Joined: 14 Jun 2003 Posts: 16777215 Location: Netherlands, Europe
Posted: Mon Jul 05, 2010 10:26 am Post subject: Mind your WordPress plugins...
A little reminder that one should always check something for vulnerabilities if you can. Quite recently, I had to rebuild a client's website locally for some customisations (WordPress and some plugins).
After installing it, I noticed some obscure errors while loading the page. I do not remember the exact error, though, but it was reason enough to inspect the plugins. I discovered that one was quite "backdoor-ish" in its behaviour.
This is what was executed every time that WordPress rendered a page:
I.e. this pings "home" every time that a page is rendered, sending information about the visitor.
Apart from that itself being very, very naughty, couple it with the fact that this plugin supplied a publicly accessible script that has this code in it:
$r = $wpdb->get_var("SELECT rating_".$_POST['rating']." FROM ".$wpdb->posts." WHERE ID = '".$_POST['id']."'");
...and you've got your website set up for an SQL injection, where the original author has a nice list of websites that have installed his evil plugin...
Now, it is debatable whether the author has done this on purpose. The author could simply be completely security-unaware, and could simply not care at all about privacy when writing that phone-home routine, which interestingly contains the comment "Please keep this. Thanks"...
The lucky thing is that the domain that this plug-in tried to reach expired a month ago -- most probably the initial error I had was related to that...
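For readers who want to see what the rating query above looks like once the SQL injection is closed, here is a hardened version. This is an added example, not code from the forum post or from the plugin in question; it assumes the same global $wpdb object and the same rating_N columns the plugin added to the posts table (the exact column names, rating_1 to rating_5, are an assumption), and the function name get_post_rating_count is hypothetical.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for
//   $wpdb->get_var("SELECT rating_".$_POST['rating']." FROM ".$wpdb->posts." WHERE ID = '".$_POST['id']."'");
// Assumes the plugin added columns rating_1 .. rating_5 to the posts table.

function get_post_rating_count( array $request ) {
    global $wpdb;

    // A column name cannot be passed to prepare() as a placeholder, so instead of
    // concatenating user input into the identifier, validate it against a fixed
    // whitelist and only ever use one of the known column names.
    $allowed_columns = array( 'rating_1', 'rating_2', 'rating_3', 'rating_4', 'rating_5' );
    $rating = isset( $request['rating'] ) ? (string) $request['rating'] : '';
    $column = 'rating_' . $rating;
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        return null; // unknown column requested: refuse rather than build the query
    }

    // The post ID is a value, not an identifier, so it goes through prepare()
    // with an integer placeholder; absint() is WordPress's own helper.
    $id = isset( $request['id'] ) ? absint( $request['id'] ) : 0;
    if ( 0 === $id ) {
        return null; // missing or non-numeric ID
    }

    $sql = $wpdb->prepare(
        "SELECT {$column} FROM {$wpdb->posts} WHERE ID = %d",
        $id
    );
    return $wpdb->get_var( $sql );
}

// Usage in the publicly reachable handler: verify the request carries a nonce
// (check_ajax_referer() is the standard WordPress call for that) before touching
// the database, then pass the request array explicitly instead of reading
// $_POST inside the query builder.
//
// check_ajax_referer( 'post_rating_nonce' );
// $count = get_post_rating_count( $_POST );
```

The two changes that matter are the whitelist for the column name (the part of the original that no escaping function can fix, because it is an identifier) and the %d placeholder for the ID; the nonce check on top of that stops the script from being driven by an arbitrary third-party page.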
This is a real problem for most WordPress users who aren't familiar with PHP and so have no way of knowing whether their site has a back-door vulnerability or not.
I would say, for best practice, only download plugins through the wordpress.org website [or the backend from your WordPress admin page]; these plugins and themes are tested by WordPress, while any third-party plugins you acquire from elsewhere aren't tested or monitored by wordpress.org.
I had a minor issue after downloading a theme directly from a developer's website: it contained an encoded footer backlink to dubious sources.