[wp-hackers] [Full-disclosure] Possible Code Execution vulnerability in WordPress ?

Marc Manthey marc at let.de
Sun Jul 3 15:21:52 UTC 2011


On Jul 3, 2011, at 2:43 PM, Chip Bennett wrote:

> The Hackers list is not the first, or best, audience for this type of
> message. You should email security at wordpress.org directly if you
> believe you have discovered evidence of a vulnerability or an exploit vector.
>
> Also, be sure to read the Hardening WordPress entry in the Codex:
> http://codex.wordpress.org/Hardening_WordPress
>
>

Thanks, but they do nothing else than set the ticket to "invalid"?

http://core.trac.wordpress.org/ticket/17969#comment:4

and don't respond to emails?

Marc


>
> On Sun, Jul 3, 2011 at 6:33 AM, Marc Manthey <marc at let.de> wrote:
>
>> hello list,
>>
>> I have been using WordPress for 2 years without any trouble and update
>> regularly, but last Friday I got a mail from my hoster
>> that someone "uploaded" a phishing script into my "upload folder". After I
>> found out that the "contact form" module might cause
>> the problem, because I always found a "wpcf7_captcha" directory in my
>> "upload folder", I removed the module and all went fine.
>>
>> Today I've got another mail from rsa.com that the same script is still on
>> my site, just in a "theme" folder.
>> I looked into the installed "phishing script"
>> http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
>> It seems everything is loaded from https://www1.royalbank.com/ , for
>> example
>> https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif
>> but this is not the original banking site !!
>>
>> Is this a DNS manipulation? https://www1.royalbank.com ??? When I try
>> http://www.royalbank.com it redirects me to the original banking site at
>>
>> http://www.rbcroyalbank.com !!!!
>>
>> After I searched for some information, I found this on the full
>> disclosure list, and I am a bit concerned now....
>>
>> [Full-disclosure]       Code Execution vulnerability in WordPress
>> http://seclists.org/fulldisclosure/2011/Apr/535
>>
>> Any idea what to do?
>>
>> cheers
>>
>>
>> Marc
>>
>>
>>>>
>>>> -------- Original Message --------
>>>> Subject:        Fraudulent site, please shut down! [RBC 11266] IP:
>>>> 91.184.33.25 Domain: let.de
>>>> Date:   Sun, 3 Jul 2011 02:33:05 +0300
>>>> From:   <afcc at rsa.com>
>>>> To:     <abuse at speedpartner.de>
>>>> CC:     <metz at speedpartner.de>
>>>>
>>>>
>>>>

--  Les enfants teribbles - research / deployment
Marc Manthey- Vogelsangerstrasse 97
50823 Köln - Germany
Tel.:0049-221-29891489
Mobil:0049-1577-3329231
blog: http://let.de
twitter: http://twitter.com/macbroadcast/
facebook : http://opencu.tk
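Added example (not part of Marc's post, and not WordPress or Contact Form 7 code): the kind of check a site owner in this situation would want to run. Phishing kits like the one described above are usually .html/.php files dropped into wp-content/uploads, a directory that should hold only media. The script below walks an uploads tree and flags files whose extension is not on an allowlist of media types, and files whose first bytes look like a web page or PHP script even when the extension is innocent. The allowlist, the byte markers, and the sample tree (a "wpcf7_captcha" directory holding a fake login page, a collector script and a GIF-disguised PHP file) are assumptions constructed for this example; the real kit contents are not reproduced here.

```python
"""Scan a WordPress wp-content/uploads tree for files that do not belong there.

Added example, not code from the original thread or from WordPress.
Flags (a) files whose extension is not on an allowlist of media types
uploads normally contain, and (b) files whose leading bytes contain
page/script markers. Allowlist, markers and sample data are assumptions.
"""
import tempfile
from pathlib import Path

# Media types a normal uploads folder holds (assumed allowlist; extend as needed).
ALLOWED_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip",
}

# Byte markers that should never appear at the start of an upload (assumed set).
CONTENT_MARKERS = (b"<?php", b"<form", b"<script", b"<html")


def scan_uploads(root):
    """Return a sorted list of (relative_path, reason) for suspicious files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext not in ALLOWED_EXTENSIONS:
            findings.append((rel, "unexpected extension %s" % (ext or "(none)")))
            continue
        # An allowed extension can still hide script content: inspect the head.
        head = path.read_bytes()[:4096].lower()
        for marker in CONTENT_MARKERS:
            if marker in head:
                findings.append((rel, "contains %s" % marker.decode()))
                break
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed uploads tree mixing real-looking media with a kit."""
    base = Path(base)
    (base / "2011" / "07").mkdir(parents=True)
    (base / "2011" / "07" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
    (base / "2011" / "07" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n constructed png")
    kit = base / "wpcf7_captcha"  # directory name taken from the post above
    kit.mkdir()
    # Constructed stand-in for a bank login page; not the real kit's content.
    (kit / "www1royalbankcom.html").write_text(
        '<html><form action="post.php"><input name="password"></form></html>'
    )
    (kit / "post.php").write_text("<?php /* constructed credential collector */ ?>")
    # A PHP payload disguised behind an image extension.
    (kit / "thumb.gif").write_bytes(b"GIF89a<?php /* constructed */ ?>")
    return base


def scan_sample():
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, reason in scan_sample():
        print("%-40s %s" % (rel, reason))
```

Run it against a real site as `scan_uploads("/path/to/wp-content/uploads")`; the same function works on a theme directory if you replace the allowlist with the file types that theme legitimately ships. Extension allowlisting catches the obvious .html/.php drops, the content check catches the renamed ones; neither replaces reinstalling from known-good sources once a site has been compromised.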


