WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin

An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin that was installed on over 10,000 websites. The zero-day was used in real-world attacks since May 26, but only surfaced to light on May 29 when researchers notified the plugin's developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.org's Plugin Directory on May 31. In the meantime, security firm Sucuri says it detected numerous attacks with this zero-day, which was caused by a lack of input filtering in an image upload field that allowed attackers to upload PHP backdoors on the victim's servers with incredible ease and without any tricky workarounds. The backdoor's password is "dinamit," the Russian word for dynamite.

Developer

[turkeydance]

Jimmie Walker

Well, yeah

[AlphaBro]

This isn't really news, Wordpress plugins are notoriously insecure. It would be more surprising if someone found one that wasn't rife with vulnerabilities. Fortunately, 10,000 sites is a tiny user base compared to a lot of plugins.

Re:

[Anonymous Coward]

Try telling that to a Business head who praises how great Wordpress is and how its the only platform they consider to use. I tell all potential customers to stay away from Wordpress and if I'm asked to work with it I tell them I'm not interested in the job *.

I've administered enough cPanel servers to know the extent and damage of wild Wordpress exploits and quite frankly cannot for the life of me understand why it gets chosen as a preferred platform of use.

* Yes I like money. No I don't deal with cheapskate

"Build into" meaning "can't update"?

[raymorris]

> Given that a lot of plugins do things that a developer can build into wordpress,

It almost sounds like you're suggesting editing the core Wordpress code, meaning you can no longer update easily to get security fixes. That would, of course, be a very bad idea, especially with Wordpress since it's so dead simple to write a plugin, but write it correctly.

This particular plugin was supposed to switch themes based on whether it's a mobile device or not. Putting aside the 1999 mentality of that, it also all

Re:

[gl4ss]

something like that should be a core functionality of wordpress and if it wasn't, should be done with css pretty much.

doing it like .. say, slashdot, is an idiots way.

Yep. Slashdot classic is good at 3.5"

[raymorris]

> doing it like .. say, slashdot, is an idiots way.

Yeah funny thing is, Slashdot does it both very well and the silly way. mobile.slashdot.org is rather annoying, meaning it was a waste of time for them to build it. On the other hand, if click "use Classic" you find that the old 1990s Slashdot works pretty darn well - regardless of which device. Classic works fine on my little phone, my tablet, my giant desktop screen - mostly because it doesn't presume any particular size or resolution. It lets the

People who don't know, don't know

[raymorris]

> So then /you're/ suggesting just write a plugin, which also avoids someone else's shitty plugin's problems.

Yes, I'm saying that if you want to modify Wordpress behavior, that's best done via plugin. From a security point of view, that allows you to upgrade Wordpress as normal. Obviously there are also lots of other benefits to modules, such as plugins, over "wall of code". Excellent support for modules/plugins is a main reason that Wordpress, Apache, and many others are so popular.

Yes, obviously I pre

Re:

[Dogtanian]

This particular plugin was supposed to switch themes based on whether it's a mobile device or not. Putting aside the 1999 mentality of that

1999? Seriously? IIRC back then even regular, non-smart phones were only just starting to become truly mass market, every-man-and-his-dog items, and the mobile Internet- if you can call it that- consisted of a few devices supporting WAP [wikipedia.org], which was meant to be the next big thing but wasn't. Probably because paying per-minute charges to view an extremely limited few lines of content at a time and having to redesign your entire website to support it didn't appeal to many people.

I think you meant 2009 to 2012

WML not HTML. Aol WebTV Playstation, netbook HTML

[raymorris]

Think about the difference between HTML and PDF. We already had Postscript, HTML was invented to do something differently.

I watched people build AOL versions of their sites, and WebTV versions, Playstation versions, 800x600 and 1024x768 versions. Designing for a specific size, they may as wellbhave been using Postscript (pdf). Mine never needed any of that because it was built using html as it was intended to be used; the BROWSER'S job is to layout the page appropriately for the size of the window,

Re:

[Dogtanian]

I'm aware that WML wasn't HTML (and indeed, that WAP as a whole effectively replaced everything above the basic transport layer with a stack of its own). Hence working with mobile devices as they were then wasn't just a simple matter of theme switching (and it all became moot quite quickly when the overhyped and underdelivering WAP mostly flopped).

This theme switcher is essentially a continuation of the "mobile version of our site" tactic which became common in the early smartphone era when it became appa

Doing it wrong in 2009

[raymorris]

People did that in 2009 (and 2016), just as they used the deprecated "height" and "width" attributes. Those who did so were doing it wrong. Making a device-specific site was best practice only with wml. "Best viewed in Internet Explorer" or "best viewed on iPad" means you're doing it wrong.

