Slashdot Mirror


WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin (softpedia.com)

An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin that was installed on over 10,000 websites. The zero-day had been used in real-world attacks since May 26, but only came to light on May 29 when researchers notified the plugin's developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.org's Plugin Directory on May 31. In the meantime, security firm Sucuri says it detected numerous attacks with this zero-day, which was caused by a lack of input filtering in an image upload field that allowed attackers to upload PHP backdoors on the victim's servers with incredible ease and without any tricky workarounds. The backdoor's password is "dinamit," the Russian word for dynamite.

50 comments

  1. Developer by turkeydance · · Score: 1

    Jimmie Walker

  2. Well, yeah by AlphaBro · · Score: 1, Insightful

    This isn't really news; Wordpress plugins are notoriously insecure. It would be more surprising if someone found one that wasn't rife with vulnerabilities. Fortunately, 10,000 sites is a tiny user base compared to a lot of plugins.

    1. Re:Well, yeah by Anonymous Coward · · Score: 2, Interesting

      Try telling that to a Business head who praises how great Wordpress is and how it's the only platform they consider to use. I tell all potential customers to stay away from Wordpress and if I'm asked to work with it I tell them I'm not interested in the job *.

      I've administered enough cPanel servers to know the extent and damage of wild Wordpress exploits and quite frankly cannot for the life of me understand why it gets chosen as a preferred platform of use.

      * Yes I like money. No I don't deal with cheapskates that choose to cut corners.

    2. Re:Well, yeah by Anonymous Coward · · Score: 0

      Based on TFS it sounds like there was a substantial lead time for anyone keeping an eye on security issues related to plugins they use.
      Given that a lot of plugins do things that a developer can build into wordpress, there should be few plugins per install.

    3. Re:Well, yeah by Anonymous Coward · · Score: 0

      > for anyone keeping an eye on security issues related to plugins they use.

      And the number of people doing that is pretty close to zero.

  3. Whoa by LordThyGod · · Score: 2

    Over 2000 installations! Jesus F. Christ! Just think of the damage this could do.

    1. Re:Whoa by U2xhc2hkb3QgU3Vja3M · · Score: 2

      There's really no danger until there's over 9000 installations.

    2. Re:Whoa by campuscodi · · Score: 1

      People uninstalled it, obviously

    3. Re: Whoa by Anonymous Coward · · Score: 0

      Over 9000?!?

    4. Re:Whoa by Anonymous Coward · · Score: 0

      OMG.. won't somebody please think of the cat pictures!

  4. So not new 0-day by Anonymous Coward · · Score: 0

    More like 7-day.

  5. Re:Uhhhhhhhh by Anonymous Coward · · Score: 0

    It's PHP. What do you expect?

  6. free.. huh? lol by Anonymous Coward · · Score: 0

    I knew it! hahahah there's always a catch! HEUHEUEUH ^_^
    it's friday, so here's a picture of my penis, seen from space--> -:

  7. "Build into" meaning "can't update"? by raymorris · · Score: 1

    > Given that a lot of plugins do things that a developer can build into wordpress,

    It almost sounds like you're suggesting editing the core Wordpress code, meaning you can no longer update easily to get security fixes. That would, of course, be a very bad idea, especially with Wordpress since it's so dead simple to write a plugin, but write it correctly.

    This particular plugin was supposed to switch themes based on whether it's a mobile device or not. Putting aside the 1999 mentality of that, it also allowed admins to upload images. It was the upload that got them into trouble. Upload often gets people in trouble because doing it securely is more difficult than it first appears.

    Top ways scripts get owned (avoid these things or be very careful, maybe get an expert to spend a few minutes reviewing these parts of the code):
    Uploading files
    Running external programs (imagemagick, etc)
    Sending email
    DOWNLOADING files, often download.php is written for videos.

    Of the above, the email one has two pretty easy ways to avoid most hacks. A) Let the user choose WHERE to send the email to, OR something in the body of the email (sent to the webmaster). Never let them enter both a To address and any part of the message. B) Use well-vetted modules, don't pipe directly to sendmail.

    1. Re:"Build into" meaning "can't update"? by Anonymous Coward · · Score: 0

      Same AC.

      So then /you're/ suggesting just write a plugin, which also avoids someone else's shitty plugin's problems.

      You're also attacking the core functionality of the plugin, so is the story here "plugin built to solve problems in foolish way was designed poorly" ?

    2. Re:"Build into" meaning "can't update"? by Anonymous Coward · · Score: 0

      > This particular plugin was supposed to switch themes based on whether it's a mobile device or not. Putting aside the 1999 mentality of that

      No.

      No "putting it aside".

      It's the problem. Allowing this sort of retarded fuckery to exist in the first place is the number one reason why WordPress is a cancer that needs to die immediately.

    3. Re:"Build into" meaning "can't update"? by gl4ss · · Score: 1

      something like that should be a core functionality of wordpress and if it wasn't, should be done with css pretty much.

      doing it like .. say, slashdot, is an idiot's way.

      --
      world was created 5 seconds before this post as it is.

  4. Re:"Build into" meaning "can't update"? by Dogtanian · · Score: 1

      > This particular plugin was supposed to switch themes based on whether it's a mobile device or not. Putting aside the 1999 mentality of that

      1999? Seriously? IIRC back then even regular, non-smart phones were only just starting to become truly mass market, every-man-and-his-dog items, and the mobile Internet- if you can call it that- consisted of a few devices supporting WAP, which was meant to be the next big thing but wasn't. Probably because paying per-minute charges to view an extremely limited few lines of content at a time and having to redesign your entire website to support it didn't appeal to many people.

      I think you meant 2009 to 2012, i.e. the point at which smartphones were getting popular enough to warrant mobile-specific versions of sites, but before increasingly disparate screen dimensions and the development of responsive design rendered the concept obsolete.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).

  8. Non-argument by Anonymous Coward · · Score: 0

    Of course you can write PHP in any language. Doesn't mean you should. Or that it's a valid excuse for your use of PHP.

    Using PHP means you're not even trying. That itself ought to be culpable.

  9. If it had been "dynamite" by Anonymous Coward · · Score: 0

    could we then go ahead and blame the U.S. for it, or why not Ireland? The last sentence is a pathetic and desperate attempt at blaming Russia for some malware.

    1. Re:If it had been "dynamite" by Anonymous Coward · · Score: 0

      > blame the U.S. for it, or why not Ireland?

      Blame Canada

  10. are you mad by Anonymous Coward · · Score: 0

    cuz wordpres took your job?

    1. Re:are you mad by Anonymous Coward · · Score: 0

      Erm ... No. But on the flip side, security flaws in Wordpress are what keep me employed, but thanks for your concern :)

    2. Re:are you mad by Ice+Station+Zebra · · Score: 1

      Kinda like the people who fill the pot holes in the streets.

    3. Re: are you mad by Anonymous Coward · · Score: 0

      No, more like tear up the old busted road and replace it with a brand new 4-lane highway. While the guy who recommended to use poorly manufactured materials in the first place loses credibility for future business.

  11. Re:Uhhhhhhhh by gl4ss · · Score: 1

    actually it has quite a lot to do with php. first, executing uploaded scripts just willy nilly. that's one, and kind of a php/script thing compared to something else it(whole frigging) could have been written in.

    second, the plugin having rights to make more executable/runnable scripts/executables.

    third, kind of a php/scripting thing, for example had it been written in java, javascript(gasp) or c++ or whatever where you could/would do image resizing in memory without external scripts and such.

    fourth, why the fuck is the upload directory("cache" ???) accessible in any way to outsiders? the readable directory, if it needed such, should only have contained the converted images - and even then it would have been better to have them served through something else than just a fucking directory.

    really this I guess is just guessing but the BIGGEST FUCKING PHP THING in it would be to execute .php files from all places if you point a GET to it. and that my friend is pretty much a "php thing". suppose it would contain java .class files in there? or .js for node or whatever? or even .sh? it should get just served up from the "cache" - NOT EXECUTED.

    "The team at Plugin Vulnerabilities has discovered that the plugin features an arbitrary file upload vulnerability in the "/wp-content/plugins/wp-mobile-detector/resize.php" file.

    This file handles image uploads, and according to the researchers who discovered the security bug, it lacks basic input filtering, allowing an attacker to pass a malicious file that gets uploaded to the plugin's /cache directory.

    Using this vulnerability, attackers can upload PHP-based backdoors on WordPress sites, something that should have been almost impossible in 2016, after almost two decades of PHP coding and basic lessons in file upload security."

    --
    world was created 5 seconds before this post as it is.

  12. Php by Anonymous Coward · · Score: 0

    Who even wants to deal with that impending security nightmare?

    If it's not bugs in php itself, it's dumbass plugin programmers.

    While I do run php, it's not public facing.

    Fuck that for a joke.

  13. Re:Uhhhhhhhh by KermodeBear · · Score: 2

    This has nothing to do with PHP itself. The issue here is a failure to sanitize input and properly check file write-out locations.

    It's typical amateur hour crap that you find with any language.

    --
    Love sees no species.

  14. Re:Uhhhhhhhh by Anonymous Coward · · Score: 0

    I prefer to save uploaded files outside of document root and when a user can access the data, I file_put_contents to browser. So it is not PHP issue but of those f**king retarded lazy coders. So your saying is bullshit and you're an ignorant person. OK?

  15. People who don't know, don't know by raymorris · · Score: 1

    > So then /you're/ suggesting just write a plugin, which also avoids someone else's shitty plugin's problems.

    Yes, I'm saying that if you want to modify Wordpress behavior, that's best done via plugin. From a security point of view, that allows you to upgrade Wordpress as normal. Obviously there are also lots of other benefits to modules, such as plugins, over "wall of code". Excellent support for modules/plugins is a main reason that Wordpress, Apache, and many others are so popular.

    Yes, obviously I prefer to not have shitty code, in a plugin or anywhere else. After 20 years of professional programming, I've become a bit picky actually. There's not much truly high-quality code written, but we can avoid really crappy code.

    > you're also attacking the core functionality of the plugin, so is the story here "plugin built to solve problems in foolish way was designed poorly" ?

    Maybe people who don't know much, don't know much. :)
    I'm kinda kidding there. People who own web sites sometimes ask for this kind of functionality. This plugin gave them what they asked for. Maybe allowing the web browser to do its job and render the page appropriately for the device would have given them what they actually wanted, but the plugin gave them what they asked for, I suppose.

  16. Yep. Slashdot classic is good at 3.5" by raymorris · · Score: 1

    > doing it like .. say, slashdot, is an idiots way.

    Yeah funny thing is, Slashdot does it both very well and the silly way. mobile.slashdot.org is rather annoying, meaning it was a waste of time for them to build it. On the other hand, if you click "use Classic" you find that the old 1990s Slashdot works pretty darn well - regardless of which device. Classic works fine on my little phone, my tablet, my giant desktop screen - mostly because it doesn't presume any particular size or resolution. It lets the browser handle that.

  17. Re:Uhhhhhhhh by Anonymous Coward · · Score: 0

    This whole sanitizing of inputs nonsense is largely exclusive to the way PHP works.

    https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

    "PHP’s poor security reputation is largely because it will take arbitrary data from one language and dump it into another. This is a bad idea. "<" may not mean anything in SQL, but it sure does in HTML.

    Making this worse is the common cry for “sanitizing your inputs”. That’s completely wrong; you can’t wave a magic wand to make a chunk of data inherently “clean”. What you need to do is speak the language: use placeholders with SQL, use argument lists when spawning processes, etc.

    PHP outright encourages “sanitizing”: there’s an entire data filtering extension for doing it."

  18. Can Them All by SumterLiving · · Score: 1

    With 20 million+ WordPress sites out there and some are even useful and successful, the call to get rid of the platform can only be called hyperbolic drama queening. However, someone stole my wallet three days ago and all my money inside it. I also know others this has happened to over the years I have been alive. I stand before you asking for your help in making wallets and money obsolete. It's just too big of a risk for humanity to allow those two items to co-exist. Better to banish both. Stand with me?

    1. Re:Can Them All by Anonymous Coward · · Score: 0

      > With 20 million+ WordPress sites out there and some are even useful and successful, the call to get rid of the platform can only be called hyperbolic drama queening. However, someone stole my wallet three days ago and all my money inside it. I also know others this has happened to over the years I have been alive. I stand before you asking for your help in making wallets and money obsolete. It's just too big of a risk for humanity to allow those two items to co-exist. Better to banish both. Stand with me?

      Your straw man response is just as hyperbolic.

      Clearly, there is a place for a WP like CMS platform. That doesn't mean the world has to tolerate a pile of crap platform that breeds aggravation and wastes untold millions of hours (literally!).

  19. WML not HTML. Aol WebTV Playstation, netbook HTML by raymorris · · Score: 1

    Think about the difference between HTML and PDF. We already had Postscript, HTML was invented to do something differently.

    I watched people build AOL versions of their sites, and WebTV versions, Playstation versions, 800x600 and 1024x768 versions. Designing for a specific size, they may as well have been using Postscript (pdf). Mine never needed any of that because it was built using html as it was intended to be used; the BROWSER'S job is to layout the page appropriately for the size of the window, the screen resolution, user's font size preferences, etc. My html declared what should be on the page, not how many pixels wide it should be.

    The WML and WAP stage was the exception - WML isn't html. It was a different language for feature phones. Smart phones, including the early iphones, could handle the same html that worked on the desktop, on AOL, on WebTV, and on Playstation. (If you used width attributes, which were legal for only a few months before being deprecated, your html would be problematic everywhere. Even on a "standard" 1024x768 desktop the window wasn't always full size.)

    So yeah, the year or two of WML and WAP was the time it made sense to have a device-specific web site.

  20. Re:Uhhhhhhhh by Anonymous Coward · · Score: 1

    > really this I guess is just guessing but the BIGGEST FUCKING PHP THING in it would be to execute .php files from all places if you point a GET to it. and that my friend is pretty much a "php thing". suppose it would contain java .class files in there? or .js for node or whatever? or even .sh? it should get just served up from the "cache" - NOT EXECUTED.

    If you send a GET request to a random .py or .pl file, if it's inside of the document root, it gets executed too. It's not just a PHP thing no matter how much you want that to be true. Of course a .class or .sh file won't execute, there is no handler registered in the web server to execute those types of files.

  21. Why don't web server scripts require exec bit? by Zaiff+Urgulbunger · · Score: 1

    Why doesn't PHP (and other web scripting languages) require the execute bit on those scripts? Surely this would make it considerably harder to inject a script.

    Anyone know the reason for this because I can't be the first person to think this?!

    1. Re:Why don't web server scripts require exec bit? by Anonymous Coward · · Score: 0

      Wordpress can (and should) be enabled to do its own security updates. (Seriously: WP.org installations routinely patch _millions of computers, automatically; it's a very good thing).

      So WP itself would need to be granted the ability to set the executable bit, which more or less renders the protection invalid.

      Granted, WP could be architected to require the update process to run with different permissions, but this would end the simplicity of it all.

      It seems to me it would be sensible if there were two kinds of PHP file extensions: php and plb; the latter being for library code that can only be executed by being 'required' by another script. This would close a lot of holes where code is snuck into a plugin but then run outside of wordpress.

      All said, WP is an impressive product and these vulnerabilities are becoming _less_ common (but more public). And WP.org have the ability to issue patches for third party plugins themselves -- they've done so several times.

      Hate bad plugin and theme authors -- and shame them into being better -- but the hate on WP core is unwarranted.

    2. Re:Why don't web server scripts require exec bit? by Zaiff+Urgulbunger · · Score: 1

      I don't think it would be a problem having PHP set its own execute bit if it wants/needs to. A big problem seems to be with CMS-type sites where a user can upload content where (currently) miscreants can inject script. If the execute bit were required before script could be executed, then that would seem to avoid quite a lot of problems... unless a CMS were to set execute on user uploaded content, which would be dumb!

    3. Re:Why don't web server scripts require exec bit? by RonVNX · · Score: 1

      This doesn't help anything because the script they inject the code into already has the execute bit set.

    4. Re:Why don't web server scripts require exec bit? by Zaiff+Urgulbunger · · Score: 1

      > This doesn't help anything because the script they inject the code into already has the execute bit set.

      Erm... no!

      They're not uploading the script using SFTP or anything that might preserve file permissions; they're uploading using an existing, insecure, PHP script on the server. That will only allow for the file content and the file name to be preserved, so unless the PHP script explicitly set the file as executable, then it wouldn't be executable. The problem is, right now, it doesn't need to be executable in order to execute!

    5. Re:Why don't web server scripts require exec bit? by RonVNX · · Score: 1

      Erm.... yes!

      They inject code right into the script that already has the execute bit set. It's not uncommon, I've seen it myself.

    6. Re:Why don't web server scripts require exec bit? by Zaiff+Urgulbunger · · Score: 1

      > They inject code right into the script that already has the execute bit set. It's not uncommon, I've seen it myself.

      Looking at this specific example, WP Mobile Detector flaw, I can't see how that would be possible.

      Just to recap (mostly for my own benefit to make sure I'm not going mad!), this flaw works by sending a URL to a vulnerable website. The vulnerable website then uses file_get_contents() to read the file... it is assuming the file is local, but actually it's a URL to somewhere else. If the server is configured with allow_url_fopen then file_get_contents() will perform the necessary HTTP GET to retrieve the contents of that file. The file still needs to be written to disk, which in this case is performed by file_put_contents().

      None of the above is going to set the execute bit.
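The recap above (a remote source read with file_get_contents() under allow_url_fopen and written to disk with file_put_contents()) and the points made in comments 11 and 14 (keep the cache out of the document root, serve bytes instead of executing them) describe what a safe resize handler has to get right. The following is an added illustration in PHP, not the plugin's code or any poster's; IMAGE_DIR, CACHE_DIR, the width limit and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. Assumed layout: source images live under
// IMAGE_DIR inside the site; resized copies go to CACHE_DIR, which is OUTSIDE the
// document root so the web server's PHP handler can never be pointed at it.
const IMAGE_DIR = __DIR__ . '/images';
const CACHE_DIR = '/var/lib/wpmd-cache';   // assumed to exist and be writable by PHP

// The pattern the thread describes, for contrast: reading $_GET['src'] with
// file_get_contents() (which follows URLs when allow_url_fopen is on) and writing the
// bytes under the caller's file name into a web-served cache/ directory. Everything
// below avoids that: no remote sources, no caller-chosen names, no execution path.

// Only a plain file name that already exists inside IMAGE_DIR is accepted: no scheme
// (http://, php://, data:) and no directory traversal.
function resolve_local_image(string $src): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $src)) {
        return null;                                    // looks like a URL / stream wrapper
    }
    $base = realpath(IMAGE_DIR);
    $real = realpath(IMAGE_DIR . '/' . basename($src));
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                    // missing, or escaped the directory
    }
    return $real;
}

// Resizes to $width and stores the result under a server-derived name with a fixed
// image extension. Returns the cache name, or null if the input is not a real image.
function cache_resized_image(string $src, int $width): ?string
{
    $path = resolve_local_image($src);
    if ($path === null || $width < 1 || $width > 4096) {
        return null;
    }
    $info = getimagesize($path);                        // inspects the bytes, not the name
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    $img = imagecreatefromstring((string) file_get_contents($path));
    if ($img === false) {
        return null;
    }
    $height = max(1, (int) round(imagesy($img) * $width / imagesx($img)));
    $out = imagecreatetruecolor($width, $height);
    imagecopyresampled($out, $img, 0, 0, 0, 0, $width, $height, imagesx($img), imagesy($img));
    $name = hash('sha256', $path . ':' . $width) . '.png'; // never user-controlled
    imagepng($out, CACHE_DIR . '/' . $name);            // re-encoded: original bytes are gone
    return $name;
}

// Serving path: the cache is not under the web root, so the only way out is this
// function, which streams bytes with a fixed image type. Nothing here can execute.
function serve_cached(string $name): void
{
    if (!preg_match('/^[0-9a-f]{64}\.png$/', $name) || !is_file(CACHE_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    readfile(CACHE_DIR . '/' . $name);
}
```

Because the cached file is always re-encoded by GD and named by the server, a request cannot place attacker-supplied bytes under a .php name anywhere the web server would run them, which is the property the execute-bit discussion above is reaching for.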

  22. Bad quoting by KiloByte · · Score: 1

    The password is "dinamit" not "dinamit,". That's a quite important distinction. Broken XIX-century colonial style needs to die.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

  23. Re:WML not HTML. Aol WebTV Playstation, netbook HT by Dogtanian · · Score: 1

    I'm aware that WML wasn't HTML (and indeed, that WAP as a whole effectively replaced everything above the basic transport layer with a stack of its own). Hence working with mobile devices as they were then wasn't just a simple matter of theme switching (and it all became moot quite quickly when the overhyped and underdelivering WAP mostly flopped).

    This theme switcher is essentially a continuation of the "mobile version of our site" tactic which became common in the early smartphone era when it became apparent that some sites weren't well-suited to phone use. Yes, I know that post-iPhone smartphones support HTML natively, but a lot of mid-to-late noughties site layouts assumed a large-ish screen and didn't look good on phones.

    That is, it's more 2009 than 1999.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).

  24. Doing it wrong in 2009 by raymorris · · Score: 1

    People did that in 2009 (and 2016), just as they used the deprecated "height" and "width" attributes. Those who did so were doing it wrong. Making a device-specific site was best practice only with wml. "Best viewed in Internet Explorer" or "best viewed on iPad" means you're doing it wrong.

  25. Removing the Plugin Helps No One Who Has It by RonVNX · · Score: 1

    It just makes it no longer appear in the repository. No one gets notified the plugin is insecure, or that it has been removed from the repository at all. It just remains in 100,000 WordPress installations, unmaintained, forever.