[wp-hackers] [Full-disclosure] Possible Code Execution vulnerability in WordPress ?

Chip Bennett chip at chipbennett.net
Sun Jul 3 12:43:01 UTC 2011


The Hackers list is not the first, or best, audience for this type of
message. You should email security at wordpress.org directly if you believe you
have discovered evidence of a vulnerability or an exploit vector.

Also, be sure to read the Hardening WordPress entry in the Codex:
http://codex.wordpress.org/Hardening_WordPress

Chip

On Sun, Jul 3, 2011 at 6:33 AM, Marc Manthey <marc at let.de> wrote:

> hello list,
>
> I have been using WordPress for 2 years without any trouble, updating regularly,
> but last Friday I got a mail from my hoster
> that someone "uploaded" a phishing script into my "upload folder". After I
> found out that the "contact form" module might cause
> the problem, because I always found a "wpcf7_captcha" directory in my
> "upload folder", I removed the module and all went fine.
>
> Today I've got another mail from rsa.com that the same script is still on
> my site, just in a "theme" folder.
> I looked into the installed "phishing script"
> http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
> It seems everything is loaded from https://www1.royalbank.com/, for
> example
> https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif, but this is not the original banking site!!
>
> Is this a DNS manipulation? https://www1.royalbank.com ??? When I try
> http://www.royalbank.com it redirects me to the original banking site at
>
> http://www.rbcroyalbank.com !!!!
>
> After I searched for some information, I found this on the full
> disclosure list, and I am a bit concerned now....
>
> [Full-disclosure] Code Execution vulnerability in WordPress
> http://seclists.org/fulldisclosure/2011/Apr/535
>
> Any idea what to do?
>
> cheers
>
>
> Marc
>
>
>>>
>>> -------- Original Message --------
>>> Subject:        Fraudulent site, please shut down! [RBC 11266] IP: 91.184.33.25 Domain: let.de
>>> Date:   Sun, 3 Jul 2011 02:33:05 +0300
>>> From:   <afcc at rsa.com>
>>> To:     <abuse at speedpartner.de>
>>> CC:     <metz at speedpartner.de>
>>>
>>>
>>>
>>> Dear Sir or Madam,
>>>
>>
>
> Second attempt:
>
>
>>> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
>>> ,
>>>
>>
> First attempt:
>
>
> http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
>>
>
>
> --  Les enfants teribbles - research / deployment
> Marc Manthey- Vogelsangerstrasse 97
> 50823 Köln - Germany
> Tel.:0049-221-29891489
> Mobil:0049-1577-3329231
> blog: http://let.de
> twitter: http://twitter.com/macbroadcast/
> facebook : http://opencu.tk
>
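The two paths in Marc's report share a pattern that is easy to check for on a defender's side: a directory named after a bank hostname, dropped under wp-content/uploads and under a theme, holding a static index.html. The script below is an added example, not code from this thread or from WordPress, that walks those two areas of a wp-content tree and flags exactly that pattern. It assumes the site only serves media files (the ALLOWED_UPLOAD_EXTS set is an assumption) from its uploads directory and that its themes ship no static .html pages; the sample tree it builds is constructed for the demonstration and mirrors the two paths from the report.

```python
import os
import re
import tempfile

# Assumption: only these media types legitimately live under wp-content/uploads.
# Adjust the set to whatever the site actually uploads through the media library.
ALLOWED_UPLOAD_EXTS = {
    ".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg",
    ".pdf", ".mp3", ".mp4", ".zip",
}

# A directory whose name looks like a hostname ("www1.royalbank.com") is a
# strong hint that a phishing kit was unpacked there: kits are usually named
# after the brand they imitate. Requires at least one dot-separated label.
HOSTNAME_DIR = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def find_suspicious(wp_content):
    """Scan wp-content/uploads and wp-content/themes.

    Returns a sorted list of (relative_path, reason) tuples, with paths
    relative to wp_content and using forward slashes.
    """
    findings = []
    for area in ("uploads", "themes"):
        base = os.path.join(wp_content, area)
        if not os.path.isdir(base):
            continue
        for dirpath, dirnames, filenames in os.walk(base):
            rel_dir = os.path.relpath(dirpath, wp_content).replace(os.sep, "/")
            for d in dirnames:
                if HOSTNAME_DIR.match(d):
                    findings.append((f"{rel_dir}/{d}", "directory named like a hostname"))
            for f in filenames:
                rel = f"{rel_dir}/{f}"
                ext = os.path.splitext(f)[1].lower()
                if area == "uploads" and ext not in ALLOWED_UPLOAD_EXTS:
                    # HTML, PHP or anything else that is not media under uploads
                    findings.append((rel, "non-media file under uploads"))
                elif area == "themes" and ext == ".html":
                    # Themes are PHP; a static index.html does not belong here
                    findings.append((rel, "static HTML inside a theme"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed wp-content tree in a temp dir that reproduces the
    two locations from the report plus some legitimate files, and return its path."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = [
        "uploads/2011/07/photo.jpg",                          # legitimate media
        "uploads/2011/www1.royalbank.com/index.html",         # first attempt
        "themes/twentyten/style.css",                         # legitimate theme file
        "themes/twentyten/index.php",                         # legitimate theme file
        "themes/twentyten/www1.royalbank.com/index.html",     # second attempt
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


def scan_sample():
    """Build the constructed tree and return what the scanner flags in it."""
    return find_suspicious(build_sample_tree())


if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{reason}: {path}")
```

Run it against a real installation with `find_suspicious("/var/www/html/wp-content")`; every hit is something to inspect, not necessarily an infection, and the cleanup advice in the Hardening WordPress page still applies afterwards.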
