WordPress Blogs using Vistered Little are being targeted by hackers

Over the last two days the number of 404s on my site increased significantly. Further investigation revealed attempts to access unusual URLs in order to read files that should not be accessible from the web.

It appears that skins/common.css.php is vulnerable.

This file exists in that location in 1.6a and in the theme’s root directory in 1.7.0 through 1.7.2. It does not exist in the current version, 1.7.3.

It is strongly recommended that anyone using Vistered Little 1.6a through 1.7.2 upgrade to 1.7.3 ASAP.

Update: 2007.05.30

Apparently this exploit was discovered two days ago:

Update: 2007.05.31

Now that we’ve done our best to let everyone who is vulnerable know about the problem, it’s time to sit down and examine the exploit. Let’s have a look at the offending file:

The problem is, apparently, that bit at the end:

@readfile( $skin . '.css' );

$skin is set from a request parameter, so by changing the request parameter you can read any file ending in ‘.css’. What this exploit tries to do is set $skin to the path of the file they want to read, with a null character appended, so that readfile ignores the ‘.css’ suffix. The following code is a simplified (no request parameters) example of what they are trying to do:

@readfile( "path/somefile" . pack( "@" ) . '.css' );

pack( "@" ) returns a null character.
If you put this code in a PHP file, you’ll find that it outputs the contents of “path/somefile”, not “path/somefile.css”.
When common.css.php is being exploited, they are trying to set $skin to "path/somefile" . pack( "@" ).
Apparently the pack( "@" ) part can be achieved by adding “%00” after “path/somefile”. Sure enough, the output from

urlencode( "path/somefile" . pack( "@" ) )

is “path/somefile%00”; however, when I tried this with

common.css.php?skin=path/somefile%00

$skin gets set to path/somefile\0. I could not find any way to correctly embed the null in the query string after the filename. Perhaps the L33T HaX0R Mahmood_ali (why the email link? someone’s got to feed the email harvesting bots), who is credited with finding this exploit, can let us know.
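As an added example that is not part of the original post or of the theme’s own code, here is the readfile() pattern described above beside a hardened version of the same handler. The function names, the ./skins directory layout and the 'default' fallback are assumptions.

```php
<?php
// Added example (not the theme's code). Layout assumed: skins live in ./skins.

// --- Vulnerable pattern, as described in the post ---
// $skin comes straight from the request and '.css' is appended. In the PHP
// versions of the day a NUL byte in $skin truncated the path at the C level,
// so readfile() served the file named before the NUL and ignored '.css'.
// The '@' also hides the warnings that would otherwise show up in the logs.
function serve_skin_vulnerable(string $skin): void {
    @readfile( $skin . '.css' );
}

// --- Hardened replacement ---
// Accept only a plain skin name, resolve it inside the skins directory and
// confirm the resolved path is still inside that directory before reading.
function resolve_skin(string $skin, string $skinsDir): ?string {
    // No NUL bytes, slashes or dots: only a bare name of bounded length.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $skin)) {
        return null;
    }
    $base = realpath($skinsDir);
    $path = realpath($skinsDir . DIRECTORY_SEPARATOR . $skin . '.css');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so re-check the prefix after resolution.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path) || substr($path, -4) !== '.css') {
        return null;
    }
    return $path;
}

function serve_skin_hardened(string $skin, string $skinsDir): void {
    $path = resolve_skin($skin, $skinsDir);
    if ($path === null) {
        // A refused name is answered with a 404, so probes like the ones in the
        // post still stand out in the access log without leaking why.
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/css');
    readfile($path);
}

serve_skin_hardened($_GET['skin'] ?? 'default', __DIR__ . '/skins');
```

The regular expression alone already blocks the null-byte and traversal inputs the post discusses; the realpath() prefix check is defence in depth against a later change that loosens the name rule.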