Disclosure: Remote Code Execution Vuln in Disqus

June 20, 2014 | Marc-Alexandre Montpas


We recently found a security vulnerability in the Disqus Comment System plugin for WordPress. Under very specific conditions it allows an attacker to perform arbitrary remote code execution (RCE). In other words, an attacker can run PHP code of their choosing on a vulnerable website, with the privileges of the web server process.

While the flaw itself is very dangerous, it can only be triggered on servers running WordPress on PHP 5.1.6 or earlier. The likely reason is that PHP 5.2.0 introduced a native json_decode(), so the plugin's hand-written JSON parser is only exercised on builds that lack it. This also means that only users of WordPress 3.1.4 (or earlier) are exposed, as more recent releases no longer support these PHP versions.

Since the affected user base is very small, we decided to share our findings publicly now that Disqus has released a patch for it (fixed in version 2.76).

Every Disqus plugin user is still encouraged to upgrade to the latest version as soon as possible.

Disqus RCE vulnerability

It all began while analyzing the plugin's custom JSON parser, where we found the following curious code:

function getNextToken($e, &$i, &$state) {
    $state = IN_NOWHERE;
    $end = -1;
    $start = -1;
    while ( $i < strlen($e) && $end == -1 ) {
        switch( $e[$i] ) {
        (...)
        case '"':
            // String literal: collect everything up to the closing quote.
            $state = IN_STRING;
            $buf = "";
            while ( ++$i && $i < strlen($e) && $e[$i] != '"' ) {
                if ( $e[$i] == '\\' )   // backslash: drop it, keep the next character verbatim
                    $i++;
                $buf .= $e[$i];
            }
            $i++;
            // Re-quotes the collected text and evaluates it as PHP. Only the
            // double quote is escaped; $ and {$...} inside $buf stay live.
            return eval('return "'.str_replace('"','\"',$buf).'";');
            break;

For readers unfamiliar with PHP: this branch scans for the closing string-literal delimiter so that it can return the literal's value as the next token.

The collected content is wrapped in double quotes and passed through an eval() call, whose result is then returned to the caller. Note that eval() in PHP executes any code given to it. Can you see where this is going?

At this point we have a potential RCE vector: the string handed to eval() is double-quoted, so PHP's complex (curly-brace) variable-parsing syntax is interpreted inside it. The only escaping applied is str_replace('"', '\"', $buf), which neutralizes double quotes but does nothing about $ or {. A payload such as {${phpinfo()}} therefore makes the interpreter call phpinfo() while it builds the string, and any other function call, system() included, works the same way.
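To make the mechanism concrete, here is an added example (not code from the Disqus plugin or from the original post) that reproduces the eval()-based decoder in isolation next to a hardened decoder that never evaluates data. rce_probe() is a hypothetical stand-in for the phpinfo() or system() call an attacker would use; it only records that attacker-controlled code ran. The example assumes PHP 7.4 or later; the {${expr}} form used by the payload is still live syntax in current PHP (8.2 deprecated only the bare ${expr} form and recommends exactly this one instead).

```php
<?php
// Added example, not the plugin's code: the eval()-based string decoder
// from getNextToken() reproduced in isolation, beside a safe replacement.
declare(strict_types=1);

// Hypothetical stand-in for phpinfo()/system() in the attacker's payload.
$GLOBALS['rce_hits'] = 0;
function rce_probe(): string
{
    $GLOBALS['rce_hits']++;
    // The return value is then used as a *variable name* by {${...}};
    // 'buf' resolves to the decoder's own $buf, which keeps the demo free
    // of undefined-variable warnings. The side effect has already happened.
    return 'buf';
}

// Same shape as the plugin: $buf (literal body, backslashes already
// consumed by the scanner) is re-quoted and handed to eval(). Only the
// double quote is escaped, so $ and {$...} are interpreted as code.
function vulnerable_unquote(string $buf): string
{
    return eval('return "' . str_replace('"', '\"', $buf) . '";');
}

// Encode a BMP code point as UTF-8 (surrogate pairs are not handled here).
function cp_to_utf8(int $cp): string
{
    if ($cp < 0x80) {
        return chr($cp);
    }
    if ($cp < 0x800) {
        return chr(0xC0 | ($cp >> 6)) . chr(0x80 | ($cp & 0x3F));
    }
    return chr(0xE0 | ($cp >> 12)) . chr(0x80 | (($cp >> 6) & 0x3F)) . chr(0x80 | ($cp & 0x3F));
}

// Hardened replacement: decode JSON escapes with a lookup table and reject
// anything else. Takes the literal body *with* its backslashes intact, i.e.
// the scanner must stop consuming them. Data is never passed to eval().
function safe_unquote(string $raw): string
{
    static $map = ['"' => '"', '\\' => '\\', '/' => '/', 'b' => "\x08",
                   'f' => "\x0C", 'n' => "\n", 'r' => "\r", 't' => "\t"];
    $out = '';
    $len = strlen($raw);
    for ($i = 0; $i < $len; $i++) {
        $c = $raw[$i];
        if ($c !== '\\') {
            $out .= $c;
            continue;
        }
        if (++$i >= $len) {
            throw new InvalidArgumentException('dangling backslash');
        }
        $c = $raw[$i];
        if (isset($map[$c])) {
            $out .= $map[$c];
        } elseif ($c === 'u' && preg_match('/^[0-9A-Fa-f]{4}/', substr($raw, $i + 1), $m)) {
            $out .= cp_to_utf8((int) hexdec($m[0]));
            $i += 4;
        } else {
            throw new InvalidArgumentException("invalid escape \\$c at offset $i");
        }
    }
    return $out;
}

$payload = '{${rce_probe()}}';   // same shape as the post's {${phpinfo()}}

echo vulnerable_unquote($payload), "\n";
printf("eval() decoder: probe executed %d time(s)\n", $GLOBALS['rce_hits']);

$GLOBALS['rce_hits'] = 0;
echo safe_unquote($payload), "\n";   // comes back as plain text
printf("safe decoder:   probe executed %d time(s)\n", $GLOBALS['rce_hits']);

// Ordinary JSON escapes still decode correctly without eval():
echo safe_unquote('He said \"hi\"\ttab \u00e9'), "\n";
```

Run with php on the command line: the first decoder reports that the probe executed once (the expression inside {${...}} runs before the interpreter even looks up the resulting variable name), the second reports zero and returns the payload as the literal text it is. The safe decoder also fixes a lesser defect of the original scanner, which drops the backslash from \n or \t and so turns them into a bare n or t; on PHP 5.2 and later the right fix is simply the native json_decode().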

The Attack Vector

All we needed was to find where our payload should be stored for it to reach the vulnerable eval() call. To do this, we had to check whether user-provided data was ever processed by the getNextToken() function.

Our first guess was that, given comments sent through Disqus are directly going to their servers, there was probably a way to do the opposite: getting the comments for a given post from their services.

And we were right. A bit of searching led us to a comment-synchronization feature that any unauthenticated visitor could trigger by adding two parameters to a URL, such as

http://somesite.com/?cf_action=sync_comments&post_id=TARGET_POST_ID

All that remained was to test our findings, which worked as expected. With a working exploit in hand, using it against a site took three steps:

  1. Push our payload into some post's comments
  2. Get this post's ID
  3. Request a comments synchronization by adding the parameters we mentioned earlier to our URL

That's it, looks simple right? So if you are running an outdated version of WordPress or PHP, you need to update Disqus as soon as possible. All other users are also advised to update as soon as they can, even though this vulnerability does not apply to them.

If your website is behind our Website Firewall you are already being virtually patched.
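For sites that are not behind a firewall, the trigger step above leaves a recognisable trace in the web server log even though the payload itself lives in a Disqus comment. The following added example (not code from the original post or the plugin) scans access-log lines for requests to the guest-reachable comment-sync endpoint and flags clients that sweep across several posts. The log lines are constructed for this example and the addresses come from documentation ranges; the threshold of three is an arbitrary choice.

```php
<?php
// Added example, not from the original post or the Disqus plugin: find
// requests to the comment-sync endpoint in combined-format access logs.
declare(strict_types=1);

// Constructed sample log for this example (documentation IP ranges).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [20/Jun/2014:10:01:02 +0000] "GET /?cf_action=sync_comments&post_id=42 HTTP/1.1" 200 512 "-" "curl/7.30.0"
198.51.100.4 - - [20/Jun/2014:10:01:05 +0000] "GET /2014/06/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2014:10:01:09 +0000] "GET /?post_id=42&cf_action=sync_comments HTTP/1.1" 200 512 "-" "curl/7.30.0"
203.0.113.7 - - [20/Jun/2014:10:01:12 +0000] "GET /?cf_action=sync_comments&post_id=43 HTTP/1.1" 200 512 "-" "curl/7.30.0"
192.0.2.9 - - [20/Jun/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Split one combined-log-format line into fields; null if it does not parse.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Every request that triggers the Disqus comment sync, grouped by client IP.
// The query string is parsed rather than substring-matched, so parameter
// order and extra parameters do not evade the check.
function find_sync_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $query = parse_url($r['path'], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        if (($params['cf_action'] ?? '') !== 'sync_comments') {
            continue;
        }
        $hits[$r['ip']][] = ['time' => $r['time'], 'post_id' => $params['post_id'] ?? '?', 'ua' => $r['ua']];
    }
    return $hits;
}

// Clients that triggered at least $threshold syncs: a scripted sweep across
// posts looks like this, an ordinary visitor's browser normally does not.
function flag_sweeps(array $hits, int $threshold): array
{
    return array_keys(array_filter($hits, fn (array $reqs) => count($reqs) >= $threshold));
}

$hits = find_sync_requests(SAMPLE_LOG);
foreach ($hits as $ip => $reqs) {
    printf("%-15s %d sync request(s) for post_id %s  UA: %s\n",
        $ip, count($reqs), implode(',', array_column($reqs, 'post_id')), $reqs[0]['ua']);
}
foreach (flag_sweeps($hits, 3) as $ip) {
    echo 'ALERT: ' . $ip . ' is repeatedly triggering comment sync; review the Disqus comments on those posts for {${ payloads' . "\n";
}
```

A sync request is legitimate plugin behaviour, so a single hit is not evidence of an attack; what stands out is an unauthenticated client, typically with a non-browser User-Agent, walking through post IDs. The log only shows the trigger, so confirming exploitation means looking at the comments Disqus returned for those posts, and the first thing to look for there is the {${ sequence from the payload shape above.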


Categories: Vulnerability Disclosure

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Comments

  1. Michael P. Shipley

    June 21, 2014

    Excellent work. This is very dangerous because many sites use Disqus.

  2. WatWebDev.com

    June 21, 2014

    Great work. By my calculations and using data from w3techs.com, 3.56% of WordPress users have version 3.1.4 installed and must therefore be using the affected version of PHP.

    The stats per WordPress version are detailed below. Version 3.* has 98.6% of all versions, so I downsized the percentages for versions within 3.* to account for this and make them total percentages over all versions.

    3.1.4 0.22%
    3.1.3 0.40%
    3.1.2 0.29%
    3.1.1 0.19%

    3.1.* Total: 1.1% (1.08%)

    3.0 1.1% (1.08%)
    2.* 1.4%

    Grand Total: 3.56%

    3.56% is still a lot. While it is numerically not a large number, it is still a good success ratio and attractive to an attacker. As always, for these affected websites, it is a tough lesson to learn to update WordPress and make sure your host (if you are using shared hosting) is updating the server to help keep you and your customers secure.

  3. Vimal Venkatesh

    July 15, 2014

    Brilliant work. ‘Disqus’ comment system is getting a big boost today and they’re integrating with many websites to create better discussions for readers. This post would help us to test! Thanks

  4. Nimrod Flores

    August 1, 2014

    Great work! Thanks for sharing this out.

    I use Disqus myself and although I’m not really affected with this vulnerability, it’s still good to know how exploits like this work.

  5. @yeuphonic

    August 4, 2014

    Got the email on 31 July but my plugin was already updated. I'm here for the tech info.

  6. John

    October 29, 2014

    Great work!

  7. David Braggs

    November 4, 2014

    Disqus is indeed necessary today as it has been an efficient tool to make easy discussions in a large number of websites with a single platform.

  8. friv4k

    December 16, 2015

    it makes us have more and more discs in our life, So kind for you, I also hope you will make more and more excellent post and let’s more and more talk, thank you very much, dear.

  9. Henry Price

    October 5, 2016

    I feel safe upon using Disqus. As I am using ESET Antivirus and my PC is not vulnerable to any hacking and malware.
