October 24, 2016

Demonstrating WordPress exploits: WP Mobile Detector 3.5

Several months ago a very popular WordPress plugin that helps you present a mobile friendly version of your site was found to have a large security hole. The plugin had a bug in it that allowed anyone to upload and execute arbitrary files.

If you go to /wp-content/plugins/3.5/resize.php on a website with the unpatched plugin installed, the script looks for a src query parameter and copies that file path to a directory in its cache. Due to a PHP setting (allow_url_fopen), which is default on, that allows you to specify a URL as a file path, this opens the door to upload an executable PHP file to the server. Exploiting that is trivial as demonstrated in this BugReplay video.

For a little bit of background, WordPress accounts for about 26% of websites on the internet. Plugins for WordPress are bundles of source code that add functionality to your blog/site. They are installed typically by uploading a zip file through the admin panel.

You are essentially relying on third party programmers to keep your website secure when you install plugins (‘It was so simple we didn’t even have to involve the IT department. Bonus!’), and that can be a really bad idea.

If you do run WordPress, always make sure your plugins are up to date, and try to follow best practices on the server for file write permissions to minimize the impact of these kinds of exploits.