Re:

[Ice Station Zebra]

Kinda like the people who fill the pot holes in the streets.

Whoa

[LordThyGod]

Over 2000 installations! Jesus F. Christ! Just think of the damage this could do.

Re:

[U2xhc2hkb3QgU3Vja3M]

There's really no danger until there's over 9000 installations.

Re:

[campuscodi]

People uninstalled it, obviously

Re:

[gl4ss]

actually it has quite a lot to do with php. first, executing uploaded scripts just willy nilly. that's one, and kind of a php/script thing compared to something else it(whole frigging) could have been written in.

second, the plugin having rights to make more executable/runnable scripts/executables.

third, kind of a php/scripting thing, for example had it been written in java, javascript(gasp) or c++ or whatever where you could/would do image resizing in memory without external scripts and such.

third, why the

Re:

[Anonymous Coward]

really this I guess is just guessing but the BIGGEST FUCKING PHP THING in it would be to execute .php files from all places if you point a GET to it. and that my friend is pretty much a "php thing". suppose it would contain java .class files in there? or .js for node or whatever? or even .sh? it should get just served up from the "cache" - NOT EXECUTED.

If you send a GET request to a random .py or .pl file, if it's inside of the document root, it gets executed too. It's not just a PHP thing no matter how much you want that to be true. Of course a .class or .sh file won't execute, there is no handler registered in the web server to execute those types of files.

Re:

[KermodeBear]

This has nothing to do with PHP itself. The issue here is a failure to sanitize input and properly check file write-out locations.

It's typical amateur hour crap that you find with any language.

Can Them All

[SumterLiving]

With 20 million+ WordPress sites out there and some are even useful and successful, the call to get rid of the platform can only be called hyperbololic drama queening. However, someone stole my wallet three days ago and all my money inside it. I also know others this has happened to over the years I have been alive. I stand before you asking for your help in making wallets and money obsolete. It's just too big of a risk for humanity to allow those two items to co-exists. Better to banish both. Stand with me

Why don't web server scripts require exec bit?

[Zaiff Urgulbunger]

Why doesn't PHP (and other web scripting languages) require the execute bit on those scripts? Surely this would make is considerably harder to inject a script.

Anyone know the reason for this because I can't be the first person to think this?!

Re:

[Zaiff Urgulbunger]

I don't think it would be a problem having PHP set it's own execute bit if it wants/needs to. A big problem seems to be with CMS-type sites where a user can upload content where (currently) miscreants can inject script. If the execute bit were required before script could be executed, then that would seem to avoid quite a lot of problems... unless a CMS were to set execute on user uploaded content, which would be dumb!

Re:

[RonVNX]

This doesn't help anything because the script they inject the code into already has the execute bit set.

Re:

[Zaiff Urgulbunger]

This doesn't help anything because the script they inject the code into already has the execute bit set.

Erm... no!

They're not uploading the script using SFTP or anything that might preserve file permissions; they're uploading using an existing, insecure, PHP script on the server. That will only allow for the file content and the file name to be preserved, so unless the PHP script explicitly set the file as executable, then it wouldn't be executable. The problem is, right now, it doesn't need to be executable in order to execute!

Re:

[RonVNX]

Erm.... yes!

They inject code right into the script that already has the execute bit set. It's not uncommon, I've seen it myself.

Re:

[Zaiff Urgulbunger]

They inject code right into the script that already has the execute bit set. It's not uncommon, I've seen it myself.

Looking at this specific example, WP Mobile Detector flaw [pluginvuln...lities.com], I can't see how that would be possible.

Just to recap (mostly for my own benefit to make sure I'm not going mad!), this flaw works by sending a URL to a vulnerable website. The vulnerable website then uses file_get_contents() [php.net] to read the file... it is assuming the file is local, but actually it's a URL to somewhere else. If the server is configured with allow_url_fopen [php.net] then file_get_contents() will perform the necessary HTTP GET to retrieve the con

Bad quoting

[KiloByte]

The password is "dinamit" not "dinamit,". That's a quite important distinction. Broken XIX-century colonial style needs to die.

Removing the Plugin Helps No One Who Has It

[RonVNX]

It just makes it no longer appear in the repository. No one gets notified the plugin is insecure, or that it has been removed from the repository at all. It just remains in 100,000 WordPress installations, unmaintained, forever.