Author: Rodrigo Escobar

A few weeks ago, we posted a lab notes describing a good theme file being exploited by attackers to send mass-mailing SPAM (https://labs.sucuri.net/?note=2016/08/15 0:00). Upon further investigation, we identified that attackers have been exploiting this issue for quite awhile and apparently under the radar.

The lack of security checks in that particular file allows the attackers to send as many emails as they would like to, depending on server’s configurations/limitations. To make matters worse, the code had been implemented throughout different themes developed by the same company.

The issue is located within the file ‘functions/theme-mail.php’ and can be found in older versions of the following premium themes:

bretheon, doover, fingerprints, kora, lawcenter_two,mfl, pindol, tisson, almet, caffeine, nollie, limuso

The consequences of using those old versions vary - from having your website suspended by the hosting company, or getting the mail server blacklisted.

We didn’t have access to all versions of those themes to determine when a patch had been applied, but if you identify the same snippet as we have in the labs sucuri notes, we highly recommend adding the following code after your opening php tags to prevent direct access to the file and further exploitation:

if ( basename($_SERVER['PHP_SELF']) == basename(__FILE__) ){die('Access Denied');}

If you’re a customer on the Sucuri Firewall you are already patched via our virtual patching engine.

We often find code that is developed with good intent but the security aspects of it are not always taken into consideration.

During a routine cleanup investigation we found a php script in a theme that used mail capabilities without any type of security check or direct access prevention. Because of that, attackers would be able to abuse such features and send mass SPAM.

This script is part of one premium WordPress theme and here is a snippet of it (with comments removed):

$to = htmlspecialchars( stripslashes( trim( $_POST['To'] ) ) );$name = htmlspecialchars( stripslashes( trim( $_POST['Name'] ) ) );$email = htmlspecialchars( stripslashes( trim( $_POST['Email'] ) ) );$message = htmlspecialchars( stripslashes( trim( $_POST['Message'] ) ) );$subject = htmlspecialchars( stripslashes( trim( $_POST['Subject'] ) ) );$headers = 'From: '. $name .' <'. $email .'>';//$subject .= ', from: ' .$name ;if( @mail( $to, $subject, $message, $headers ) ){    echo json_encode( array(        'status' => 'ok' ));   } else {  echo json_encode( array(        'status' => 'error'  ));   }

As you can see, it sends emails using the data provided in POST parameters. And although it is meant to work as a part of the theme, it can be easily used as a stand-alone script bypassing all security checks made in other theme files.

This theme is not the only one that has such a vulnerability. If you develop themes / plugins and they include files that shouldn’t be used outside of the original theme or plugin, consider this trick to prevent direct access to the files. The following code can be added at the top of the files after the php tags:

if ( basename($_SERVER['PHP_SELF']) == basename(FILE) ) {  die('Access Denied'); }

This post demonstrated just one of many security issues that could be caused by poor coding practices. Extension developers should alway remember that if their software becomes even moderately popular hackers immediately start looking for ways to abuse it.

Early this morning we got complaints from our clients mentioning that Norton was flagging Helpscout, a Help Desk System.

Some of the pages were triggering this warning

Upon a quick check at Norton Safe Web, we can clearly see that a few files (4) were flagged by them

We tried accessing those to see if there was indeed any malicious content in it but all of them led to a 404 - Not Found page. With that being said, all we can do at the moment is wait for Helpscout to ask Norton to review the Blacklisting status.