Mind your WordPress plugins...

hugo (Forum Fanatic)
Joined: 14 Jun 2003
Location: Netherlands, Europe

Posted: Mon Jul 05, 2010 10:26 am    Post subject: Mind your WordPress plugins...

A little reminder that one should always check something for vulnerabilities if you can. Quite recently, I had to rebuild a client's website locally for some customisations (WordPress and some plugins).

After installing it, I noticed some obscure errors while loading the page. The exact error I do not remember though, but it was reason to inspect the plugins. I discovered that one was quite "backdoor-ish" in its behaviour.

This is what was executed every time that WordPress rendered a page:
Code:
function VisitorCredits() {
        $q = "HTTP_REFERER=".urlencode($_SERVER['HTTP_HOST'])."&PLUGIN=POST&HTTP_USER_AGENT=".urlencode($_SERVER['HTTP_USER_AGENT'])."&REMOTE_ADDR=".urlencode($_SERVER['REMOTE_ADDR']);
        $req = "POST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: [HOST STRIPPED]\r\nContent-Length: ".strlen($q)."\r\nConnection: close\r\n\r\n".$q;
        $fp = @fsockopen('[HOST STRIPPED]', 80, $errno, $errstr, 10);
        if(!fwrite($fp, $req)) { fclose($fp); }
        $result = ''; while(!feof($fp)) { $result .= fgets($fp); } fclose($fp);
        $result = explode("\r\n\r\n", $result); echo $result[1];
}


I.e. this pings "home" every time that a page is rendered, sending information about the visitor.

Apart from that itself being very very naughty, couple it with the fact that this plugin supplied a publicly accessible script that has this code in it:

Code:
$r = $wpdb->get_var("SELECT rating_".$_POST['rating']." FROM ".$wpdb->posts." WHERE ID = '".$_POST['id']."'");


...and you've got your website set up for an SQL injection, where the original author has a nice list of websites that have installed his evil plugin...

Now, it is debatable whether the author has done this on purpose. The author could simply be completely security-unaware, and could simply not care about privacy when writing that phone-home routine, which interestingly contains the comment "Please keep this. Thanks :)"...

The lucky thing is that the domain that this plug-in tried to reach expired a month ago -- most probably the initial error I had was related to that...
JamesMorgan (Forum Fanatic)
Joined: 09 Dec 2010

Posted: Tue Dec 21, 2010 4:37 am
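A static check for the two patterns hugo describes above (a function that opens an outbound connection and ships visitor fields read from $_SERVER, and a $wpdb query concatenated from $_POST without $wpdb->prepare()), as an added example that is not part of the thread. The PHP sample it scans is constructed from the quoted snippets, with the host left as a placeholder, plus one prepared query to show the check does not flag it.

```python
import re

# Constructed sample: the plugin code quoted in the post, host stripped, plus
# one correctly prepared query that the scanner must leave alone.
SAMPLE_PLUGIN_PHP = r"""<?php
function VisitorCredits() {
    $q = "HTTP_REFERER=".urlencode($_SERVER['HTTP_HOST'])."&REMOTE_ADDR=".urlencode($_SERVER['REMOTE_ADDR']);
    $fp = @fsockopen('[HOST STRIPPED]', 80, $errno, $errstr, 10);
    fwrite($fp, $q);
}
$r = $wpdb->get_var("SELECT rating_".$_POST['rating']." FROM ".$wpdb->posts." WHERE ID = '".$_POST['id']."'");
$safe = $wpdb->get_var($wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE ID = %d", $_POST['id']));
"""

REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\[")
VISITOR_DATA = re.compile(r"\$_SERVER\['(?:REMOTE_ADDR|HTTP_USER_AGENT|HTTP_HOST|HTTP_REFERER)'\]")
OUTBOUND_CALL = re.compile(r"\b(?:fsockopen|curl_init|wp_remote_(?:post|get)|file_get_contents)\s*\(")
DB_CALL = re.compile(r"\$wpdb->(?:get_var|get_results|get_row|get_col|query)\s*\(")


def scan_plugin_source(php: str) -> list[tuple[int, str]]:
    """Return (1-based line number, description) for each suspicious construct."""
    findings = []
    lines = php.splitlines()
    for lineno, line in enumerate(lines, start=1):
        # Raw request input spliced into a $wpdb call with no $wpdb->prepare():
        # the injection pattern quoted in the post.
        if DB_CALL.search(line) and REQUEST_INPUT.search(line) and "prepare(" not in line:
            findings.append((lineno, "unprepared $wpdb query built from request input"))
    # Phone-home check: within one function body, an outbound connection plus
    # visitor fields read from $_SERVER. Bodies are delimited by brace depth.
    depth, body_start, body_lines = 0, None, []
    for lineno, line in enumerate(lines, start=1):
        if body_start is None and re.search(r"\bfunction\s+\w+\s*\(", line):
            body_start = lineno
        if body_start is not None:
            body_lines.append(line)
            depth += line.count("{") - line.count("}")
            if depth == 0 and "{" in "".join(body_lines):  # closing brace reached
                body = "\n".join(body_lines)
                if OUTBOUND_CALL.search(body) and VISITOR_DATA.search(body):
                    findings.append((body_start, "function opens an outbound connection and ships visitor data"))
                body_start, body_lines = None, []
    return sorted(findings)


if __name__ == "__main__":
    for lineno, what in scan_plugin_source(SAMPLE_PLUGIN_PHP):
        print(f"line {lineno}: {what}")
```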

This is a real problem for most WordPress users who aren't familiar with PHP and so have no way of knowing whether their service has a back-door vulnerability or not.

I would say, for best practice, only download plugins through the wordpress.org website [or the backend from your WordPress admin page]. These plugins and themes are tested by WordPress; any third-party plugins you acquire from elsewhere aren't tested or monitored by wordpress.org.

I had a minor issue of downloading a theme directly from a developer's website, and it contained an encoded footer backlink to dubious sources.
All times are GMT + 2 Hours