[wp-hackers] Reporting WordPress exploits?

Sebastian Herp newsletter at scytheman.net
Sat Feb 21 13:25:01 GMT 2009


Hello Damian, hello list,

I also had hidden spam links in my wordpress 2.7 installation. Did your
exploit create a new admin user (check in the database, it is hidden in
den profile viewer, because wordpress apparently allows javascript in
user nicknames and this new user has some code in there that hides the
display of said user)? And is there a key
"rss_f541b3abd05e7962fcab37737f40fad8" in your wp_options table? And
another key "internal_links_cache" which is a base64-encoded string of
your spam links?

If so, we likely are victims of the same exploit, though all references
I can find online point to versions <= 2.5. which are vulnerable, not 2.7.

But it might be that an older wordpress installation (or other script)
on the same server was compromised and just infected other wordpresses
in other directories directly. Nothing wordpress can do against these
kind of attacks, right? Other than maybe not allowing javascript or any
kind of html in the users first name or any other field  :/

And to display a big big warning sign if a plugin in the active_plugins
option has a path like "../../../../../../../../tmp/dslkasl" or
"../upload/plugin.php" or would not be display in the plugin overview,
which in my case it didn't. The exploit loads a fake plugin which in
turn loads the contents of rss_f541b3abd05e7962fcab37737f40fad8 which
includes code for some shell a hacker can use if certain cookie
variables are set, which then loads internal_links_cache and creates a
function that uses the footer-hook to display it's spamlinks. Crazy ;-)

Greetings,
Sebastian

Mindshare Studios schrieb:
> Hi,
>
>  
>
> I was just wondering if there was a recommended procedure for reporting
> WordPress security vulnerabilities. I have a site running 2.7 that has had
> some hidden spam links injected into it, but this may have occurred before I
> upgraded to the latest version. I'm going to completely wipe the server and
> do a fresh install to be sure to get rid of the problems but I thought I'd
> ask the list to see if anyone is interested in looking at the malicious code
> (I've isolated at least three files containing bad code) or if this is worth
> reporting.
>
>  
>
> Thanks,
>
> Damian
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>
>   



More information about the wp-hackers mailing list