April 24, 2023

Trivial comment spam bypass – (All in One WP security <= 5.0.7)

Calvin Alkan

| in

Affected plugin	All In One WP Security & Firewall
Active installs	1+ million
Vulnerable version	<= 5.0.7
Audited version	5.0.7
Fully patched version	5.1.9
Recommended remediation	Upgrade to version 5.1.9 or higher.

Description

The plugin relies on “.htaccess files” to block comment spam, which will not work on NGINX servers and can be trivially bypassed through header spoofing.

Proof of concept

The plugin will generate the following rewrite rules in the “.htaccess” file:

# BEGIN All In One WP Security
#AIOWPS_BLOCK_SPAMBOTS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} !^http(s)?://site\.test [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://127.0.0.1 [L]
</IfModule>

Any bot can trivially bypass this by spoofing the referrer header:

curl -s -I -X  POST https://site.test/wp-comments-post.php -H "Referer: https://site.test"

Proposed patch

Don’t rely on “.htaccess” files in distributed plugins.

Timeline

Vendor contacted	September 10, 2022
First Response	September 12, 2022
Fully patched at	May 09, 2023
Publicly disclosed	April 24, 2023

Miscellaneous

2 responses

indigetal

May 23, 2023

This is fixed as of version 5.1.9 that was released May 9, 2023

Reply
1. Calvin Alkan
  
  May 23, 2023
  
  Thanks,
  
  We’ll mark this as fixed, as it seems that now a preloaded PHP firewall/rule system is used.
  
  We won’t evaluate the effectiveness of that system due to time constraints and because comment spam detection is “subjective” to a certain degree.
  
  Reply

snicco