WordTube vulnerability broke my server
Omar | 13. Mai 2007
Today i woke up and upon checking my mail discovered that my server has gone down. A quick ps aux revealed some concealed processes running as ‘httpd’ but actually running some perl script. The apache2 process wasn’t running any more. After killing the intruding processes i could start apache, but of course i wanted to find out, what went wrong.
Looking through the log files i found someone trying to access /wp-content/plugins/wordtube/wordtube-button.php?wpPath=[someurl]
Turns out, wordtube was exploitable. I finally found the exploit in heise.de:
Three plugins for the popular Blog-Software Wordpress introduce a vulnerability to the system. There are security holes in myFlash, wordTube and wp-Table, whom a attacker can use to include his own php-scripts and run them with the privileges of the webserver. All three plugins are written by the same developer.
The problem in the plugins is the handling of the argument wppath in the files wordtube-button.php, js/wptable-button.php and myflash-button.php. All wordTube and wp-Table versions up until 1.4.3, myFlash versions up until 1.10 are affected. The errors have been fixed in the respective versions 1.4.4 and 1.11. All users should download the newest versions asap.
