Limited Automated WP Plugin Vulnerability Scanning with wtfian

When looking through WordPress plugins, I noticed that a lot of developers seem to have trouble using AJAX securely. They frequently don’t use nonces at all, they leak nonces to people they shouldn’t, and they forget to check the user’s capabilities. At first, going after the low-hanging fruit (AJAX issues) of the low-hanging fruit (WP plugins) was kind of fun, but it started to get boring pretty fast, so I wrote a script to do it for me.
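To make the three mistakes concrete, here is an added example (not code from the wtfian post or from any real plugin) of a minimal WordPress AJAX handler written the way the post describes, beside a hardened version. The hook names, the option name and the use of the already-registered 'jquery' script handle for wp_localize_script are my own choices.

```php
<?php
// Added example (not the wtfian post's code or any real plugin): the three
// AJAX mistakes named above in a minimal WordPress plugin fragment, beside the
// hardened form. Hook names, the option name and the 'jquery' script handle
// (used only because it is already registered) are my own choices.

// --- Vulnerable -------------------------------------------------------------
// No nonce, no capability check, and the nopriv hook lets anonymous visitors in.
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );

function demo_save_setting_vulnerable() {
    update_option( 'demo_setting', $_POST['value'] );
    wp_send_json_success();
}

// The nonce leak: emitted on every front-end page to every visitor, logged in
// or not. A WordPress nonce is tied to the user, so a subscriber who receives
// one passes check_ajax_referer(); a nonce is CSRF protection, not authorization.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_setting' ),
    ) );
} );

// --- Hardened ---------------------------------------------------------------
// Logged-in users only (no nopriv hook), nonce bound to the action, capability
// checked before anything is written, input unslashed and sanitized.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_safe' );

function demo_save_setting_safe() {
    check_ajax_referer( 'demo_save_setting_safe', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'demo_setting', $value );
    wp_send_json_success();
}

// The nonce is handed only to users who could pass the capability check, and
// only where they need it (admin pages).
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'jquery', 'demoAjaxSafe', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_setting_safe' ),
    ) );
} );
```

The point worth checking in a real plugin is the middle case: a handler that calls check_ajax_referer() but not current_user_can() is still exploitable by any user who can obtain a nonce, and a nonce printed into every front-end page hands one to every subscriber.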

PHP Backdoor Obfuscation Techniques

When an attacker leaves behind malicious PHP after a successful compromise, they typically make some attempt to obfuscate their code. While the title of this post is “PHP Backdoor Obfuscation Techniques”, these methods are used to obfuscate other code as well, sometimes even in a poor attempt to protect legitimate code from reverse engineering and modification. I’ve been working in an environment with a large number of LAMP servers for several years now, and I’ve seen a lot of malicious PHP. Here are some of the more common (and a few less common) obfuscation techniques I’ve seen.
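As an added example (not from the post, and not a real sample), here is a constructed backdoor wrapped in three of the reversible layers commonly seen in the wild (str_rot13, gzdeflate, base64) and a small static unwrapper that peels eval() chains of known decoders without ever executing the payload. The function names and the sample payload are my own.

```php
<?php
// Added example (not from the post): a constructed payload wrapped in three
// common layers, and a static unwrapper that peels such eval() chains without
// executing them. Function names and the sample payload are my own.

// Innermost backdoor logic (constructed): runs a shell command from POST "c".
// No "<?php" tag, because eval() already starts in PHP mode.
$demo_inner = 'if (isset($_POST["c"])) { system($_POST["c"]); }';

// Encode: rot13 -> deflate -> base64. The dropper reverses the order. Real
// samples vary the order, nest more layers and split or build function names
// at runtime, so a regex like the one below only covers the plain cases.
$demo_payload = base64_encode( gzdeflate( str_rot13( $demo_inner ) ) );
$demo_dropper = "<?php eval(str_rot13(gzinflate(base64_decode('" . $demo_payload . "'))));";

/**
 * Peel eval(f1(f2(...('literal')...))) chains made of known reversible
 * decoders. Unknown wrappers stop the loop instead of being guessed at,
 * and nothing is ever eval()'d.
 */
function demo_unwrap( $code, $max_layers = 10 ) {
    $decoders = array( 'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev' );
    $pattern  = '/eval\s*\(((?:\s*[a-z0-9_]+\s*\()+)\s*[\'"]([^\'"]*)[\'"]\s*\)+\s*;?/i';

    for ( $i = 0; $i < $max_layers; $i++ ) {
        if ( ! preg_match( $pattern, $code, $m ) ) {
            return $code; // no more eval() chains to peel
        }
        // "str_rot13(gzinflate(base64_decode(" -> apply the innermost first
        $chain = array_reverse( preg_split( '/\s*\(\s*/', $m[1], -1, PREG_SPLIT_NO_EMPTY ) );
        $data  = $m[2];
        foreach ( $chain as $fn ) {
            $fn = strtolower( trim( $fn ) );
            if ( ! in_array( $fn, $decoders, true ) ) {
                return $code; // not a pure decoder; leave for manual review
            }
            $data = @call_user_func( $fn, $data );
            if ( $data === false ) {
                return $code; // corrupt layer (e.g. gzinflate on bad data)
            }
        }
        $code = $data;
    }
    return $code;
}

echo $demo_dropper, "\n";
echo demo_unwrap( $demo_dropper ), "\n";
```

The design choice to note: decoding is done with the same pure functions the attacker used, never with eval(), and the loop refuses to continue the moment it meets a function that is not a known reversible transform. Samples that build function names from chr() calls or variable variables defeat this pattern and need a real parser or a sandbox.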

Let’s Go to Fry’s!

Sometimes I have the unfortunate need (or even desire) to visit my local Fry’s Electronics (see Wikipedia), a regional chain of electronics stores. Picture Best Buy, but with more computer parts and electronics, and the world’s pushiest and stupidest salesmen who get paid on commission, fake Internet price matching, really cool themed decorations that haven’t been maintained in years, horrible customer service, and just all-around douchebaggery. Check out how they demonstrate the “Monster Cable Difference.”

Last time I went, I took a few pictures of some interesting items I found.

Wordfence v5.2.3 – 2 Stored XSS, Insufficient Logging, Throttle Bypass, Exploit Detection Bypass

Wordfence v5.2.3 suffers from multiple vulnerabilities: two stored XSS, insufficient logging of requests, a bypass of the throttling feature (which is designed to limit scraping), and a bypass of the exploit detection feature. All of these appear to be the result of a lack of understanding of PHP superglobals.

WordPress Plugin Vulnerability Dump – Part 2

And we’re back. Check out Part 1 if you haven’t yet. Much like before, the developers of these plugins have not been contacted in advance. These vulnerabilities were trivial to find, and as you can see from them and from others disclosed in the past few months, popular != secure. More vulnerabilities will be posted as time permits.

WordPress Plugin Vulnerability Dump – Part 1

This post contains information on vulnerabilities in 7 (at least somewhat) popular WordPress plugins. All of these vulnerabilities were trivial to discover (and are trivial to fix). The state of WordPress plugin security is very sad indeed. None of the developers were contacted in advance of this post (except where otherwise noted). Additional vulnerabilities will be posted as time permits.

The Many Animals of Linux – AKA WTF is a ‘Trusty Tahr’? – Part 1

Have you ever heard about a new Ubuntu release and wondered what a tahr or a pangolin is? I know I have. Every Ubuntu release is given a codename that consists of an adjective and an animal name. A few other distros have also had releases that reference animals.

I’ve scoured the Internet (by that I mean Wikipedia) to find information about these animals. I’ve picked out just the most interesting bits and paired them with pretty pictures. Let’s get started.

Ubuntu 4.10 – Warty Warthog

Note: does not appear to have warts

Warthogs are a member of the pig family and live in Africa. You may know them from The Lion King.

CSRF in Disqus WordPress Plugin v2.77

There are several cross site request forgery vulnerabilities in the Disqus WordPress Plugin, version 2.77. Let’s start with the technical details, then I’ll get to the commentary.

Three settings in the admin interface lack nonces. By exploiting this, anyone who can get a logged-in administrator to load a URL can activate or deactivate the plugin, or import or export comments between the WordPress database and Disqus. Example URLs:

http://wptestbox1.dev/wordpress/wp-admin/edit-comments.php?page=disqus&active=0
http://wptestbox1.dev/wordpress/wp-admin/index.php?cf_action=export_comments&post_id=0&timestamp=1408220878.213
http://wptestbox1.dev/wordpress/wp-admin/index.php?cf_action=import_comments&last_comment_id=0&wipe=1

These are all plain GET requests, so an <img> tag or a link on any page is enough to trigger them from an administrator’s browser. There is nothing terribly interesting in the plugin’s code related to this; the actions simply lack a nonce.
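For comparison, here is an added example (not the Disqus plugin’s code; the page slug, option name and function names are invented) of an admin-page handler that, like the links above, acts on a plain GET parameter, beside one that requires a nonce bound to the action plus a capability check.

```php
<?php
// Added example (not the Disqus plugin's code): an admin-page handler that,
// like the links above, acts on a plain GET parameter, beside one that
// requires a nonce bound to the action plus a capability check. Page slug,
// option name and function names are invented.

// --- Vulnerable -------------------------------------------------------------
// Any request to edit-comments.php?page=demo&active=0 issued by an
// administrator's browser (an <img> tag on an attacker's page is enough)
// flips the option. Nothing ties the request to the admin's intent.
function demo_handle_toggle_vulnerable() {
    if ( isset( $_GET['page'], $_GET['active'] ) && $_GET['page'] === 'demo' ) {
        update_option( 'demo_active', (int) $_GET['active'] );
    }
}

// --- Hardened ---------------------------------------------------------------
// The link the plugin renders carries a nonce (query arg _wpnonce) derived
// from the action and the current user; the handler verifies it and the
// capability before writing. An attacker cannot forge the URL because the
// nonce depends on a secret and a session they do not have.
function demo_toggle_link( $active ) {
    $url = add_query_arg(
        array( 'page' => 'demo', 'active' => (int) $active ),
        admin_url( 'edit-comments.php' )
    );
    return wp_nonce_url( $url, 'demo_toggle_' . (int) $active );
}

function demo_handle_toggle_safe() {
    if ( ! isset( $_GET['page'], $_GET['active'] ) || $_GET['page'] !== 'demo' ) {
        return;
    }
    $active = (int) $_GET['active'];

    // Dies via wp_nonce_ays() on a bad or missing _wpnonce.
    check_admin_referer( 'demo_toggle_' . $active );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', 403 );
    }
    update_option( 'demo_active', $active );
}
add_action( 'admin_init', 'demo_handle_toggle_safe' );
```

Binding the nonce action to the value being set ('demo_toggle_0' vs 'demo_toggle_1') means a nonce captured from the “activate” link cannot be replayed to deactivate; the capability check remains necessary because a nonce only proves the request came from a page WordPress served to that user.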

Stored XSS in WP Photo Album Plus 5.4.5

There is a (relatively minor) stored XSS vulnerability in WP Photo Album Plus (WPPA) 5.4.5. WPPA maintains its own error log, and when that log is viewed through the web interface its contents are not sanitized. Regular users who have the ability to upload files to photo galleries can cause arbitrary data to be written to the log. An easy way to demonstrate this is to upload a zip file containing a file named:

<img src="ff" onerror="alert('xss');">

When you try to import the contents of the zip file, the failed import produces an error message containing the malicious file name, and that message is logged. Output isn’t escaped properly on the upload/import pages either, so the JavaScript runs right after the import attempt. The same missing sanitization gives a reflected XSS as well, but there double and single quotes arrive escaped with backslashes, so a payload that depends on quotes needs reworking (an event handler written without quotes, as in the URL below, still fires).

http://wptestbox1.dev/wordpress/wp-admin/admin.php?page=wppa_import_photos&zip=<img src="ff" onerror=alert(0);>.zip
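To show where the fix belongs, here is an added example (not WPPA’s code; function names and the sample file name are my own) of a log writer with a vulnerable and a fixed viewer, plus the reflected variant and why the backslash escaping does not stop a quote-free payload. esc_html() and wp_unslash() are WordPress functions; the fallbacks at the top let the file run from the CLI outside WordPress.

```php
<?php
// Added example (not WPPA's code): a log writer and two viewers that reproduce
// the stored XSS described above, plus the reflected variant. Function names
// and the sample file name are my own. esc_html()/wp_unslash() are WordPress
// functions; the fallbacks below let the file run from the CLI too.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $s ) { return stripslashes( $s ); }
}

// Constructed "uploaded" file name, as taken from a zip entry.
$demo_name = '<img src="ff" onerror="alert(\'xss\');">';

// Writing untrusted data to the log is fine; the bug is where it is displayed.
function demo_log_error( $logfile, $msg ) {
    file_put_contents( $logfile, date( 'c' ) . ' ' . $msg . "\n", FILE_APPEND | LOCK_EX );
}

// Vulnerable viewer: log lines are dropped into the admin page verbatim.
function demo_render_log_vulnerable( $logfile ) {
    return '<pre>' . file_get_contents( $logfile ) . '</pre>';
}

// Fixed viewer: escape at output time, per line, so markup in the log is inert.
function demo_render_log_safe( $logfile ) {
    $lines = file( $logfile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    return '<pre>' . implode( "\n", array_map( 'esc_html', $lines ) ) . '</pre>';
}

// Reflected variant. WordPress adds slashes to request data (wp_magic_quotes),
// so quotes in $_GET['zip'] arrive as \" and \'. That breaks a handler that
// needs quotes, but not one written without them.
function demo_import_message_vulnerable( $zip ) {
    return 'Unable to import ' . $zip;               // $zip is the slashed $_GET['zip']
}
function demo_import_message_safe( $zip ) {
    return 'Unable to import ' . esc_html( wp_unslash( $zip ) );
}

// Driver: stored case, then reflected case.
$log = tempnam( sys_get_temp_dir(), 'wppa' );
demo_log_error( $log, 'Unable to import file ' . $demo_name );
echo demo_render_log_vulnerable( $log ), "\n";   // the <img> tag is live in the page
echo demo_render_log_safe( $log ), "\n";         // the tag is rendered as text
unlink( $log );

$slashed = addslashes( '<img src=x onerror=alert(0)>.zip' );  // no quotes, so unchanged
echo demo_import_message_vulnerable( $slashed ), "\n";        // handler still fires
echo demo_import_message_safe( $slashed ), "\n";
```

Escaping belongs at the output side (esc_html at render time), not at the logging side: a log that stores HTML-escaped strings is harder to read in a terminal and still gets you in trouble the moment another page prints it differently.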

Manually Starting or Stopping a RAID check in Linux

If you want to manually start or stop a consistency check on a Linux software RAID (md) array, it’s quite simple: write to the array’s sync_action file in sysfs (as root).

Starting a check on md0:

    echo check > /sys/block/md0/md/sync_action

Stopping a check on md0:

    echo idle > /sys/block/md0/md/sync_action

Progress shows up in /proc/mdstat. Note that a check only reads the array and counts blocks whose mirrors or parity disagree (the total ends up in /sys/block/md0/md/mismatch_cnt); writing repair instead of check makes md rewrite the mismatches.

If you’re using Debian (or a Debian-based distro, e.g. Ubuntu), there is a script to do this: /usr/share/mdadm/checkarray, which is also what the mdadm package’s monthly cron job runs.
