What’s the status of the fix?
All Versions Critical Vulnerability
Does it apply to version 241216? If not, roll back to it since it seems to be more stable.
Keep us posted.
I noticed new topics and posts in the forum but I am a bit overwhelmed with personal stuff. I’ll do my best to come back here when things calm down.
It’s all versions, hence the title. Check the link.
From the Wordfence link above (emphasis added):
The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the ‘template’ attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
@clavaque please comment!
Code execution is game over.
I am not an expert on this plugin, but in my warranty-free opinion (use at your own risk): if you allow untrusted users to may any edits at all, even at the contributor level, you may want to disable that access until there is a fix.
Does it include just permission to leave comments?
Yes it does apply.
And do NOT expect a response to this issue. Clavaque hasn’t responded to ANYTHING in 3 MONTHS
And the number of installations of s2 has fallen over last 3 years significantly.
It might as well be an “abandoned” plugin.
We solved our own issues, with great effort - basically with WORK AROUND’s to the system as it is right now. But you can only fudge for so long.
It’s sad - this plugin, if managed & supported correctly could be very lucrative.
Sid
We’ve been using S2 since about 2013 (!) and have been happy. If there are going to be problems, we need some ideas about other useful membership plugins. Anybody?
–Patrick
I guess this dates back to S2s pretty dangerous PHP plugin, was it called ezphp? It was never a good idea to be able to insert php snippets.
I wonder if there aren’t any other holes, wordfence seems to discover many on S2 lately and scarily high danger
I have an idea how this can be fixed, or what the problem is.
This bug should be solvable if we downgrade any s2member user roles to something of subscriber, but they cannot have anything like contributor rights.
This bug is described as contributor+ - and contributors shouldn’t be allowed to add php to posts or comments. Seems however that s2member enables contributors to do just that, and also enables s2member roles to do this??? So to at least mitigate the danger, we need to make sure that any s2member roles have no more than wordpress subscriber rights - Otherwise this bug is really way way serious.
I.e. I cannot force my users to use safe passwords or block passwords that were leaked. It creates huge support headache for me if I do so and on top losing some of them. So basically I had a couple of accounts already posting some spam because they used leaked passwords. Now if someone knows this he just needs to use one of those accounts and can take over your full website.
Now as I cannot really see how s2member messes up, I guess removing the read permission from s2member roles could be a step, and then we would need to find out in s2member plugin where s2member_level_0 to level_x is given what rights. It seems to me the bug must be that the s2member_level_x permissions are far too comprehensive.
Is s2member installation enough so that even subscribers can take over your website, or does it need to be level_1 or higher?
It’s really important we can find this out, deactivating s2 for me isn’t a solution, and leaving such a critical bug (anything over 8 on wordfence is really impossible to be left open).
If your company does any business in the EU, it opens another huge problem. Leaving your website active makes you liable to 10% fine of your worldwide turnover, as this bug concerns your users private data - so some of those bogus lawyers could just scan websites for s2member installation, and then start fining you. This is simply impossible to be left like this.
Oh yeah, and not sure if it would help, but maybe a temporary fix is that all comments need to be approved first - I’m not sure if putting compromising PHP code into a comment that doesn’t get published but waits in moderation already creates problems.
As a first step I have completely removed the user roles contributor, editor, author from wordpress. For my admin account I have 2factor authentication anyhow so that it cannot be compromised.
Hi @openmtbmap,
In my own testing, I did not see that s2member automatically grants s2member roles any special WordPress contributor permissions. None of my s2member accounts seem capable of creating or editing content. (Comments are disabled, so I can’t speak to that.)
Could this have been a particular configuration on your site? Or perhaps in the forms that you set up for people to create these accounts? For instance, for maximum safety, the ccaps=
bit in the form should be empty; if not, it is granting additional capabilities.
But I am open to correction on this, and curious to hear what others (especially @clavaque) have to say.
Thanks!
I know there’s a capabilities / roles editor. Extremely powerful and useful. I have it on my install since I created many different roles for different situations.
I am also able to assign multiple roles to a single user (I think I use another plugin for that).
Which capability is sensitive, do you know its name @openmtbmap? Also, even if you have malicious code never public, I wonder if the page where we moderate comments to release / delete / reply to comments would run that code when we open it.
I’m still not sure what to make from this bug report. It says it applies to contributors or above, but then it doesn’t mention it s2member rules which should be only subscriber plus the special access rules by S2 are somehow included or not.
The problem is I don’t know what the s2member levels include, that’s defined by S2 and cannot be found out with any member rule configuration plugin. Can they start and php file or can they not, if so from which folders.
I use “PublishPress Capabilities Free” and that not only shows the capabilities per role but also allows me to modify them. Including roles added by s2Member and roles I created / cloned on my own.
Now, I am unable to say what’s included in these capabilities below…
That’s likely just used by s2member to know if a user has those when processing our conditionals, for example.
Unless you give access to allow people to edit content, the risky areas I see are:
- User Profile
- Comments Section
Those permissions are wordpress related, not s2member.
Now, if s2member opens a door that allows for php added by users on their profiles or comments to be executed, that would allow for a user to be able to run an attack.
Even if that happens, I wonder the scope of what this code would have.
We need to investigate it further, I think.
ccaps are custom capabilities for our reference, not Wordpress’ permissions.
They should not interfere or be related to the issue.
I think it should be enough to see if php files can be executed and if so from which directory. Even if it’s only from s2member plugin directory someone with good knowledge could create himself an admin account and then take over the site. It’s not needed to be able to actually upload files but execute fies can be enough
We should be fine if we don’t allow anyone but ourselves to upload files, then. Right?
Nope, it’s enough to execute php files to create an admin account. There are plenty of wordpress php files that allow taking over a site, it’s not easy but for hackers it’s easy enough if they can execute specific files your site is game over. Maybe even just by executing php files from s2member folder. Of course if you can upload php files and execute them it’s even easier. But it’s really essential that no one except administrators can execute php files.
@thesimarchitect My understanding is that you are correct that ccaps
refer to custom capabilities, rather than WordPress roles. However, since custom capabilities will hook into custom code, it is quite possible that this code might include giving these users various WordPress roles.
Unfortunately, if a web owner paid a developer to set up and customize their website (probably years ago), the owner may have no idea how to examine this code and ensure it is safe.
I think that any membership sign-up form that includes any ccaps
value should be considered a risk until the code for each custom capability is reviewed.