What is a Website Backdoor?

What is a Backdoor?

A backdoor is a shortcut that lets authorized or unauthorized users reach a part of a website, software, or system that they would otherwise not be permitted to access. Backdoors can be categorized in many different ways, but they are usually kept out of plain sight and are intentionally difficult to detect.

Legitimate vs. Illegitimate Backdoors
Developer’s backdoor

Sometimes called a Maintenance Hook, Administrative Backdoor, or a Proprietary Backdoor, these are backdoors created on purpose by developers during the development process of the software or hardware.

Continue reading What is a Website Backdoor? at Sucuri Blog.

WooCommerce Extension – Reflected XSS Vulnerability

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On November 1, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.

We sent the full disclosure details on November 4, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 8, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Preview E-Mails for WooCommerce”, which is version 2.0.1 at the time of this publication.

Description: Reflected Cross-Site Scripting
Affected Plugin: Preview E-mails for WooCommerce
Plugin Slug: woo-preview-emails
Affected Versions: <= 1.6.8
CVE ID: CVE-2021-42363
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.0.0

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

As part of the plugin’s functionality, there is a feature to search orders and generate an email preview based on a specific order, so that an administrator or shop manager can see exactly what a given customer sees in the emails that get sent out. Unfortunately, the search_orders parameter used to conduct the search was reflected to the page with no input sanitization and no escaping on output. This made it possible for users to supply arbitrary scripts that would execute in the browser when the page was accessed with the payload set in the search_orders parameter.

    <select name="search_order" id="woo_preview_search_orders" class="woo_preview_search_orders" class="regular-text" style="width: 35%;">
        <?php
        if ( ! empty( $_POST['search_order'] ) ) {
            // Vulnerable: the raw POST value is echoed into an attribute and into element text without escaping.
            ?>
            <option value="<?php echo $_POST['search_order']; ?>" selected="selected">#order : <?php echo $_POST['search_order']; ?></option>
            <?php
        }
        ?>

This meant that if an attacker could successfully convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. This script could be crafted to inject a new administrative user or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over the site.
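For comparison, here is the same order-search control rendered with output escaping, type coercion and a nonce check. This is an added example, not the plugin’s code or its actual patch; the capability name, nonce action and the assumption that the field only ever holds a numeric order ID are mine.

```php
<?php
// Added example (not the plugin's code or its fix): a hardened rendering of
// the order-search control. Assumes it runs inside a WordPress admin screen
// and that "search_order" only ever carries a numeric order ID.

function wpx_render_search_order_select() {
    // Assumed capability: only shop managers/admins preview customer e-mails.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }

    $order_id = 0;
    // A nonce bound to this form means a crafted link or cross-site form
    // submission cannot populate the field on an administrator's behalf.
    if ( isset( $_POST['search_order'], $_POST['_wpnonce'] )
        && wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'wpx_preview_order' ) ) {
        // Coerce to an integer so markup can never reach the attribute.
        $order_id = absint( wp_unslash( $_POST['search_order'] ) );
    }
    ?>
    <select name="search_order" id="woo_preview_search_orders" class="regular-text" style="width: 35%;">
        <?php if ( $order_id > 0 ) : ?>
            <?php // Escape on output as well: esc_attr() for the attribute, esc_html() for text. ?>
            <option value="<?php echo esc_attr( $order_id ); ?>" selected="selected">
                #order : <?php echo esc_html( $order_id ); ?>
            </option>
        <?php endif; ?>
    </select>
    <?php
    // Emits the hidden _wpnonce field checked above (assumed action name).
    wp_nonce_field( 'wpx_preview_order' );
}
```

Escaping on output is the fix that matters here; the nonce and integer coercion are defense in depth for a field that should never contain markup in the first place.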

Timeline

November 1, 2021 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the Preview E-mails for WooCommerce plugin. We validate that the Wordfence Firewall provides complete protection. We initiate contact with the developer.
November 3, 2021 – The developer confirms the inbox for handling the discussion.
November 4, 2021 – We send over the full disclosure details.
November 8, 2021 – A fully patched version of the plugin is released as version 2.0.0.

Conclusion

In today’s post, we detailed a flaw in the Preview E-mails for WooCommerce plugin that made it possible for attackers to inject malicious web scripts into a page that would execute if an attacker successfully tricked a site administrator into performing an action. This flaw has been fully patched in version 2.0.0.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.0.1 at the time of this publication.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected by the Wordfence firewall’s built-in XSS protection.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post WooCommerce Extension – Reflected XSS Vulnerability appeared first on Wordfence.

Fake Ransomware Infection Spooks Website Owners

Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “FOR RESTORE SEND 0.1 BITCOIN” were sitting at 6 last week and had increased to 291 at the time of writing. Upon visiting their website, webmasters have been met with an alarming message:

SITE ENCRYPTED

FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc

(create file on site /unlock.txt with transaction key inside)

The warning indicated that the website was hit with a ransomware attack.

Continue reading Fake Ransomware Infection Spooks Website Owners at Sucuri Blog.

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”, but we are referring to it in this post as the “Starter Templates Plugin” to avoid confusion.

Versions 2.7.0 and older of this plugin contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

The plugin’s developer responded to us, and we provided full disclosure of the vulnerability details the next day, on October 5, 2021. A patched version of the Starter Templates plugin, version 2.7.1, was released on October 7, 2021.

We released a firewall rule to protect Wordfence Premium customers on October 4, 2021. Sites running the free version of Wordfence received the same protection 30 days later, on November 3, 2021.

Description: Authenticated Block Import to Stored XSS
Affected Plugin: Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
Plugin Slug: astra-sites
Affected Versions: <= 2.7.0
CVE ID: CVE-2021-42360
CVSS Score: 7.6 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.7.1

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

On sites that also had Elementor installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action.

While the elementor_batch_process function associated with this action did perform a nonce check, the required _ajax_nonce was also available to Contributor-level users in the page source of the WordPress dashboard.

    public function elementor_batch_process() {

        // Verify Nonce.
        check_ajax_referer( 'astra-sites', '_ajax_nonce' );

        // Global capability check only: every Contributor has edit_posts,
        // and the target post ID is never checked against the user.
        if ( ! current_user_can( 'edit_posts' ) ) {
            wp_send_json_error( __( 'You are not allowed to perform this action', 'astra-sites' ) );
        }

        if ( ! isset( $_POST['url'] ) ) {
            wp_send_json_error( __( 'Invalid API URL', 'astra-sites' ) );
        }

        // The URL is fetched exactly as supplied by the caller.
        $response = wp_remote_get( $_POST['url'] );

        if ( is_wp_error( $response ) ) {
            wp_send_json_error( wp_remote_retrieve_body( $response ) );
        }

        $body = wp_remote_retrieve_body( $response );
        $data = json_decode( $body, true );
        if ( ! isset( $data['post-meta']['_elementor_data'] ) ) {
            wp_send_json_error( __( 'Invalid Post Meta', 'astra-sites' ) );
        }

        $meta    = json_decode( $data['post-meta']['_elementor_data'], true );
        $post_id = $_POST['id'];

        if ( empty( $post_id ) || empty( $meta ) ) {
            wp_send_json_error( __( 'Invalid Post ID or Elementor Meta', 'astra-sites' ) );
        }

        if ( isset( $data['astra-page-options-data'] ) && isset( $data['astra-page-options-data']['elementor_load_fa4_shim'] ) ) {
            update_option( 'elementor_load_fa4_shim', $data['astra-page-options-data']['elementor_load_fa4_shim'] );
        }

        $import      = new \Elementor\TemplateLibrary\Astra_Sites_Elementor_Pages();
        $import_data = $import->import( $post_id, $meta );

        wp_send_json_success( $import_data );
    }

An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite.

Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to site takeover.
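To make the two weaknesses in the handler concrete, here is a hardened version of the same AJAX action: the capability check is made per post, and the fetch is restricted to a single expected host. This is an added example, not the plugin’s code or its actual patch; ASSUMED_TEMPLATE_HOST and the function name are placeholders of mine.

```php
<?php
// Added example (not the plugin's code or its real patch): a hardened version
// of the elementor_batch_process handler shown above. ASSUMED_TEMPLATE_HOST
// is a placeholder for wherever the template library actually lives.
const ASSUMED_TEMPLATE_HOST = 'templates.example.com';

function hardened_elementor_batch_process() {
    check_ajax_referer( 'astra-sites', '_ajax_nonce' );

    // The original checked the global edit_posts capability, which every
    // Contributor has. Check the specific target instead: a Contributor may
    // not edit a published page or another user's post, so the overwrite is refused.
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'You are not allowed to edit this post', 403 );
    }

    // The original fetched whatever URL the caller supplied. Require HTTPS and
    // the known template host, and use wp_safe_remote_get(), which also
    // refuses loopback and private addresses.
    $url  = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) || ASSUMED_TEMPLATE_HOST !== $host ) {
        wp_send_json_error( 'Invalid template URL', 400 );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'Template fetch failed', 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    $meta = isset( $data['post-meta']['_elementor_data'] )
        ? json_decode( $data['post-meta']['_elementor_data'], true ) : null;
    if ( empty( $meta ) || ! is_array( $meta ) ) {
        wp_send_json_error( 'Invalid Elementor meta', 400 );
    }

    // The original also let the fetched body flip a site-wide option
    // (elementor_load_fa4_shim). A remote template should not change
    // site settings, so that branch is dropped entirely.
    $import      = new \Elementor\TemplateLibrary\Astra_Sites_Elementor_Pages();
    $import_data = $import->import( $post_id, $meta );
    wp_send_json_success( $import_data );
}
// Assumed wiring, shown for illustration only.
add_action( 'wp_ajax_astra-page-elementor-batch-process', 'hardened_elementor_batch_process' );
```

The per-post `edit_post` check is what closes the privilege gap the advisory describes; the host allowlist and safe fetch additionally stop the handler from being used to pull arbitrary remote content into the site.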

Timeline

October 4, 2021 – Wordfence Threat Intelligence finishes our investigation and releases a firewall rule to protect Wordfence Premium customers. We initiate the disclosure process.
October 5, 2021 – The plugin developer responds and we send over full disclosure.
October 7, 2021 – A patched version, 2.7.1, is released.
November 3, 2021 – The firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post we covered a vulnerability in the “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” plugin that allows lower-privileged users, such as Contributors, to overwrite existing posts and pages with arbitrary blocks containing malicious JavaScript.

Wordfence Premium users have been protected against this vulnerability since October 4, 2021, while sites still running the free version of Wordfence received the same protection 30 days later, on November 3, 2021.

We strongly recommend updating to the latest version of the plugin available immediately, which is 2.7.5 as of this writing, since it contains additional bug fixes.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin appeared first on Wordfence.

Understanding .htaccess Malware

The .htaccess file is notorious for being targeted by attackers. It can be used to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, or modify php.ini values; the possibilities are endless.

Many site owners are unaware of this file, because its name starts with a “.” which makes it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server, since the file allows multiple changes to the web server and its behavior.

Continue reading Understanding .htaccess Malware at Sucuri Blog.

WooCommerce Skimmer Spoofs Checkout Page

Recently a client of ours was reporting a bogus checkout page appearing on their website. When trying to access their “my-account” page an unfamiliar prompt appeared in their browser soliciting credit card billing information:

This form was foreign to our client and had clearly been placed during a website compromise. Interestingly, the website itself doesn’t even accept payments at all. If this was an attempt at a targeted credit card theft infection (as quite a few of them are), then the attackers had best choose more carefully next time!

Continue reading WooCommerce Skimmer Spoofs Checkout Page at Sucuri Blog.
