

While there are dirty hacks to try and get around this bug, the fact remains that their necessity is due to a fundamental design flaw in wp-signup.php. A plugin dev has to know about this exploit and hack around it. If we can just combine the user and blog forms all would be well.

#8 @nacin
9 years ago

  • Summary changed from Security Vulnerabilities In wp-signup.php Breaking Plugins to Spam Vulnerabilities In wp-signup.php Breaking Plugins

#9 in reply to: ↑ 7 ; follow-up: @wpmuguru
9 years ago

Replying to uglyrobot:

But for any anti-spam plugins there is no way to carry data over between forms in a way that can't be manipulated short of starting a php session and using that to carry data over.

It is possible to carry data between the signup forms and ensure that the data has not been manipulated. I have an install that has been running an anti-spam plugin 3.0 for approximately 5 months and have had 4 successful spam signups in that time.

#10 in reply to: ↑ 9 @wpmuguru
9 years ago

Replying to wpmuguru:

It is possible to carry data between the signup forms and ensure that the data has not been manipulated. I have an install that has been running an anti-spam plugin 3.0 for approximately 5 months and have had 4 successful spam signups in that time.

I meant only 4 successful signups.
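One way to carry proof that the user step (and whatever plugin checks hang off it) was actually completed into the blog step, without a PHP session, is a keyed hidden field, the approach the description and comments #7 and #9 argue about. The plugin sketch below is an added example written for this page, not code from the ticket, from wpmuguru's install or from any shipped plugin; the `sst_` names and the 15-minute lifetime are assumptions, and it relies on the core hooks `signup_blogform` and `wpmu_validate_blog_signup`, on `wp_salt()`, and on PHP 5.6+ `hash_equals()`.

```php
<?php
// Added example (not from the ticket or any shipped plugin). Assumes PHP >= 5.6 and the core
// hooks signup_blogform / wpmu_validate_blog_signup and wp_salt() behaving as in core.
define( 'SST_TTL_SECONDS', 15 * 60 ); // how long a passed user step stays usable (assumed value)

function sst_token_data( $user_name, $user_email, $expires ) {
    return strtolower( $user_name ) . '|' . strtolower( $user_email ) . '|' . (int) $expires;
}

// Built only after the user step validated: expiry plus an HMAC keyed with the site secret,
// bound to the user_name/user_email the visitor entered, so it cannot be reused for other data.
function sst_make_token( $user_name, $user_email ) {
    $expires = time() + SST_TTL_SECONDS;
    return $expires . ':' . hash_hmac( 'sha256', sst_token_data( $user_name, $user_email, $expires ), wp_salt( 'nonce' ) );
}

function sst_check_token( $token, $user_name, $user_email ) {
    if ( ! is_string( $token ) || strpos( $token, ':' ) === false ) return false;
    list( $expires, $mac ) = explode( ':', $token, 2 );
    if ( (int) $expires < time() ) return false; // expired pass
    $good = hash_hmac( 'sha256', sst_token_data( $user_name, $user_email, $expires ), wp_salt( 'nonce' ) );
    return hash_equals( $good, $mac ); // constant-time comparison
}

// Runs inside show_blog_form(). Print the field only when the user step validated in this very
// request (stage is still 'validate-user-signup'), or when a still-valid token was posted (blog
// step redisplayed after an error). A direct post to the blog step with junk gets no field at all.
function sst_print_token_field() {
    $stage = isset( $_POST['stage'] ) ? $_POST['stage'] : '';
    $name  = isset( $_POST['user_name'] ) ? $_POST['user_name'] : '';
    $email = isset( $_POST['user_email'] ) ? $_POST['user_email'] : '';
    $token = isset( $_POST['sst_token'] ) ? $_POST['sst_token'] : '';
    if ( $stage === 'validate-user-signup' ) {
        $token = sst_make_token( $name, $email );
    } elseif ( ! sst_check_token( $token, $name, $email ) ) {
        return;
    }
    echo '<input type="hidden" name="sst_token" value="' . esc_attr( $token ) . '" />';
}
add_action( 'signup_blogform', 'sst_print_token_field' );

// Blog step: refuse any submission that does not carry a valid pass from the user step.
function sst_require_token( $result ) {
    if ( isset( $_POST['stage'] ) && $_POST['stage'] === 'validate-blog-signup' ) {
        $token = isset( $_POST['sst_token'] ) ? $_POST['sst_token'] : '';
        if ( ! sst_check_token( $token, $_POST['user_name'], $_POST['user_email'] ) ) {
            $result['errors']->add( 'sst_token', 'Please complete the first signup step.' );
        }
    }
    return $result;
}
add_filter( 'wpmu_validate_blog_signup', 'sst_require_token' );
```

Because the field is never printed for a cold blog-step request, the "collect it by submitting invalid data to the blog part first" concern raised against nonces does not apply to this token; a plugin that hooks its captcha or signup-code check into the user step can then rely on the blog step refusing anything that skipped it.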

#11 @nacin
9 years ago

  • Resolution set to wontfix
  • Status changed from reviewing to closed