18 May 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in BibleGet I/O

From time to time vulnerabilities are fixed in a plugin without anyone putting out a report on them, and in those cases we will put out a post detailing the vulnerability. While publishing the details of a vulnerability increases the chances of it being exploited, it also helps to identify vulnerabilities that haven’t been fully fixed (or in some cases not fixed at all) and to identify additional vulnerabilities in the plugin.


[Read more]

11 Apr 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Analytic

Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago, and then in February and March we spotted a couple more plugins that look to be from the set of plugins being targeted. We recently ran across requests for yet another plugin that looks to be part of that set, Analytic, which like the others contains a remote code execution (RCE) vulnerability.

When a request is sent to the file /setup.php, the contents of the POST input “install” are placed in the file /install.php, where they will run as PHP code when that file is requested: [Read more]

3 Mar 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Opti SEO

Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago, and last month we discussed another plugin that looks to be from that set. We recently have been seeing a lot of requests probing for usage of those plugins, though usually probing for only one of them instead of the whole group. We also recently had a request for yet another plugin that looks to be part of that set, Opti SEO, which like the others contains a remote code execution (RCE) vulnerability.

In the file /install.php, the contents of the POST input “newins” are placed in the file /installed.php, which due to its .php extension will allow PHP code placed in the file to be executed when it is requested: [Read more]
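The Analytic and Opti SEO write-ups above describe the same bug class: a value taken straight from a POST request is written into a file whose .php extension makes the web server execute it. The scanner below is an added example, not code from the plugins or from the original posts. It is a heuristic taint check for that pattern: it follows request input through simple assignments and fopen handles and flags any write of it to a path containing .php. The PHP samples are constructed to mirror the described pattern and a hardened variant; they are not the plugins' actual code. A capability or nonce check is reported but not treated as a fix, since it only limits who can trigger the write.

```python
"""Heuristic taint scan for the bug class behind these plugin RCEs: request
input written into a file with a .php extension. Added example, not code
from the plugins or from the original post; the PHP samples below are
constructed to mirror the pattern the write-ups describe."""
import re

SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$(\w+)")
ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.+)$", re.S)
# A guard seen before the write is reported, not treated as a fix: a capability
# or nonce check only narrows who can trigger the file write.
GUARDS = ("current_user_can", "check_admin_referer", "wp_verify_nonce")


def statements(src):
    """Drop PHP open/close tags and line comments, then split on ';'.
    Good enough for plugin-style code whose string literals contain no ';'."""
    src = re.sub(r"<\?php|\?>", " ", src)
    src = re.sub(r"//[^\n]*", "", src)
    return [s.strip() for s in src.split(";") if s.strip()]


def call_args(stmt, func):
    """Top-level argument texts of the first call to func in stmt, else None."""
    m = re.search(r"\b" + func + r"\s*\(", stmt)
    if not m:
        return None
    depth, start, args = 1, m.end(), []
    for i in range(m.end(), len(stmt)):
        c = stmt[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append(stmt[start:i].strip())
                return args
        elif c == "," and depth == 1:
            args.append(stmt[start:i].strip())
            start = i + 1
    return None


def is_tainted(expr, tainted):
    """True when expr reads a request superglobal or a variable derived from one."""
    return bool(SUPERGLOBAL.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def scan(src):
    """Return one finding per write of tainted data to a path containing .php."""
    tainted, handles, guarded, findings = set(), {}, False, []
    for n, stmt in enumerate(statements(src), 1):
        if any(g in stmt for g in GUARDS):
            guarded = True
        m = ASSIGN.match(stmt)
        if m:
            name, rhs = m.groups()
            fopen_args = call_args(rhs, "fopen")
            if fopen_args:
                handles[name] = fopen_args[0]      # remember the path behind the handle
            elif is_tainted(rhs, tainted):
                tainted.add(name)                  # propagate taint through assignment
        target = data = None
        args = call_args(stmt, "file_put_contents")
        if args and len(args) >= 2:
            target, data = args[0], args[1]
        else:
            for fn in ("fwrite", "fputs"):
                args = call_args(stmt, fn)
                if args and len(args) >= 2:
                    handle = VAR.match(args[0])
                    target = handles.get(handle.group(1)) if handle else None
                    data = args[1]
                    break
        if target and ".php" in target and is_tainted(data, tainted):
            findings.append({"statement": n, "target": target, "data": data, "guarded": guarded})
    return findings


# Constructed samples (not the real plugins' code). The first two follow the
# pattern described above: a POST value lands in a file that PHP will execute.
VULNERABLE_FWRITE = """<?php
$install = $_POST['install'];
$fp = fopen( dirname( __FILE__ ) . '/install.php', 'w' );
fwrite( $fp, $install );
fclose( $fp );
"""

VULNERABLE_PUT = """<?php
file_put_contents( dirname( __FILE__ ) . '/installed.php', $_POST['newins'] );
"""

# Hardened form: admin-only, nonce-checked, and the value goes into the options
# table rather than into any file, so there is nothing for PHP to execute.
HARDENED = """<?php
if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'forbidden' ); }
check_admin_referer( 'demo_save' );
update_option( 'demo_settings', sanitize_text_field( $_POST['install'] ) );
"""

if __name__ == "__main__":
    samples = (("fwrite", VULNERABLE_FWRITE), ("file_put_contents", VULNERABLE_PUT),
               ("hardened", HARDENED))
    for label, sample in samples:
        print(label, scan(sample))
```

Running it reports the fwrite sample's third statement and the file_put_contents sample's first statement as writes of request data into a .php file, and nothing for the hardened sample. The scan is deliberately shallow (no string parsing, no function-call taint), so treat a hit as a lead to read by hand rather than as a verdict, and treat a clean result as no evidence either way.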

27 Jan 2017

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Google Maps by Daniel Martyn

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/google-maps-by-daniel-martyn/js/gmbdm.js, from the plugin Google Maps by Daniel Martyn. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

In looking over the plugin for what a hacker might be interested in, we quickly found a remote code execution vulnerability in it. The file /inuse.php contains the following code: [Read more]

24 Oct 2016

A Good Example of Why WordPress Keeping Quiet About Unfixed Plugin Vulnerabilities Doesn’t Make Sense

We think that WordPress does a pretty good job when it comes to security, but there is a glaring problem we have run across: the handling of unfixed vulnerabilities in WordPress plugins. When a vulnerability in a plugin is reported to the Plugin Directory, unless it is very minor, the plugin is pulled pending a fix. That prevents anyone who isn’t already using the plugin from installing it and making themselves vulnerable, but everyone who already has it installed will remain vulnerable until the vulnerability is fixed. A lot of the time that happens fairly quickly after the plugin is removed, but in other cases it takes a long time or never happens. For that reason, over four and a half years ago we first suggested that websites with removed plugins installed should be alerted. At the time we proposed this on the Ideas section of wordpress.org, and shortly thereafter it was indicated that this was being worked on. By earlier this year it was indicated that they cannot provide this, not for some technical reason, but because “IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk.”. We previously discussed that this really doesn’t make sense, and we just ran into another example that we think provides further evidence of why this is a bad stance.

Part of the explanation for their thinking that this would put websites at more risk is this: [Read more]

12 Jul 2016

Remote Code Execution (RCE) Vulnerability in wSecure Lite

We recently disclosed a minor, but very obvious, vulnerability in a WordPress plugin for logging user activity. What we found kind of stunning about this was that the developer of the plugin was a WordPress security company that claimed to “specialize” in doing security reviews of plugins. We later got an email from someone at the company who seemed to be surprised that we would have a negative view of the security industry. We have a hard time believing that someone who actually cares about security and sees what is going on would not have such a view, considering how bad things are. We recently found another reminder of that in a security plugin with an incredibly serious vulnerability.

wSecure Lite is a plugin that makes it so that visiting the normal URLs to log in to the WordPress admin area does not work, and instead you have to visit a special URL to log in (as the name suggests, there is also a paid version of the plugin). That isn’t something that really provides you much protection, as the only thing the average website needs to do in regards to login security is use a strong password. In this case, though, using the plugin opened you up to a remote code execution (RCE) vulnerability, which would allow a hacker to do just about anything on the website. [Read more]