Security Alert for Vistered Little Theme

Posted on May 30th, 2007 by tom.
Categories: Software, Tech, Wordpress.

Wordpress Blogs using Vistered Little are being targeted by hackers

Over the last two days the number of 404s on my site increased significantly. Further investigation revealed that attempts were being made to access unusual URLs to gain access to files they wouldn't normally have access to.

It appears that skins/common.css.php is vulnerable.

This file exists in that location in 1.6a, and in the theme's root directory in 1.7.0 through 1.7.2. It does not exist in the current version, 1.7.3.

It is strongly recommended that anyone using Vistered Little 1.6a through 1.7.2 upgrade to 1.7.3 ASAP.

Update: 2007.05.30

Apparently this exploit was discovered two days ago:

Update: 2007.05.31

Now that we've done our best to let everyone who is vulnerable know about the problem, it's time to sit down and examine the exploit. Let's have a look at the offending file:

The problem is (apparently) that bit at the end:

@readfile( $skin . '.css' );

$skin is set from a request parameter, so by changing the request parameter you can access any file ending in '.css'. What this exploit tries to do is set $skin to the file they are trying to access, with a null character added at the end, so that readfile ignores the '.css'. The following code is a simplified (no request parameters) example of what they are trying to do:

@readfile( "path/somefile" . pack( "@" ) . '.css' ); [1]

If you put this code in a php file, you'll find that it outputs the contents of "path/somefile", not "path/somefile.css".

When common.css.php is being exploited, they are trying to set $skin to "path/somefile" . pack( "@" ).

Apparently the pack( "@" ) part can be achieved by adding "%00" after "path/somefile". Sure enough, the output from

urlencode( "path/somefile" . pack( "@" ) )

is "path/somefile%00". However, when I tried this with

common.css.php?skin=path/somefile%00

$skin gets set to path/somefile\0. I could not find any way to correctly embed the null in the query string after the filename. Perhaps the L33T HaX0R Mahmood_ali2, who is credited with finding this exploit, can let us know.

  1. pack( "@" ) returns a null character.
  2. Why the email link? Someone's got to feed the email harvesting bots.
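As an added example (not the theme's code, and not the fix given in the comments), here is a hardened form of that readfile line: rather than trusting a '.css' suffix appended to attacker-controlled text, it validates the skin name itself, so a NUL byte or a path separator never reaches the filesystem call, and then confirms the resolved path is still inside the skins directory. It assumes the stylesheets live in a skins/ directory beside common.css.php.

```php
<?php
// Added example, not the theme's own code: a hardened replacement for the
// `@readfile( $skin . '.css' )` line in common.css.php. Assumes the skin
// stylesheets live in a skins/ directory next to this file.

/**
 * Map an untrusted skin name to a stylesheet path inside $skinsDir.
 * Returns the resolved path, or null if the request must be refused.
 */
function safe_skin_path( $skinsDir, $skin ) {
    // 1. Only a plain name is acceptable: no slashes, dots or NUL bytes.
    //    A "%00" in the query string arrives here as a real NUL byte, and
    //    the character class rejects it along with any traversal sequence.
    //    \z (not $) so a trailing newline cannot sneak past the check.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}\z/', $skin ) ) {
        return null;
    }
    // 2. The extension is appended by us, never taken from the request.
    $path = realpath( $skinsDir . '/' . $skin . '.css' );
    // 3. Belt and braces: the resolved file must still be inside $skinsDir.
    $base = realpath( $skinsDir );
    if ( $path === false || $base === false
         || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

$skin = isset( $_GET['skin'] ) ? (string) $_GET['skin'] : 'default';
$path = safe_skin_path( dirname( __FILE__ ) . '/skins', $skin );

if ( $path === null ) {
    // Refuse rather than fall through to readfile(); the 404 lands in the
    // server log, which is exactly how the scanning was noticed in this post.
    header( 'HTTP/1.1 404 Not Found' );
    exit;
}

header( 'Content-Type: text/css' );
readfile( $path );   // no @: an unexpected failure should be visible in the log
```

PHP 5.3.4 and later refuse NUL bytes in paths passed to readfile(), but that only removes the truncation trick; without the name check, any '.css' file reachable by traversal would still be served, so the validation is what actually closes the hole.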

19 comments.

  1. Comment on May 30th, 2007. Reply

    Being targeted by crackers, not hackers.

  2. Comment on May 31st, 2007. Reply

    Hi Jeremy, coders call themselves hackers and crackers call themselves hackers. The media call crackers hackers. I don’t know anyone but coders who call coders hackers. While in the company of other coders I call myself a hacker.

    Since this post was for the general public, I chose to use the more common term for cracker, which is hacker.

  3. Comment on June 1st, 2007. Reply

    I’m having issues getting mine up and running. I keep getting the following error.

    Fatal error: Call to undefined function: wp_list_categories() in /www/cgi/wp/wp-content/themes/vistered-little-1/monosidebar.php on line 31

    Then it won’t load the rest of the page. I usually use my own images, and even the thumbs aren’t loading. HELP!

  4. mrsgroovy
    Comment on June 2nd, 2007. Reply

    I keep getting errors when trying to add the new theme. I’d send you a copy of the errors but I’d rather not have the world seeing them.

  5. Comment on June 2nd, 2007. Reply

    So what exactly is the code for the fix (or do I have to come up with a solution myself)? I don’t want to update as I have modified my design to be xhtml friendly among another things.

  6. Comment on June 4th, 2007. Reply

    Hi MASA, replace

    <?php

    @readfile( $skin . '.css' );

    ?>

    with

    @import url( '<?php echo $skin; ?>.css' );

    1. k
      Comment on September 18th, 2007. Reply

      What file is this line of code in? I cannot find it. Thanks!

      1. Comment on September 18th, 2007. Reply

        It’s in common.css.php. You won’t find it if you are using VL 1.7.3 or later.

        1. Comment on September 18th, 2007. Reply

          I don’t have that file… Or did you mean the selector or property? I definitely am not using the most recent version.

          1. Comment on September 19th, 2007. Reply

            If you are using 1.6 (not 1.6a) then you are safe as well

  7. Tex Long
    Comment on June 4th, 2007. Reply

    Vistered Little displays no posts - not a blank frame, nothing at all of the posts. The other elements show up fine, but nothing of posts. This is on a WP2.0.7 with PHP 5.0.4, MySQL 4 point something (if it matters, I’ll look it up) - most other themes work just fine.

  8. Comment on June 5th, 2007. Reply

    Thanks Tom! That saved me from having to update and recustomize my entire theme!

    Thank you for taking up this project!!

  9. Comment on June 5th, 2007. Reply

    Hi Tex Long, VL 1.7.3 works with WordPress 2.1 and 2.2, not 2.0

  10. Tex Long
    Comment on June 5th, 2007. Reply

    Thanks, Tom. I shoulda thoughta that… took about 90 seconds to upgrade… and it works fine now.

    Thanks again!

  11. Tex Long
    Comment on June 5th, 2007. Reply

    Next question: (probably because I’m too stoopid to find the right place and read the answer) how can I add my own backgrounds / wallpapers?

  12. Tex Long
    Comment on June 5th, 2007. Reply

    Never mind - I am stoopid… wallpapers can only be jpgs, and I was putting gifs in the directory… tried a couple of jpgs and presto!

  13. Tex Long
    Comment on June 8th, 2007. Reply

    Hey - back again. I’d love to put these questions somewhere more rational, but I’m too stoopid to find such a place… forum? help desk? here:

    I’ve got a V-L 1.7.4 site operating in alpha mode on my intranet, with some employees testing access and whatnot (one goal is an event calendar, but when I was trying it the other day with ec3 and/or structured blogging, it broke the admin completely - probably an interaction in switching between themes).

    What I’m commenting on here is that commenting on my blog isn’t working with V-L 1.7.4 for some reason:

    Two people have tried to leave comments and not been able to do so. I could, but then I’m logged in and they’re not, so maybe that’s one issue, but we probably want to allow un-registered commenters (or do we?).

    First: it didn’t do ANYTHING after the button was clicked… no response of any sort.

    Second: when the button was clicked again, it claimed that a comment had already been left (there were no other comments at the time).

    Third: the comment didn’t show up.

    Fourth: when one commenter left off his email, he got a message that he hadn’t entered an email address; it went back to the posting text box, which had been blanked out and he lost his entire typing session… which was several paragraphs.

    Any ideas? And… where (if at all) is a better place to ask questions and report problems? I tried on the WP forum, but of course someone had to respond with “ask the author”… not overly helpful.
    This is not good, if you DO want comments!

    1. Comment on June 20th, 2007. Reply

      Sorry I missed your comments till now. What plugins are you using?

      Regarding support for Vistered Little, please see the Vistered Little Support page. There is a link to a forum there.

  14. Pingback on March 17th, 2008. Reply

    […] to update gonad.org’s WordPress theme, Vistered Little, to the newest version.  There was an evil security flaw in the version I had been using, though I’m nearly a year behind in noticing […]
