The plugin FL3R User Agent Comments is vulnerable to a stored XSS attack that allows for arbitrary Javascript execution in the context of the admin dashboard, as well as injection into any page which displays comments.
wordpress
Fancybox for WordPress – Zero Day and Broken Patch
A malicious iframe has been making its rounds due to a broken non-existent security check in the admin section of the Fancybox for WordPress plugin. Samples of affected sites indicate the vulnerability is being used to initiate a drive-by download targeting MSIE browsers (potentially targeting a recently-announced unpatched IE exploit?). The plugin exploit vector results from poor handling of unauthenticated requests to the plugin’s admin options page (taken from fancybox.php):
Fake Googlebot WordPress Login Bruteforce
… sigh.
A few hours ago we started seeing an interesting trend. A highly distributed set of clients is attempting to authenticate to WordPress sites using a very distinct pattern. Captures and initial analysis below.
WordPress Trivia, Part 2
Oh, crap, I did it again.
WordPress core will send headers that prevent caching by browsers and RFC-compliant reverse proxies (like Ledge) when a user is logged in, or an error (such as 404) is returned. These headers are defined in wp-includes/functions.php:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
999 /** 1000 * Get the header information to prevent caching. 1001 * 1002 * The several different headers cover the different ways cache prevention 1003 * is handled by different browsers 1004 * 1005 * @since 2.8.0 1006 * 1007 * @return array The associative array of header names and field values. 1008 */ 1009 function wp_get_nocache_headers() { 1010 $headers = array( 1011 'Expires' => 'Wed, 11 Jan 1984 05:00:00 GMT', 1012 'Cache-Control' => 'no-cache, must-revalidate, max-age=0', 1013 'Pragma' => 'no-cache', 1014 ); |
Nothing crazy. But what’s so special about January 11, 1984? Beats me, I wasn’t alive then. But we have the Internet (and copious amounts of free time while I’m stuck on a graveyard rotation)!
Spectacularly Bad
Another round of notable WordPress plugin vulnerabilities made the rounds today- nothing particular noteworthy, just a smattering of XSS, SQLi, and form uploads. The Rich Counter upload vulnerability caught my eye as the PoC notes the exploit vector is through the user agent header. Given that unsanitized user input is more often exploited in query string and POST argument vectors, I thought this was worth a quick once over.
More WordPress XMLRPC Brute Force Attacks
If I never see this file again, it might be too soon.
We’re seeing an uptick in requests to xmlrpc.php, the API endpoint for WordPress. The wp.getUsersBlogs method is being hit across a large number of domains; I managed to grab a series of request payloads:
Obligatory InfoSec Blog Heartbleed Post
Too lazy to write anything else. You know what to do.
Brute Force Uptick
Okay, so just to clarify, am I actually breaking this news? No. Definitely not. But my automated log scanner picked up a jump in malicious activity yesterday on my network, so it’s worth taking a closer look. First, we see the jump in numbers:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
$ grep wp-login access.log-20140330 | awk '{ print $1 }' | sort | uniq -c | sort -n 2 X.X.X.197 5 X.X.X.122 5 X.X.X.219 5 X.X.X.98 5 X.X.X.114 5 X.X.X.37 8 X.X.X.159 10 X.X.X.226 10 X.X.X.36 10 X.X.X.160 11 X.X.X.141 15 X.X.X.49 15 X.X.X.12 15 X.X.X.15 20 X.X.X.127 35 X.X.X.101 $ grep wp-login access.log-20140329 | awk '{ print $1 }' | sort | uniq -c | sort -n 2 X.X.X.249 $ grep wp-login access.log-20140328 | awk '{ print $1 }' | sort | uniq -c | sort -n 1 X.X.X.196 |
Note that addresses have been lazily obfuscated but do not actually belong to the same class C, though some do share common ASNs (and some do indeed share a common class C). Wonderful, so let’s take a look at the log itself (a small sample is presented below for brevity):
WordPress Trivia, Part 1
I say ‘Part 1’ with no intention to write Parts 2, 3… n.
A quick Google search for ‘how many lines of code in WordPress’ came up with squat. I came up with over 350,000:
|
1 2 |
[robert@hermes wordpress]$ a=0; for i in `find . -type f`; do a=$(($a + `wc -l $i | awk '{ print $1 }'`)); done; echo $a; 364304 |
Granted, that includes the readme and license, but given the size of this codebase, there has to be some cruft, right? While I was absentmindedly perusing wp-includes/functions.php the other day I stumbled across this gem: