Nmap Development mailing list archives
Re: [NSE] Backdoored wordpress plugins
From: Gutek <ange.gutek () gmail com>
Date: Thu, 23 Jun 2011 23:49:13 +0200
On 23/06/2011 20:31, Henri Doreau wrote:
Hello, starting a thread here after discussing the subject with Djalal and Paulino. According to the Wordpress blog[1], three wordpress plugins have been backdoored recently. Thousands of installations might be affected[2] and it would be very nice to have a detection script for NSE. Some information about the backdooring code is available at [3]. Code to execute is sent via the HTTP headers or cookies, making me think that simply adding entries to http-enum isn't possible for detection.

We have a wordpress plugins detection script that could run additional checks if one of these plugins is detected. http-wp-plugins.nse could also store detected plugins into the registry, to be read by detection scripts, but that might also bloat it... Another option is to write completely autonomous script(s) dedicated to detecting these backdoors. This is how http-malware-host works.

Regards.

[1] http://wordpress.org/news/2011/06/passwords-reset
[2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache
[3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors
Running Wordpress blogs for years, I must say that one strong point of this blogging system is its efficiency about updates: Wordpress itself, and its installed plugins as well. If not automatic, it's just one click and very user friendly even for the most loose admin. For those unaware of how WP administration works, the "dashboard" (main admin panel) and a "plugins" page remind the admin of available updates. Then, just a click and... done.

So here is my point: although being critical and massively spread, those vulnerabilities won't last long.

o Most Wordpress blogs should be patched in the short term
o Most WP blog admins actually often visit their admin panel: it provides stats, spam and comments management along with other useful tasks (i.e. they will be quickly aware of the available updates)

That's why I think that modifying a script would mean adding a capability that would be useless in a few weeks. Plus, http-wp-plugins takes time to run (it's a dictionary attack against more than 14K known plugins to date): this means that in, say, 3-4 weeks this script will take additional time with this new test, useless in 99% of cases, while run every time it finds one of those maybe-affected plugins.

Such a test against this vulnerability would be, I think, more efficient (or, at least, quicker) in either its own script or a malware-dedicated script. Anyway it would take seconds instead of minutes to report.

My 2 cents,

A.G.