Fancybox WordPress plugin reveals zero day affecting thousands

A WordPress plugin downloaded half a million times has been used in zero day attacks that served up malware. The plugin in question is called FancyBox and creates a lightbox-like interface with which to look at images. It's been used by unknown actors to deliver a malicious iframe through a persistent cross-site scripting …

  1. Anonymous Coward

    The same principle applies as to services

    To keep a WP site reasonably safe without too much hassle:

    1 - do not install plugins and themes you don't need. Like services on a server, all you do is enlarge the attack surface. Keep it simple, and as bare as possible.

    2 - do not use defaults for admin name as well as admin login path - from what I have seen so far in my logs, it's about the first thing an automated script tries (the next test is usually the admin path for a Joomla site). The simplest way to achieve this is to install one of the few plugins you ought to have, All in one WP security. It works, and it guides you through cleaning up your site. Be careful with auto-lockup of the front door, though, someone can use this for a Denial of Service on your admin ability.

    3 - install a one time password (OTP) system like Google Authenticator. A lot of WP sites don't run SSL, which means that an admin login can be captured in transit. Using an OTP means you add a second password to the logon that changes every 30 seconds. I used the WP Google Authenticator plugin by Julien Liabeuf, but there are a few out there. No worries about Google backdoors, by the way, this is an RFC standard based protocol. Search for "Gauth" if you want other instances of this (the project lives on Github). The "Google authenticator" app which you need to generate the numbers to enter is freely available for iOS and Android, possibly for other platforms too.

    4 - do your maintenance (update, review log files and make backups). As I'm loath to provide data to Google I use Counterise, which provides me with insight what sort of attempts have been made to break the site. If they frequently come from one location I blacklist it (resources for that can be found in that All in one WP Security plugin).

    Once you've done 1..3 you ought to be quite safe, especially if your site doesn't allow comments.

    1. SolidSquid

      Re: The same principle applies as to services

      While this is generally true, a lightbox plugin is simple enough that most people would assume it was perfectly safe, plus many clients want a lightbox of some kind so something like this becomes a necessity

    2. Anonymous Coward

      Re: The same principle applies as to services

      While this is good advice, from what I have seen of WordPress sites in companies, the general life cycle is:

      1. Install it for urgent requirement X. As the requirement is urgent, typically the hosting will be done via a third-party with management systems outside of IT's control.

      2. Use it for a few months

      3. Forget about it until it is compromised. As a corporate domain name was used, site is traced back to company and someone is notified.

      4. Panic.

      5. Fix issues and discuss shutting site down or bringing in-house but don't take any further action.

      6. Go to 3.

      1. Anonymous Coward

        Re: The same principle applies as to services

        Aye, and then there's the added catch where #1 can't be fixed by adding X to existing systems because #3-5 eat all the spare time.

        Being there, doing that, boss won't let me have a "eff-off, you can't have it" t-shirt.

    3. Cipher

      Re: The same principle applies as to services

      Excellent advice...

  2. Gant

    http://bazaar.launchpad.net/~vcs-imports/fancybox-wp/trunk/view/head:/fancybox.php#L344

    At least it seems to require a person logged in to WP to load the offending URI.

  3. Anonymous Coward

    So um does this mean the WP Fancy Box *php* component is borked, or the Fancy Box *js* ?

    I use the plug in on a site but it ain't a WP site, no sir.

  4. Hans 1

    I appreciate the instructions for users of WP - great job ... one thing I do not understand is the relationship between RFCs and backdoors ... there is none.

    RFCs usually define a standard or protocol etc.; it is when you implement the feature described in the RFC that you can add your backdoors. So RFC means nothing ... an FTP server, for example, could log usernames/passwords in plain text and send them to the vendor's servers. The FTP server can still implement all features in RFC 959.

    1. Anonymous Coward

      @ Hans 1

      > I appreciate the instructions for users of WP - great job ... one thing I do not understand is the relationship between RFCs and backdoors ... there is none.

      Where did RFCs come into the discussion?

    2. Anonymous Coward

      There seems to be a general concern with the data slurping ways of Google that makes anything they bring out "for free" a target for suspicion. In this case, an established RFC defines how the thing ought to work, meaning that people with competence can go over the code and spot if weird stuff is happening. As we know from some recent nasties in Open Source, that doesn't always happen but at least the potential is there.

      Having said that, it would not really matter unless Google also managed to acquire the actual static site password, which you need in addition to the OTP. The only way that could be grabbed would be through interfering with the admin resources to capture it in cleartext when a new one is entered - the database only stores the hash value so that would be of no use (you'll discover that if you ever have to reset the site admin password with phpMyAdmin). However, the plugins on the server end are not by Google (and, as far as I can tell, don't reach that deep), so you can put paranoia to rest for a bit.

      In general, I rather like OTP. It's stupidly simple to implement (in Joomla it appears to be even part of the main code), it's very easy to use and it just works. Given that it costs nothing it seems a good thing to implement - I wish that wordpress.com added it as well (maybe it actually has, haven't been there for a while).

  5. Seanie Ryan

    I wonder

    "It's been used by unknown actors to deliver a malicious iframe"

    I bet it's Bruce Willis.... ;-) Happy Friday
