A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability.
WP Mobile Detector was pulled from the WordPress Plugin Directory once the attacks went public. It was restored last night and users are urged to update to version 3.7 immediately. The plugin detects if a visitor to a WordPress site is using a smartphone and delivers a compatible theme.
May 10, 2016 , 9:00 am
April 11, 2016 , 9:19 am
February 19, 2016 , 4:35 pm
Researchers at Sucuri said yesterday that attacks against WordPress sites running the plugin started on May 27. The zero-day was disclosed on Tuesday by Plugin Vulnerabilities, a WordPress security site. The flaw allows an attacker to upload arbitrary files.
Plugin Vulnerabilities said exploits against the zero-day are difficult because it requires the allow_url_fopen option to be enabled; this is not the default configuration.
“Since having allow_url_fopen enabled can lead to this type of issue it looks like this is not enabled at many web host (you can check if that is enabled with the phpinfo() function,” Plugin Vulnerabilities said in its advisory .
Sucuri said that attacks are moving in porn-related spam campaigns.
“The vulnerability is very easy to exploit, all the attacker needs to do is send a request toresize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL,” Sucuri researcher Douglas Santos wrote in an advisory .
Santos said the zero-day was trivial to exploit, and that the plugin suffered because it failed to validate and sanitize input from sources.
“No security checks are performed and an attacker can feed the src variable with malicious PHP code,” Santos said.
Santos said most of the sites Sucuri saw under attack were infected with backdoors dropped by porn-related spam.
“You can usually find the gopni3g directory in the site root, that containsstory.php (doorway generator script), .htaccess and subdirectories with spammy files and templates,” he said, adding that victims are redirected to hxxp://bipaoeity[.]in/for/77?d=.