I saw the file yesterday, had a quick skim over it, but didn’t think too much of it. That is until WPScan team member @gbrindisi pointed out that it contained 2 WordPress plugin vulnerabilities.
WordPress plugin Asset manager upload.php Arbitrary Code Execution,25.0000,2012-06-27 12:37:03,"491",Sooraj
WordPress plugin WP-Property uploadify.php Arbitrary Code Execution,25.0000,2012-06-27 12:44:25,"491",Sooraj
The vulnerability details and exploits are likely in the hands of the Inj3ct0r Team and God knows who else. We found the latest ‘asset-manager’ plugin (version 0.3) to be vulnerable and created a simple PoC. The ‘wp-property’ plugin did not contain the ‘uploadify.php’ file which is stated to be vulnerable; did they buy/sell vulnerabilities that hadn’t been verified? The ‘asset-manager’ plugin is not as popular as the ‘wp-property’ plugin and has only been downloaded ~700 times.
The ‘asset-manager’ vulnerability title states that the vulnerability lies within the ‘upload.php’ file. Taking a look at this file, it is obvious why it is vulnerable.
WordPress 3.5 was recently released and now comes with the WordPress API “always enabled”. Personally I think this adds unnecessary risk by increasing the attack surface. How many WordPress users actually use the API? I would put my money on it being a very small fraction; either way, I’m sure the WordPress Core Development team had good reason to enable the API by default. After spending 5 minutes looking for where to turn the API off in WordPress 3.5 I gave up. Huh, I’ll have another look sometime soon.
I’ve had a play with the API in the past; however, I’ve always found it hard to get going as the information on how to interact with the API is a bit sparse. Having played with it for an hour or so this evening I thought I’d share some of the information on how to get started (as well as a self reminder ;).
The latest API calls can be found on WordPress’s Codex here. It doesn’t list all available calls; to find these, let’s extract them from the ‘wp-includes/class-wp-xmlrpc-server.php’ file.
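One way to do that extraction, as an added example rather than code from the post: a Python script that pulls every 'namespace.method' => 'this:handler' entry out of the $this->methods array and groups the results by namespace. The embedded source is a constructed excerpt in the shape of that array, not the real file; point extract_methods() at the contents of class-wp-xmlrpc-server.php to get the full list.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the $this->methods array found in
# wp-includes/class-wp-xmlrpc-server.php (a handful of entries, not the full list).
SAMPLE_SOURCE = """
class wp_xmlrpc_server extends IXR_Server {
    function __construct() {
        $this->methods = array(
            // WordPress API
            'wp.getUsersBlogs'      => 'this:wp_getUsersBlogs',
            'wp.newPost'            => 'this:wp_newPost',
            'wp.getOptions'         => 'this:wp_getOptions',

            // Blogger API
            'blogger.getUsersBlogs' => 'this:blogger_getUsersBlogs',

            // MetaWeblog API (with MT extensions to structs)
            'metaWeblog.newPost'    => 'this:mw_newPost',

            // Pingback
            'pingback.ping'         => 'this:pingback_ping',

            'demo.sayHello'         => 'this:sayHello',
        );
        $this->methods = apply_filters('xmlrpc_methods', $this->methods);
    }
}
"""

# One array entry: 'namespace.method' => 'this:php_handler'
ENTRY_RE = re.compile(r"'([A-Za-z]+)\.([A-Za-z0-9_]+)'\s*=>\s*'this:([A-Za-z0-9_]+)'")


def extract_methods(source: str) -> dict[str, dict[str, str]]:
    """Map each XML-RPC namespace to its method names and PHP handler functions.

    Only the body of the `$this->methods = array( ... );` block is scanned, so
    quoted strings elsewhere in the file are ignored.
    """
    block = re.search(r"\$this->methods\s*=\s*array\((.*?)\);", source, re.S)
    if not block:
        raise ValueError("no $this->methods array found in source")
    grouped: dict[str, dict[str, str]] = defaultdict(dict)
    for ns, name, handler in ENTRY_RE.findall(block.group(1)):
        grouped[ns][f"{ns}.{name}"] = handler
    return dict(grouped)


if __name__ == "__main__":
    for ns, methods in sorted(extract_methods(SAMPLE_SOURCE).items()):
        print(f"{ns}: {len(methods)} method(s)")
        for rpc_name, handler in sorted(methods.items()):
            print(f"  {rpc_name} -> {handler}()")
```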
Having completed a similar course at a different university, it is great to see that Abertay is attracting female students.
Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities
This is the paper that I submitted for my undergraduate dissertation in Ethical Hacking for Computer Security. The title (a mouthful): ‘Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities’. The paper talks about software security, modern software development, software development life cycles, static code analysis and a lot more. Since submitting it I have noticed some mistakes, so I’m not putting this out there as a ‘perfect paper’.
Feel free to have a read through. I won’t be making any future amendments as I was sick of looking at it by the time I submitted it, but I thought I would put it out there in case it was useful to others in learning about software security. It is a bit dry in places, be warned!
I’ve been running this blog now since November 2008. As the blog’s 4 year anniversary is approaching I thought I would share with you the 5 blog posts which have received the most hits within that time.
1. DropBox Security – 20,494 hits
2. Introducing WPScan – WordPress Security Scanner – 13,012 hits
3. Setting up Tor on BackTrack – 10,538 hits
4. WordPress Brute Force Tool – 10,017 hits
5. [Interview] The Jester – 7,475 hits
Probably not my personal top 5 blog posts but, nevertheless, the ones that get the most hits. If you would like to guest post on ethicalhack3r.co.uk in Spanish, English or French get in contact!