Mind your WordPress plugins...

Networking/Security Forums -> Programming and More

Author: hugoLocation: Netherlands, Europe PostPosted: Mon Jul 05, 2010 10:26 am    Post subject: Mind your WordPress plugins...
A little reminder that one should always check something for vulnerabilities if you can. Quite recently, I had to rebuild a clients' website locally for some customisations (WordPress and some plugins).

After installing it, I noticed some obscure errors while loading the page. The exact error I do not remember though, but it was reason to inspect the plugins. I discovered that one was quite "backdoor-ish" in its behaviour.

This is what was executed every time that WordPress rendered a page:
        function VisitorCredits() {
                $q = "HTTP_REFERER=".urlencode($_SERVER['HTTP_HOST'])."&PLUGIN=POST&HTTP_USER_AGENT=".urlencode($_SERVER['HTTP_USER_AGENT'])."&REMOTE_ADDR=".urlencode($_SERVER['REMOTE_ADDR']);
                $req = "POST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: [HOST STRIPPED]\r\nContent-Length: ".strlen($q)."\r\nConnection: close\r\n\r\n".$q;
                $fp = @fsockopen('[HOST STRIPPED]', 80, $errno, $errstr, 10);
                if(!fwrite($fp, $req)) { fclose($fp); }
                $result = ''; while(!feof($fp)) { $result .= fgets($fp); } fclose($fp);
                $result = explode("\r\n\r\n", $result); echo $result[1];

I.e. this pings "home" every time that a page is rendered, sending information about the visitor.

Apart from that itself being very very naughty, couple it with the fact that this plugin supplied a publically accessible script that has this code in it:

$r = $wpdb->get_var("SELECT rating_".$_POST['rating']." FROM ".$wpdb->posts." WHERE ID = '".$_POST['id']."'");

...and you got your website set-up for an SQL injection, where the original author has a nice list of websites that have installed his evil plugin...

Now, it is debatable whether the author has done this on purpose. The author could simply be completely security-unaware, and could simply not give anything about privacy when writing that phone-home routine, which interestingly contains the comment "Please keep this. Thanks Smile"...

The lucky thing is that the domain that this plug-in tried to reach expired a month ago -- most probably the initial error I had was related to that....

Author: JamesMorgan PostPosted: Tue Dec 21, 2010 4:37 am    Post subject:
This is a real problem for most wordpress users who aren't familair with php and so have no way of knowing whether their service has a back-door vulnerability or not.

I would say, for best practice, only download plugins through the wordpress.org website [or backend from your wordpress admin page], these plugins and themes are tested by wordpress, any third part plugins you acquire from elsewhere aren't tested or monitored by wordpress.org.

I had a minor issue of downloading a theme from directly from a devlopers wbesite, and it contained an encoded footer backlink to dubious sources.

Networking/Security Forums -> Programming and More

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group