Vulnerability Found in Web Hosts iPage, FatCow, PowWeb, and NetFirm

Wordfence recently revealed a vulnerability affecting four hosting companies. Although the issue has been patched, Wordfence cautions that some sites might have been compromised before the fix was implemented.

The server settings permitted hackers to create WordPress administrator accounts, allowing them to exploit sites with malicious code inserted into the WordPress theme.

Wordfence advised site administrators to inspect their sites for unauthorized administrator accounts if their sites are hosted on iPage, FatCow, PowWeb, or NetFirm. These four companies are owned by Endurance International Group.

Details of the Server Vulnerability

The servers in question had permission and file settings that enabled attackers to view sensitive files. Other vulnerabilities allowed the attackers to access the database, grant themselves administrator privileges, and, consequently, take control of the site.

Wordfence detailed the vulnerability as follows:

"Four conditions existed that contributed to this vulnerability:

  1. Customer files are all stored on a shared file system.
  2. The full path to a user’s web root directory was public or could be guessed.
  3. All directories in the path to a customer’s site root directory were either world-traversable or group-traversable, and the sensitive files were world-readable or group-readable.
  4. An attacker could cause a program running in the group www to read files in arbitrary locations."
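Condition 3 is the one a site owner can check from their own account. The following added example (not code from Wordfence or the hosting companies) walks the directories above a sensitive file and reports, separately for the group and other permission classes, whether every directory is traversable and the file is readable. The choice of `wp-config.php` as the sensitive file, the `customer1/public_html` layout and the tightened modes are assumptions made for the demonstration; the check reads mode bits only and ignores group ownership and ACLs.

```python
import os
import stat
import tempfile

def audit_exposure(sensitive_file, stop_at="/"):
    """Per permission class, report whether the path to the file is
    traversable end to end and the file itself is readable."""
    target = os.path.realpath(sensitive_file)
    stop_at = os.path.realpath(stop_at)
    dirs, current = [], os.path.dirname(target)
    while True:  # collect directories from the file up to stop_at
        dirs.append(current)
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    result = {}
    for cls, xbit, rbit in (("group", stat.S_IXGRP, stat.S_IRGRP),
                            ("other", stat.S_IXOTH, stat.S_IROTH)):
        blockers = [d for d in dirs if not os.stat(d).st_mode & xbit]
        readable = bool(os.stat(target).st_mode & rbit)
        result[cls] = {"blocking_dirs": blockers, "file_readable": readable,
                       "exposed": readable and not blockers}
    return result

def demo():
    """Constructed tree standing in for a shared-hosting layout."""
    with tempfile.TemporaryDirectory() as root:
        account = os.path.join(root, "customer1")
        webroot = os.path.join(account, "public_html")
        os.makedirs(webroot)
        cfg = os.path.join(webroot, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        # Weak: group members can traverse every directory and read the file.
        os.chmod(account, 0o750)
        os.chmod(webroot, 0o750)
        os.chmod(cfg, 0o640)
        weak = audit_exposure(cfg, stop_at=account)
        # Tightened for comparison (the page does not describe the hosts' fix).
        os.chmod(webroot, 0o700)
        os.chmod(cfg, 0o600)
        hardened = audit_exposure(cfg, stop_at=account)
    return weak, hardened

if __name__ == "__main__":
    for label, report in zip(("weak", "hardened"), demo()):
        print(label, report)
```

On a real account, call `audit_exposure` with the path to the site's own configuration file and leave `stop_at` at its default so every directory up to the filesystem root is checked.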

Potential for Site Exploitation

Wordfence warned that during the period before the vulnerability was resolved, sites hosted on these providers could have been compromised.

Site owners are advised to review their user lists for unauthorized administrators. If a site was affected, rogue code might have been added to its theme.

Wordfence described the rogue code as follows:

"If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:"

Resolution of the Vulnerability

Wordfence reported the vulnerability to the hosting companies before making the details public. The hosting companies acted swiftly to address and rectify the vulnerabilities.

Despite the fix, Wordfence suggests checking for unauthorized admin-level accounts and inspecting the header.php file for any rogue code.

The entire announcement is available on the Wordfence blog.

Images by Shutterstock, Modified by Author
