A malicious iframe has been making its rounds due to a broken non-existent security check in the admin section of the Fancybox for WordPress plugin. Samples of affected sites indicate the vulnerability is being used to initiate a drive-by download targeting MSIE browsers (potentially targeting a recently-announced unpatched IE exploit?). The plugin exploit vector results from poor handling of unauthenticated requests to the plugin’s admin options page (taken from fancybox.php):
php
Spectacularly Bad
Another round of notable WordPress plugin vulnerabilities made the rounds today- nothing particular noteworthy, just a smattering of XSS, SQLi, and form uploads. The Rich Counter upload vulnerability caught my eye as the PoC notes the exploit vector is through the user agent header. Given that unsanitized user input is more often exploited in query string and POST argument vectors, I thought this was worth a quick once over.
Coordinated Spam Effort
Yesterday we saw a large number of infected domains sending a massive spam run in what appeared to be a coordinated effort. Signs of a large-scale targeted effort included:
- Sharp upticks of outbound spam requests occurring at once across multiple domains
- The same script being used across disparate victims
- A large sampling of IPs submitting malicious requests (a sample has been submitted to the ISC)
Deobfuscating Multicraft’s WHMCS Module
Our good friends over at XHost.ch felt the need to obfuscate the source code for their WHMCS module. Properly-done obfuscation can make reverse engineering nontrivial (thought certainly not impossible); deobfuscating source code when the obfuscating function is provided is trivial. This obfuscation uses two parts- renaming functions and variables to nonsense characters, and encoding strings. Below is a snippet of the original encoded source:
WordPress Trivia, Part 1
I say ‘Part 1’ with no intention to write Parts 2, 3… n.
A quick Google search for ‘how many lines of code in WordPress’ came up with squat. I came up with over 350,000:
|
1 2 |
[robert@hermes wordpress]$ a=0; for i in `find . -type f`; do a=$(($a + `wc -l $i | awk '{ print $1 }'`)); done; echo $a; 364304 |
Granted, that includes the readme and license, but given the size of this codebase, there has to be some cruft, right? While I was absentmindedly perusing wp-includes/functions.php the other day I stumbled across this gem:
Verifying IPs In A Subnet In PHP
Not terribly useful, but the bitshifting was kinda fun.