Trivial comment spam bypass – (All in One WP security <= 5.0.7)

Affected plugin: All In One WP Security & Firewall
Active installs: 1+ million
Vulnerable version: <= 5.0.7
Audited version: 5.0.7
Fully patched version: 5.1.9
Recommended remediation: Upgrade to version 5.1.9 or higher.

Description


The plugin relies on rewrite rules written to the site's “.htaccess” file to block comment spam. Those rules are only honoured by Apache-compatible servers (NGINX ignores “.htaccess” files entirely), and the only things they check, the Referer and User-Agent headers, are supplied by the client, so a bot can trivially bypass them by spoofing a header.

Proof of concept


The plugin will generate the following rewrite rules in the “.htaccess” file (shown here for a site hosted at site.test):

# BEGIN All In One WP Security
#AIOWPS_BLOCK_SPAMBOTS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} !^http(s)?://site\.test [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://127.0.0.1 [L]
</IfModule>

Because of the [OR] flag on the Referer condition, a POST to wp-comments-post.php is redirected to http://127.0.0.1 only when the Referer does not start with http(s)://site.test or the User-Agent is empty. Both headers are chosen by the client, so any bot can trivially bypass the rule by sending a matching Referer header (curl's default User-Agent already satisfies the second condition):

curl -s -I -X POST https://site.test/wp-comments-post.php -H "Referer: https://site.test"
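To make the rule's logic explicit without an Apache server at hand, the following is an added example (not code from the advisory or from the plugin) that models the quoted RewriteCond chain in Python and runs it over a handful of constructed requests. The regular expressions are copied from the rules above; the sample requests, the hostname site.test and the User-Agent strings are assumptions. It shows which requests the rule would actually redirect and which pass straight through, including the PoC above. It deliberately models only Apache's behaviour; on NGINX the file is never read, so every request passes.

```python
import re

# Patterns copied from the rewrite rules quoted above. "site.test" stands in
# for whatever hostname the plugin wrote into the real .htaccess file.
METHOD_RE = re.compile(r"POST")
URI_RE = re.compile(r"^(.*)?wp-comments-post\.php(.*)$")
REFERER_RE = re.compile(r"^http(s)?://site\.test", re.IGNORECASE)  # the [NC] flag
EMPTY_UA_RE = re.compile(r"^$")


def rule_blocks(method: str, uri: str, headers: dict) -> bool:
    """Return True when the quoted mod_rewrite rule would fire (redirect to 127.0.0.1).

    Consecutive RewriteCond lines are ANDed unless a line carries [OR]; the
    Referer condition does, so the rule fires when
        method is POST AND uri is wp-comments-post.php
        AND (Referer does NOT start with http(s)://site.test OR User-Agent is empty).
    A header the client never sent expands to the empty string in mod_rewrite,
    and a RewriteCond pattern is an unanchored search unless it anchors itself.
    """
    referer = headers.get("Referer", "")
    user_agent = headers.get("User-Agent", "")
    if not METHOD_RE.search(method):
        return False
    if not URI_RE.search(uri):
        return False
    referer_off_site = REFERER_RE.search(referer) is None  # the "!" negation
    ua_empty = EMPTY_UA_RE.search(user_agent) is not None
    return referer_off_site or ua_empty


# Constructed sample requests (not captured traffic): method, request URI, headers.
SAMPLE_REQUESTS = {
    "naive bot: no Referer, no User-Agent":
        ("POST", "/wp-comments-post.php", {}),
    "bot with a User-Agent but no Referer":
        ("POST", "/wp-comments-post.php", {"User-Agent": "SpamBot/1.0"}),
    "the PoC: spoofed Referer plus curl's default User-Agent":
        ("POST", "/wp-comments-post.php",
         {"Referer": "https://site.test", "User-Agent": "curl/8.4.0"}),
    "Referer on a third-party host whose name merely starts with site.test":
        ("POST", "/wp-comments-post.php",
         {"Referer": "https://site.test.example/", "User-Agent": "SpamBot/1.0"}),
    "GET to the same endpoint":
        ("GET", "/wp-comments-post.php", {}),
}


def evaluate_samples() -> dict:
    """Map each sample request to whether the .htaccess rule would block it."""
    return {name: rule_blocks(m, u, h) for name, (m, u, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{'BLOCKED' if blocked else 'passes':8} {name}")
```

Only the two requests that omit a header are redirected; the PoC request passes, and so does a Referer from an unrelated host whose name happens to start with site.test, since the pattern is not anchored at the end of the hostname.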

Proposed patch


Don’t rely on “.htaccess” files in distributed plugins: they are only honoured by Apache-compatible servers, and the checks these rules perform are on client-controlled headers. Enforce the check in PHP instead, so it applies regardless of the web server.

Timeline


Vendor contacted: September 10, 2022
First response: September 12, 2022
Fully patched at: May 09, 2023
Publicly disclosed: April 24, 2023

Miscellaneous


2 responses

  1. indigetal

    This is fixed as of version 5.1.9, which was released on May 9, 2023.

    1. Thanks,

      we’ll mark this as fixed, as it seems that a preloaded PHP firewall/rule system is now used.

      We won’t evaluate the effectiveness of that system due to time constraints and because comment spam detection is “subjective” to a certain degree.
