SANS ISC: InfoSec Handlers Diary Blog

The Wordpress Plugins Playground

Published: 2015-09-14
Last Updated: 2015-09-14 11:55:12 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

This morning, I had a quick look at my web server log file and searched for malicious activity. Attacks like brute-force generate a lot of entries and can thus be easily detected. Other scanners work below the radar and search for very specific vulnerabilities: in this case, a single request is often sent to the server and generates a plain 404 error without triggering any alert. As my blog is based on the WordPress CMS, I searched for non-HTTP/200 hits on plugin URLs ("/wp-content/plugins/").

CMS or "Content Management Systems" have become very popular today. It's easy to deploy WordPress, Drupal or Joomla on top of a UNIX server, and there are also shared platforms which offer you some online space. A CMS delivered with standard options is easy for the owner to customize or tune, just like a car. Modern CMS offer a way to extend the features or the look'n'feel via plugins (or add-ons or extensions).

From a security perspective, plugins are today the weakest point of a CMS. While most of the CMS core source code is regularly audited and well maintained, the same is not true for plugins. By deploying and using a plugin, you install third-party code into your website and grant it some rights. Not all plugins are developed by skilled developers or with security in mind. Today, most vulnerabilities reported in CMS environments are due to... plugins!

Based on my logs, here are some stats for the last 3 months:

  • 8000+ hits for uninstalled/non-existent plugins
  • 899 unique plugins tested (list)

Just for information, here is my Top-20 of tested WordPress plugins (plugin slug as it appears in the request path, and number of non-200 hits):

Plugin Name                                   Count
revslider (1)                                  2084
wp-symposium                                    735
showbiz                                         701
easy-fancybox                                   542
newsletter                                      390
videowhisper-video-conference-integration       367
reflex-gallery                                  357
videowhisper-video-presentation                 328
wysija-newsletters                              295
player                                          288
uploadify                                       273
social                                          267
google-mp3-audio-player                         203
uploader                                        197
wp-email                                        165
dzs-zoomsounds                                  143
easy-social-media                               137
backup                                          132
simple-ads-manager                              130
wp-filemanager                                  121

(1) A very popular exploit for this plugin has been in the wild for a while, which explains why it is probed far more often than the others.

If you run your own CMS, here are some security tips regarding the use of plugins:

  • Only install plugins that you really need.
  • Some plugins can be configured. Always review the default settings and adapt them to your environment and security requirements.
  • If you test a plugin and decide not to use it, disable it and uninstall it completely: a plugin that is merely deactivated still has its files on disk, where they remain reachable by direct URL.
  • Even if popularity is a good indicator of a plugin's quality, do not trust it blindly (popularity != security).
  • Like any piece of software, keep them updated.
  • Take a deep breath and jump into the code for a quick code review (any backdoor installed?).
  • WordPress has a hardening guide with good recommendations.

As general advice regarding 4xx HTTP errors, do not alert on single errors but search for multiple 4xx (or 5xx) errors generated in a short amount of time from a single IP address. This is helpful to detect ongoing scans! (A log management solution can do that very easily.)
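As an added example (not code from this diary or from the ISC), here is a small Python script that does both of the things described in this diary: it counts non-200 hits under /wp-content/plugins/ per plugin slug, the same view as the Top-20 statistics above, and it flags source IPs that generate several 4xx/5xx responses within a short sliding window, as recommended here. The log lines are constructed samples in Apache combined format using RFC 5737 documentation addresses; the threshold of 5 errors in 60 seconds is an assumed starting point to tune to your own site's normal 404 rate.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format, using RFC 5737
# documentation addresses. They are NOT taken from the diary author's server.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2015:08:01:02 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2015:08:01:03 +0000] "GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2015:08:01:04 +0000] "GET /wp-content/plugins/showbiz/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2015:08:01:05 +0000] "GET /wp-content/plugins/easy-fancybox/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2015:08:01:06 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2015:09:15:00 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2015:09:30:00 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2015:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2015:10:00:01 +0000] "GET /old-page HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
PLUGIN_PREFIX = "/wp-content/plugins/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def plugin_probe_counts(lines):
    """Count non-200 requests per plugin slug under /wp-content/plugins/ (the diary's Top-20 view)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] == 200 or not rec["path"].startswith(PLUGIN_PREFIX):
            continue
        # "/wp-content/plugins/<slug>/..." -> the slug is the fourth path component
        parts = rec["path"].split("/")
        if len(parts) > 3 and parts[3]:
            counts[parts[3]] += 1
    return counts


def scanning_ips(lines, threshold=5, window_seconds=60):
    """Flag IPs that produced >= threshold 4xx/5xx responses inside any window_seconds span.

    Returns {ip: peak error count seen in one window}. The threshold and window
    are assumed starting values; tune them to the site's normal error rate.
    """
    errors = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] >= 400:
            errors[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in errors.items():
        stamps.sort()  # logs are usually chronological, but do not rely on it
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            # drop events that have fallen out of the sliding window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    probes = plugin_probe_counts(lines)
    print(f"{sum(probes.values())} non-200 plugin hits, {len(probes)} unique plugins probed")
    for slug, n in probes.most_common(20):
        print(f"{slug:45} {n}")
    for ip, n in scanning_ips(lines).items():
        print(f"scan suspected from {ip}: {n} errors within 60s")
```

On the sample data only 203.0.113.5 is flagged (five 404s in four seconds), while the single 404 from 198.51.100.7 and the one from 192.0.2.9 stay below the threshold, which is exactly the point: one stray 404 is noise, a burst of them from one address is a scan. To run it against a real server, replace SAMPLE_LOG.splitlines() with the lines of your access log.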

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be
