Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 04 Feb 2015 18:33:18 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request for Zero-day in the Fancybox-for-WordPress Plugin

http://blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html

Zero-day in the Fancybox-for-WordPress Plugin
By Daniel Cid on February 4, 2015 . 6 Comments
Our research team was alerted to a possible malware outbreak affecting
many WordPress websites. All the infections had a similar malicious
iframe from “203koko” injected into the website. We were also directed
to a forum thread where users were sharing their concerns and describing
similar issues they were experiencing.

In analyzing the infected websites, we found that all the websites were
using the fancybox-for-wordpress plugin.

Zero day in fancybox-for-wordpress

The fancybox-for-wordpress plugin is a popular WordPress plugin with
more than 550,000 downloads. There doesn’t appear to be any public
vulnerabilities being reported, which piqued our interest. To understand
how it was connected, we decided to do our own code / vulnerability review.

After some analysis, we can confirm that this plugin has a serious
vulnerability that allows for malware (or any random script/content) to
be added to the vulnerable site. Because it is currently unpatched, we
will not disclose more information.

What makes things worse, is that it’s being actively exploited in the
wild, leading to many compromised websites.

We could confirm via our Website Firewall logs by seeing many exploit
attempts blocked.

This is what the attacks looks like:

46.4.76.174 – – [04/Feb/2015:00:25:09 -0500] “POST
/wp-admin/admin-post.php?page=fancybox-for-wordpress HTTP/1.1″ 403 4207
INPUTBODY:action=update&mfbfw%5Bext.. malware payload hidden

Remove this plugin Immediately!

The plugin was just removed by the WordPress.org team from their
repository and you need to remove it from your site as well! If you
require it for specific features you really need to look at deploying
alternative security solutions to help protect your website and block
exploit attempts.

Users of our Website Firewall are already protected, but if you do not
employ a similar service and leverage this plugin consider yourself
highly vulnerable and high risk of compromise.

We will post more details about this vulnerability once we have given
time for everyone to patch (when it becomes available).

Special thanks to Konstantin Kovshenin and Gennady Kovshenin for
notifying and working with us on this issue.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.