Labs Note

Mass Mailing SPAM From a Good File

August 15, 2016, by Rodrigo Escobar


We often find code that is developed with good intent but the security aspects of it are not always taken into consideration.

During a routine cleanup investigation we found a PHP script in a theme that called PHP's mail() function without any authentication, nonce check, or protection against being requested directly. Because of that, anyone on the internet could abuse the script to send mass SPAM through the site's mail server.

This script is part of one premium WordPress theme and here is a snippet of it (with comments removed):

$to      = htmlspecialchars( stripslashes( trim( $_POST['To'] ) ) );
$name    = htmlspecialchars( stripslashes( trim( $_POST['Name'] ) ) );
$email   = htmlspecialchars( stripslashes( trim( $_POST['Email'] ) ) );
$message = htmlspecialchars( stripslashes( trim( $_POST['Message'] ) ) );
$subject = htmlspecialchars( stripslashes( trim( $_POST['Subject'] ) ) );
$headers = 'From: '. $name .' <'. $email .'>';
//$subject .= ', from: ' .$name ;
if( @mail( $to, $subject, $message, $headers ) ){
    echo json_encode( array( 'status' => 'ok' ) );
} else {
    echo json_encode( array( 'status' => 'error' ) );
}

As you can see, it sends email using data taken straight from POST parameters: the recipient, the From name and address, the subject and the body are all attacker-controlled. The htmlspecialchars() calls only HTML-encode the values; they do nothing to restrict who the message goes to or who may call the script, and the @ in front of mail() hides any delivery errors. Although the script is meant to be called by the theme's own contact form, it works just as well as a stand-alone endpoint: a direct POST to the file bypasses every check made in the other theme files and turns the site into an open mail relay.

This theme is not the only one that has such a vulnerability. If you develop themes or plugins and they include files that shouldn't be used outside of the original theme or plugin, consider this trick to prevent direct access to the files. The following code can be added at the top of the files, right after the opening PHP tag:

if ( basename( $_SERVER['PHP_SELF'] ) == basename( __FILE__ ) ) { die( 'Access Denied' ); }

The check compares the script the web server is executing with the file containing the check; when the file is included by another script the two differ and execution continues. One caveat: on servers that accept path info, PHP_SELF also contains the extra path segment, so the comparison should not be relied on alone. Inside WordPress the more robust and conventional guard is to abort when the ABSPATH constant is not defined, since it is only ever defined when the file is loaded through WordPress itself:

if ( ! defined( 'ABSPATH' ) ) { exit( 'Access Denied' ); }

Preventing direct access closes the stand-alone abuse, but a mailer still needs to verify that the request came from a form on the site (a nonce) and must not let the caller choose the recipient.
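To show what the mailer looks like once those points are addressed, here is an added example written for this post; it is not the theme's code. It rewrites the snippet above as a WordPress AJAX handler: a direct-access guard, a nonce check, a recipient fixed on the server side, CR/LF stripped from header values so a visitor cannot inject extra headers, a From address on the site's own domain, and a crude per-IP rate limit. The hook name, nonce action, field names and the example_ function names are assumptions for illustration.

```php
<?php
// Added example (not the theme's code): hardened replacement for the
// unauthenticated mailer discussed above, as a WordPress AJAX handler.
// Hook name, nonce action, field names and example_* names are assumed.

// 1. Block direct requests: outside WordPress, ABSPATH is never defined.
if ( ! defined( 'ABSPATH' ) ) {
    exit( 'Access Denied' );
}

// Remove CR/LF so a value cannot smuggle extra headers (e.g. "Bcc:") into mail().
function example_strip_crlf( $value ) {
    return str_replace( array( "\r", "\n" ), '', (string) $value );
}

function example_handle_contact_form() {
    // 2. The request must carry a nonce issued to a page on this site;
    //    a bare POST from elsewhere fails here.
    $nonce = isset( $_POST['nonce'] ) ? (string) $_POST['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_contact_form' ) ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'bad nonce' ), 403 );
    }

    // 3. Crude per-IP rate limit: one message per minute, stored in a transient.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    $key = 'example_contact_' . md5( $ip );
    if ( get_transient( $key ) ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'rate limited' ), 429 );
    }
    set_transient( $key, 1, MINUTE_IN_SECONDS );

    // 4. The recipient is fixed server-side. Accepting $_POST['To'] is what
    //    turned the original script into an open mail relay.
    $to = get_option( 'admin_email' );

    $name    = sanitize_text_field( example_strip_crlf( wp_unslash( $_POST['Name'] ?? '' ) ) );
    $email   = sanitize_email( example_strip_crlf( wp_unslash( $_POST['Email'] ?? '' ) ) );
    $subject = sanitize_text_field( example_strip_crlf( wp_unslash( $_POST['Subject'] ?? '' ) ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['Message'] ?? '' ) );

    if ( '' === $name || ! is_email( $email ) || '' === $message ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'invalid input' ), 400 );
    }

    // 5. Send from a site-owned address and put the visitor in Reply-To instead
    //    of forging From, which would also fail SPF/DMARC for the site's domain.
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $headers   = array(
        'From: ' . get_bloginfo( 'name' ) . ' <wordpress@' . $site_host . '>',
        'Reply-To: ' . $name . ' <' . $email . '>',
    );

    $body = "Name: {$name}\nEmail: {$email}\n\n{$message}";
    if ( wp_mail( $to, '[Contact] ' . $subject, $body, $headers ) ) {
        wp_send_json_success( array( 'status' => 'ok' ) );
    }
    wp_send_json_error( array( 'status' => 'error' ), 500 );
}

// Reachable only through admin-ajax.php?action=example_contact_form, for
// logged-in and anonymous visitors alike; the nonce and the fixed recipient
// do the gating, not the login state.
add_action( 'wp_ajax_example_contact_form', 'example_handle_contact_form' );
add_action( 'wp_ajax_nopriv_example_contact_form', 'example_handle_contact_form' );
```

The form's JavaScript obtains the nonce from wp_create_nonce( 'example_contact_form' ) (for instance via wp_localize_script) and posts it as the nonce field. Dropping the file at a URL and requesting it directly now yields "Access Denied", and a crafted POST without a valid nonce, or with a recipient of the attacker's choosing, no longer sends anything.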

This post demonstrated just one of many security issues that can be caused by poor coding practices. Extension developers should always remember that once their software becomes even moderately popular, attackers immediately start looking for ways to abuse it.


Categories: Sucuri LabsTags: Labs Note

About Rodrigo Escobar

Rodrigo Escobar is Sucuri's Sr. Malware Research Manager who joined the company in 2012. Rodrigo's main responsibilities include the coordination of malware analysts and research groups, and deployment of effective remediation solutions. His professional experience covers more than eight years in website remediation and malware analysis. When Rodrigo isn't investigating cyber threats and looking for solutions to prevent them, you might find him at the computer, reading assembly and learning new skills. Connect with him on LinkedIn.
