• After using a few new plugins my wp-config.php had ha added at the very beginning and the entire file had been written in Windows format (I had to remove all of the CRs so that BBEdit would display it correctly, since I use OS X).

    This is on my local server running under MAMP under my own username.

    I don’t really know PHP or JS well, but looked at the plugins and this caught my eye since it loads arbitrary code from an external site, and I find it odd that the file is named sidebar.php. Is there any way the loaded sidebar.php file could be made to execute arbitrary code?

    <div id="postbox-container-1" class="postbox-container">
        <iframe frameBorder="0" height = "1000" src = "http://sudarmuthu.com/projects/wordpress/bulk-move/sidebar.php?color=<?php echo get_user_option( 'admin_color' ); ?>&version=<?php echo self::VERSION; ?>"></iframe>
    </div>

    Any comments are greatly appreciated

Viewing 3 replies - 1 through 3 (of 3 total)
  • @SnorkelZ: That plugin author, with 23 plugins, does not appear to be sketchy: https://profiles.wordpress.org/sudar/

    If you have a question about the bulk-move plugin, ask here: https://wordpress.org/support/plugin/bulk-move

    That iframe appears to be simply an ad for his plugin.

    Thread Starter SnorkleZ

    (@snorklez)

    @songdogtech: Thanks for the reply. Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone’s plugin. I should have anonymized the url. I want to be clear that I am not accusing him or anyone, just performing an evaluation. I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.

    The content loaded into that Iframe currently is just an ad. The file being loaded being named the same as a WP template file caught my eye, but I realize now that that is probably just because that file is a sidebar on his own WP site.

    I’m not aware of any way that Iframe could be made to execute php code on my site but wanted to let some more knowledgeable eyes verify that.

    I now see that it would be wise for me to run my development web server in a chroot or something similar, under a limited account even though I am behind a NAT router.

    As a learning exercise I will continue to look at the code in the plugins that were loaded at the time and see if I find anything obfuscated.
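The review the thread starter describes (reading through the installed plugins for obfuscated or remotely loaded code, and checking what happened to wp-config.php) can be partly automated. The script below is an added example, not code from the bulk-move plugin or from WordPress: it flags common obfuscation and remote-loading constructs, Windows line endings, and content prepended before the opening `<?php` tag of wp-config.php. The rule set and the sample files are constructed for the example; hits are leads for manual review, not verdicts, since legitimate plugins also call `base64_decode` or fetch remote URLs.

```python
"""Static triage of WordPress plugin and config files for patterns worth a
manual look. Added example; not the plugin's or WordPress's own code."""
import re
from pathlib import Path

# Hypothetical rule set for this example. Each hit is a lead, not a verdict.
RULES = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decode-chain": re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic-code": re.compile(r"\b(?:create_function|assert)\s*\(", re.I),
    "remote-include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    "remote-fetch": re.compile(
        r"\b(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "hex-string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
}


def _finding(file: str, line: int, rule: str, snippet: str) -> dict:
    return {"file": file, "line": line, "rule": rule, "snippet": snippet}


def scan_text(text: str, name: str = "<memory>") -> list[dict]:
    """Return file-level findings first, then one finding per (line, rule) hit."""
    findings = []
    # The thread's symptom: a file rewritten with CRLF line endings.
    if "\r\n" in text:
        findings.append(_finding(name, 0, "crlf-line-endings", ""))
    # wp-config.php should start with the PHP open tag; anything before it is suspect.
    if name.endswith("wp-config.php") and not text.lstrip().startswith("<?php"):
        findings.append(_finding(name, 1, "unexpected-prefix", text[:40]))
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(_finding(name, lineno, rule, line.strip()[:80]))
    return findings


def scan_tree(root: Path, suffixes: tuple[str, ...] = (".php",)) -> list[dict]:
    """Scan every matching file under root, e.g. wp-content/plugins."""
    out = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            # Read bytes so CRLF survives (text mode would normalise newlines).
            out.extend(scan_text(path.read_bytes().decode("utf-8", "replace"), str(path)))
    return out


def summarize(findings: list[dict]) -> dict:
    """Count findings per rule, for a quick overview of a whole plugin tree."""
    by_rule: dict = {}
    for f in findings:
        by_rule[f["rule"]] = by_rule.get(f["rule"], 0) + 1
    return by_rule


# Constructed sample: the plugin's ad iframe from the thread (plain HTML, not
# flagged) beside a constructed obfuscated line, all in Windows line endings.
SAMPLE_PLUGIN = (
    '<div id="postbox-container-1" class="postbox-container">\r\n'
    '    <iframe frameBorder="0" height="1000" src="http://sudarmuthu.com/projects/'
    'wordpress/bulk-move/sidebar.php?color=<?php echo get_user_option( \'admin_color\' ); ?>"></iframe>\r\n'
    '</div>\r\n'
    '<?php eval(base64_decode($payload)); ?>\r\n'  # constructed, no real payload
)

# Constructed sample: a wp-config.php with junk prepended and CRLF endings.
SAMPLE_CONFIG = "junk line\r\n<?php\r\ndefine('DB_NAME', 'wp');\r\n"

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PLUGIN, "plugin/admin.php") + scan_text(SAMPLE_CONFIG, "wp-config.php"):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
    # On a real install: summarize(scan_tree(Path("wp-content/plugins")))
```

The iframe itself produces no finding: it is markup rendered by the browser, and the scanner only looks for server-side constructs that would run code or pull it from elsewhere. A CRLF hit on its own is usually an editor artefact; it is the combination with an unexpected prefix or a decode-and-eval chain that deserves a closer read.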

    Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone’s plugin.

    That’s a good habit; I do it myself.

    I’m not aware of any way that Iframe could be made to execute php code on my site but wanted to let some more knowledgeable eyes verify that.

    iFrames load html and javascript; neither one has access to underlying file systems and can’t execute code outside of the browser.

    I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.

    If you’re concerned with security to this degree, don’t run a CMS. There will always be security issues with a complex web app like WordPress and anything similar out there. Run a site with plain html or basic php. I’ve had clients who wanted to stick to plain html or simple php for those reasons.

    But half of your security is your knowledge to secure your own server, unrelated to any http, ftp or other services enabled.

  • The topic ‘Could this Iframe be part of a plugin trojan?’ is closed to new replies.