17 Jul

Malware Expert’s Post on WordPress Plugin Vulnerability Largely Copied from Ours

We don’t think too highly of the security industry, as, among other issues, there are lots of people that don’t have the expertise required to properly understand the security products/services they are providing, and others that seem to have no problem engaging in unethical behavior. One of the problems the first issue causes is that you often have people simply repeating claims made by others, without knowing if what they are repeating is true (or seeming to care either). Often the original claim was made by someone else who fits into at least the first of those two categories, and not surprisingly the claim isn’t true. On top of that, as we have found in trying to correct misconceptions that are brought up to us when dealing with security issues on websites, this creates an echo chamber where the claims are more likely to be believed because they are repeated over and over, despite being repeated by people that don’t have any idea if they are true.

While looking into something recently, we came across a blog post by a company named Malware Expert from January 7, common.php (Object Injection Vulnerability in Backup & Restore Dropbox). When we went to make sure we had the vulnerability in our data set, we found that we did, but we also noticed that most of the ostensibly original content from the post (much of the content is code from the plugin) was simply copied from our post on the vulnerability from December 15. The content isn’t in quotes and there isn’t any mention of us in the post. At the very least this company doesn’t have a qualm about passing off others’ content as their own, but it also raises questions as to whether they have the expertise needed to understand what they are dealing with. Below is the relevant text from Malware Expert’s post, followed by the original from our post.

Malware Expert:

In the plugin file /wp-content/plugins/dropbox-backup/dropbox-backup.php the function wpadm_full_backup_dropbox_run() gets registered to run during init (so it runs whenever WordPress loads):

Us:

In the file /dropbox-backup.php the function wpadm_full_backup_dropbox_run() gets registered to run during init (so it runs whenever WordPress loads):

Malware Expert:

That function then causes the function wpadm_run() to run:

Us:

That function then causes the function wpadm_run() to run:

Malware Expert:

When that function runs, if there is a POST input “dropbox-backup_request” included with the request to the website it will pass it to the function wpadm_unpack() (in the file /wp-content/plugins/dropbox-backup/functions/wpadm.php):

Us:

When that function runs, if there is a POST input “dropbox-backup_request” included with the request to the website it will pass it to the function wpadm_unpack() (in the file /functions/wpadm.php):

Malware Expert:

That in turn causes the POST input “dropbox-backup_request” to be run through the function unserialize, which allows the possibility of PHP object injection to occur:

Us:

That in turn causes the POST input “dropbox-backup_request” to be run through the function unserialize, which allows the possibility of PHP object injection to occur:
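The chain both posts describe ends with request data fed straight into unserialize(). As an added example (not code from the plugin or from either post), the following hypothetical helper shows how such a value could be unpacked without letting the request decide which PHP classes are instantiated; the parameter name is the one from the posts, the function name and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. safe_unpack() is a hypothetical
// replacement for unpacking the raw "dropbox-backup_request" POST value.

function safe_unpack(string $raw): ?array
{
    // allowed_classes => false (PHP 7.0+) turns every "O:" entry into
    // __PHP_Incomplete_Class, so no application class's __wakeup() or
    // __destruct() can be triggered by request data. The @ silences the
    // E_NOTICE that unserialize() raises on malformed input.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;  // malformed, or not the array a backup request should be
    }

    // Defence in depth: refuse payloads that still carry an object, even a
    // neutralised one, anywhere in the structure.
    $has_object = false;
    array_walk_recursive($data, function ($value) use (&$has_object): void {
        if (is_object($value)) {
            $has_object = true;
        }
    });
    return $has_object ? null : $data;
}

// Constructed inputs for illustration (not captured traffic).
$samples = [
    'plain array'      => 'a:1:{s:6:"action";s:11:"full_backup";}',
    'top-level object' => 'O:8:"stdClass":0:{}',
    'nested object'    => 'a:1:{s:1:"k";O:8:"stdClass":0:{}}',
];

foreach ($samples as $label => $input) {
    echo $label, ': ', safe_unpack($input) === null ? 'rejected' : 'unpacked', PHP_EOL;
}
```

If the request format can be changed, replacing serialize()/unserialize() with json_encode()/json_decode() removes the class-instantiation problem entirely rather than containing it.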

2 thoughts on “Malware Expert’s Post on WordPress Plugin Vulnerability Largely Copied from Ours”

  1. We need to apologize to you if we copied some of your content to our webpage! There was bad English that made it look like we had found this vulnerability.

    It now states that you found this vulnerability: https://malware.expert/vulnerability/common-php-object-injection-vulnerability-in-backup-restore-dropbox/

    There was new common.php malware that we did find (a new one).

    Malware.Expert doesn’t try to find any vulnerabilities; we just publish FREE malware signatures to detect malware.

    Anyone can use these signatures for free: https://malware.expert/signatures/

    Our ModSecurity rules block attacks on web hosting servers – https://malware.expert/modsecurity-rules/
