Avoid WP Sand Box and HQ Sand Box

It is sad that the first post for 2012 is exposing a spammer and security flaw, but it must be done. Today’s lesson in poor Internet etiquette and poor security awareness is WordPress.org user robinruet, promoter of Invenesys’ WP Sand Box plugin. Around the turn of the new year, robinruet went through the WordPress.org forums and replied to several support topics with the same post promoting the WP Sand Box plugin. These posts were all off topic, and on several occasions robinruet somehow managed to set the issue as resolved. The good news is his posts were deleted, along with his two plugins.

But, this post isn’t about the robinruet, who is an interesting character, and possibly a hacked account (it started spamming a Google +1 click jacking plugin). This is about WP Sand Box and why you should not use it.

WP Sand Box is quite small, only 311 lines in length, and contains only 2 options. However, the plugin still has a few glaring security flaws, and fails to obey some best practices for WordPress plugin development. Let’s start with the broken best practices.

The plugin does not have a consistent function name prefix to act as a method of namespacing. There is the possibility that this plugin could conflict with other plugins should another plugin provide similarly named functions. Functions such as rrmdir and full_copy are the two with the highest probability of having a function name collision.

The plugin also deletes options on deactivation. This is really a neither here nor there thing, but the uninstall facilities should be used instead.

After a little digging, I found this plugin is sort of a fork of HQ Sand Box, with really only one change. This change is a somewhat nefarious one. Line 153, contains:
echo base64_decode("CQk8L3A+DQoJPC9mb3JtPg0KCTxmb3JtIGFjdGlvbj0iYWRtaW4ucGhwP3BhZ2U9U2FuZCBCb3giIG1ldGhvZD0icG9zdCIgPg0KCQk8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJiYWNrdXB0aGVtZSIgPg0KCQk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iQmFjayBVcCBZb3VyIExpdmUgVGhlbWUiIC8+DQoJPC9mb3JtPg0KCTwhLS1UaGVtZSBTd2l0Y2hpbmcgb3B0aW9uIGVuZCBoZXJlLS0+DQo8L2Rpdj4NCjxkaXY+DQoJDQoJPGlmcmFtZSBzcmM9Imh0dHA6Ly93d3cuaW52ZW5lc3lzLmNvbS9hZC5odG1sIiB3aWR0aD0iNDUwcHgiIGhlaWdodD0iMjUwcHgiPg0KCQkNCgkJDQoJCQ0KCQkNCgk8L2lmcmFtZT4NCgkNCjwvZGl2Pg==");


Our good old friend base64_decode, using it in this way to obfuscate code is a bannable offense (in fact the plugin was removed today). What was actually being echoed? Decoding the base64 encoded data yields:
</p>
</form>
<form action="admin.php?page=Sand Box" method="post" >
<input type="hidden" name="backuptheme" >
<input type="submit" value="Back Up Your Live Theme" />
</form>
<!--Theme Switching option end here-->
</div>
<div>
<iframe src="http://www.invenesys.com/ad.html" width="450px" height="250px">
</iframe>
</div>
Well, what do we have here? An iframe, serving up an advertisement not seen in the original HQ Sand Box plugin. This may be benign at the moment, but the author could easily change it to be something more malicious (e.g. serve up some auto installing malware on ad.html).

Now, the real reason you should not use WP Sand Box or HQ Sand Box is a security issue in it. These are lines 24 through 33 in WP Sand Box and lines 26 through 36 in HQ Sand Box.

if (isset($_POST['delete_theme'])) {
$dtheme = $_POST['delete_theme'];
$dtheme = str_replace("_", "", $dtheme);
// echo "<script type="text/javascript">// <![CDATA[
alert('" .$dtheme."')
// ]]></script>";
$rty = get_theme_root() . "/";
$dir = $rty . $dtheme;
rrmdir($dir);
// echo "<script type="text/javascript">// <![CDATA[
alert('" .$dir."')
// ]]></script>";
}

So, this code is meant to be used to delete a theme that is no longer needed as part of the plugin. However, this code is not protected in any manner. It does not check if the user is logged in, or has sufficient privileges. There really should be a nonce check here to ensure that the user actually made the request to delete the theme as well. A malicious individual could delete every theme in a WordPress install with this plugin installed and enabled. This would take down a site until the theme could be restored.

The good news is both WP Sand Box and HQ Sand Box have been removed from the WordPress.org plugins repository. However, their SVN repositories exist. If you are using either of these plugins, I would suggest disabling it, or only using it on non-publicly accessible WordPress installs (local installs or a local testbed).

-John Havlik

[end of transmission, stay tuned]