
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Hackers trying to execute s2Members-o-.php


This topic contains 5 replies, has 3 voices. Last updated by Suhaib Siddiqi 4 years, 2 months ago.

Posted: Friday Oct 5th, 2012 at 8:08 am #27569

I noticed that for the past few days some hacker from Thailand has been trying to execute s2member-o.php and the s2Member CSS remotely. ZB Block from spambotsecurity.com had blocked the attempts. I thought I would post a note on this forum so possible vulnerabilities can be investigated.
Below is a snippet from the ZBBlock log file.

#: 234 @: Fri, 05 Oct 2012 02:22:00 -0500 Running: 0.4.10a1

Host: ppp-110-168-252-42.revip5.asianet.co.th

IP: 110.168.252.42

Score: 1

Violation count: 2 

Why blocked: Bothost / Fake ISP (HN-040). 

Query: ws_plugin__s2member_css=1&qcABC=1&ver=120703-120703-1629152630

Referer: http://www.shaadiconnections.com/

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.3)

Reconstructed URL: http:// www.shaadiconnections.com /wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_css=1&qcABC=1&ver=120703-120703-1629152630

Posted: Saturday Oct 6th, 2012 at 7:23 am #27638

Thanks Suhaib!

Jason took care not to leave vulnerabilities in the script, but I’ll report this to him so he can review it once more if needed. :)

Posted: Saturday Oct 6th, 2012 at 7:33 am #27641

Thanks Cristian,

I noticed in the log file that a couple of Russian hackers also tried the same query remotely. Looks like some hackers know something about it? Anyway, I feel safe, because ZBBlock instantly bans anyone who tries to execute queries remotely.

Posted: Sunday Oct 7th, 2012 at 11:39 am #27722

I did a little search on this issue. This issue was discussed on your free plugin public forum in 2011 Q1. Anyone can execute http://www.example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=120703-120703-1784216801
It shows data in the browser; even though it is not sensitive but public, logged-out users should not be able to see it in the browser by executing a remote query. It gives hackers an option to look for exploitable loopholes, and it also displays the email address, which spammers collect to spam. This should be fixed.

Posted: Monday Oct 15th, 2012 at 11:42 pm #28489
Staff Member

Thanks for the heads up on this thread.

Regarding s2member-o.php. This file has one job, and that is to load the WordPress framework with ONLY the s2Member plugin, and not with any other plugins running. This allows s2Member to load its dynamic JavaScript/CSS files through WordPress, but without the lag associated with other plugins/themes running on a site. This is an important feature to keep your site efficient in modern browsers.

As for security issues. There are no security issues that I’m aware of. In practice, loading s2member-o.php is very much the same as loading the index.php file that ships with WordPress. It has the ability to load WordPress for logged-in users, and also for the public; this is by design.

If you have found a security issue with s2member-o.php, please report the specifics of that issue, indicating the way in which your site was hacked, and what data was compromised, and how.

Posted: Tuesday Oct 16th, 2012 at 9:00 am #28522

Jason,

I am not aware of specific security issues. However, I do see hacking attempts on a daily basis from China, India, Russia and Ukraine. All of those hackers try the string http://www.example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=120703-120703-1784216801. Therefore, I assume that there is something known to hackers about it. I have ZBBlock from spambotsecurity.com installed, which blocks these kinds of remote queries. My ZBBlock log files have over 100 of these queries from various hackers.


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
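
For triaging records like the ZBBlock snippet in the first post, the following is an added example (not code from this thread, from s2Member or from ZBBlock). It parses one record in that layout and reports which of the two asset parameters quoted in the thread was requested, whether the Referer host matches the requested host, and which rule id fired. The sample record, its host names and the documentation-range IP are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two asset parameters quoted in this thread.
ASSET_PARAMS = ("ws_plugin__s2member_css", "ws_plugin__s2member_js_w_globals")

# Constructed record in the layout of the ZBBlock snippet above (not real traffic).
SAMPLE = """\
#: 1 @: Fri, 05 Oct 2012 02:22:00 -0500 Running: 0.4.10a1
Host: host.example.net
IP: 203.0.113.7
Why blocked: Bothost / Fake ISP (HN-040).
Query: ws_plugin__s2member_css=1&qcABC=1&ver=0
Referer: http://www.example.com/
Reconstructed URL: http:// www.example.com /wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_css=1&qcABC=1&ver=0
"""

def parse_record(text):
    """Split the 'Key: value' lines of one record into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and not line.startswith("#:"):  # skip the record header line
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Summarise what was requested and which rule fired."""
    # The snippet shows the URL with spaces around the host; drop them to parse.
    url = urlsplit(fields.get("Reconstructed URL", "").replace(" ", ""))
    params = parse_qs(fields.get("Query", ""), keep_blank_values=True)
    referer_host = urlsplit(fields.get("Referer", "")).hostname
    # Rule id in parentheses, as in "(HN-040)" in the snippet.
    rule = re.search(r"\(([A-Z]+-\d+)\)", fields.get("Why blocked", ""))
    return {
        "targets_loader": url.path.endswith("/s2member-o.php"),
        "asset": next((p for p in ASSET_PARAMS if p in params), None),
        # Referer is client-supplied, so treat this as a hint only.
        "same_site_referer": referer_host is not None and referer_host == url.hostname,
        "rule": rule.group(1) if rule else None,
    }

if __name__ == "__main__":
    print(triage(parse_record(SAMPLE)))
```

A record with an asset parameter and a same-site Referer has the shape of a page view fetching the site's own stylesheet or script through s2member-o.php, and the rule field shows which check produced the block.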
