Mass Mailing SPAM From a Good File

We often find code that is developed with good intent but the security aspects of it are not always taken into consideration.

During a routine cleanup investigation we found a php script in a theme that used mail capabilities without any type of security check or direct access prevention. Because of that, attackers would be able to abuse such features and send mass SPAM.

This script is part of one premium WordPress theme and here is a snippet of it (with comments removed):

$to = htmlspecialchars( stripslashes( trim( $_POST['To'] ) ) );$name = htmlspecialchars( stripslashes( trim( $_POST['Name'] ) ) );$email = htmlspecialchars( stripslashes( trim( $_POST['Email'] ) ) );$message = htmlspecialchars( stripslashes( trim( $_POST['Message'] ) ) );$subject = htmlspecialchars( stripslashes( trim( $_POST['Subject'] ) ) );$headers = 'From: '. $name .' <'. $email .'>';//$subject .= ', from: ' .$name ;if( @mail( $to, $subject, $message, $headers ) ){    echo json_encode( array(        'status' => 'ok' ));   } else {  echo json_encode( array(        'status' => 'error'  ));   }

As you can see, it sends emails using the data provided in POST parameters. And although it is meant to work as a part of the theme, it can be easily used as a stand-alone script bypassing all security checks made in other theme files.

This theme is not the only one that has such a vulnerability. If you develop themes / plugins and they include files that shouldn’t be used outside of the original theme or plugin, consider this trick to prevent direct access to the files. The following code can be added at the top of the files after the php tags:

if ( basename($_SERVER['PHP_SELF']) == basename(FILE) ) {  die('Access Denied'); }

This post demonstrated just one of many security issues that could be caused by poor coding practices. Extension developers should alway remember that if their software becomes even moderately popular hackers immediately start looking for ways to abuse it.