Fancybox for WordPress – Zero Day and Broken Patch

A malicious iframe has been making its rounds due to a broken (in fact, non-existent) security check in the admin section of the Fancybox for WordPress plugin. Samples of affected sites indicate the vulnerability is being used to initiate a drive-by download targeting MSIE browsers (potentially targeting a recently-announced unpatched IE exploit?). The plugin exploit vector results from poor handling of unauthenticated requests to the plugin’s admin options page (taken from fancybox.php):


WordPress Trivia, Part 2

Oh, crap, I did it again.

WordPress core will send headers that prevent caching by browsers and RFC-compliant reverse proxies (like Ledge) when a user is logged in, or an error (such as 404) is returned. These headers are defined in wp-includes/functions.php:

Nothing crazy. But what’s so special about January 11, 1984? Beats me, I wasn’t alive then. But we have the Internet (and copious amounts of free time while I’m stuck on a graveyard rotation)!


Spectacularly Bad

Another round of notable WordPress plugin vulnerabilities made the rounds today: nothing particularly noteworthy, just a smattering of XSS, SQLi, and form uploads. The Rich Counter upload vulnerability caught my eye, as the PoC notes the exploit vector is through the User-Agent header. Given that unsanitized user input is more often exploited via query string and POST argument vectors, I thought this was worth a quick once-over.


Brute Force Uptick

Okay, so just to clarify, am I actually breaking this news? No. Definitely not. But my automated log scanner picked up a jump in malicious activity yesterday on my network, so it’s worth taking a closer look. First, we see the jump in numbers:

Note that addresses have been lazily obfuscated but do not actually belong to the same class C, though some do share common ASNs (and some do indeed share a common class C). Wonderful, so let’s take a look at the log itself (a small sample is presented below for brevity):


WordPress Trivia, Part 1

I say ‘Part 1’ with no intention to write Parts 2, 3… n.

A quick Google search for ‘how many lines of code in WordPress’ came up with squat. I came up with over 350,000:

Granted, that includes the readme and license, but given the size of this codebase, there has to be some cruft, right? While I was absentmindedly perusing wp-includes/functions.php the other day I stumbled across this gem:
