Date: Wed, 04 Feb 2015 18:33:18 -0700 From: Kurt Seifried <kseifried@...hat.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, Assign a CVE Identifier <cve-assign@...re.org> Subject: CVE request for Zero-day in the Fancybox-for-WordPress Plugin http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html Zero-day in the Fancybox-for-WordPress Plugin By Daniel Cid on February 4, 2015 . 6 Comments Our research team was alerted to a possible malware outbreak affecting many WordPress websites. All the infections had a similar malicious iframe from “203koko” injected into the website. We were also directed to a forum thread where users were sharing their concerns and describing similar issues they were experiencing. In analyzing the infected websites, we found that all the websites were using the fancybox-for-wordpress plugin. Zero day in fancybox-for-wordpress The fancybox-for-wordpress plugin is a popular WordPress plugin with more than 550,000 downloads. There doesn’t appear to be any public vulnerabilities being reported, which piqued our interest. To understand how it was connected, we decided to do our own code / vulnerability review. After some analysis, we can confirm that this plugin has a serious vulnerability that allows for malware (or any random script/content) to be added to the vulnerable site. Because it is currently unpatched, we will not disclose more information. What makes things worse, is that it’s being actively exploited in the wild, leading to many compromised websites. We could confirm via our Website Firewall logs by seeing many exploit attempts blocked. This is what the attacks looks like: 184.108.40.206 – – [04/Feb/2015:00:25:09 -0500] “POST /wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1″ 403 4207 INPUTBODY:action=update&mfbfw%5Bext.. malware payload hidden Remove this plugin Immediately! The plugin was just removed by the WordPress.org team from their repository and you need to remove it from your site as well! If you require it for specific features you really need to look at deploying alternative security solutions to help protect your website and block exploit attempts. Users of our Website Firewall are already protected, but if you do not employ a similar service and leverage this plugin consider yourself highly vulnerable and high risk of compromise. We will post more details about this vulnerability once we have given time for everyone to patch (when it becomes available). Special thanks to Konstantin Kovshenin and Gennady Kovshenin for notifying and working with us on this issue. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