One of the first steps of any web application security audit is to determine what software is installed, which allows you to search for known vulnerabilities at websites like Bugtraq.

The Weblog Tools Collection blog recently had a post asking readers to guess how many WordPress plugins they had installed, with the prize being a pro account on Flickr.

I’m not a big fan of guessing games, so I thought I would write a simple VuGen script to find the answer.

Using the list of plugins taken from my post on content scraping, I got a list of all the WordPress plugin directories and then wrote code to try all of these under http://weblogtoolscollection.com/wp-content/plugins/.

// Determine which plugins are installed for the WordPress blog at weblogtoolscollection.com
Action()
{
	int http_response_code;
	char* file = "C:\TEMP\output.txt";

	web_custom_request("CheckForPlugin", 
		"URL=http://weblogtoolscollection.com/wp-content/plugins/{PluginDirectory}/", 
		"Method=HEAD", 
		"Resource=1", 
		"RecContentType=text/css", 
		"Referer=http://weblogtoolscollection.com", 
		"Snapshot=t1.inf", 
		LAST);

	// Request will either return a 404 (not found) or a 403 (forbidden)
	http_response_code = web_get_int_property(HTTP_INFO_RETURN_CODE);
	if (http_response_code == 404) {
		// do nothing
	} else if (http_response_code == 403) {
		jds_append_to_file(file, lr_eval_string("Plugin found: {PluginDirectory}n"));
	} else {
		lr_error_message("Unexpected response code %d for %s", http_response_code, lr_eval_string("{PluginDirectory}"));
		jds_append_to_file(file, lr_eval_string("Unexpected response: {PluginDirectory}n"));
	}

	return 0;
}

For the curious, the plugins found were:

  • Akismet (akismet) – Not visible to end-users. Probably enabled, even though WP-SpamFree is also installed. Akismet is awesome.
  • All in One SEO Pack (all-in-one-seo-pack) – Defnitely active, and running version 1.4.91. The name of this plugin is great, but what it actually delivers is definitely underwhelming
  • Bird Feeder (bird-feeder) – Definitely active. This plugin tweets published posts, and the website owner’s twitter feed contains Bird Feeder tweets.
  • Delink Comment Author (delink-comment-author) – Probably inactive. I can’t believe that anyone would run such a useless plugin.
  • FeedStats (feedstats-de) – Not visible to end-users. Probably enabled.
  • Google XML Sitemaps (google-sitemap-generator) – Definitely enabled. This is an excellent plugin.
  • Highlight Author Comments (highlight-author-comments) – Definitely enabled. This can be seen in other posts
  • HTML Purified (html-purified) – This plugin is a comments filter. I could test for this, but can’t be bothered. Probably enabled.
  • Moderation Notify Author (moderation-notify-author) – Not visible to end-users. Probably enabled, as this is a multi-editor/contributor blog.
  • MoFuse WordPress Plugin (mofuse) – This plugin creates a mobile version of your blog. I could test for this, but can’t be bothered. Probably enabled.
  • Ozh’ Who Sees Ads (ozh-who-sees-ads) – probably enabled.
  • RSS Footer (rss-footer) – I think this is disabled as I can’t see anything that has obviously been added to the start/end of each post in the RSS feed.
  • ShareThis (share-this) – Definitely active. I really like this plugin
  • Simple Tags (simple-tags) – Probably active.
  • WordPress.com Stats (stats) – I don’t think this is active, as I can’t see the JavaScript in the HTML page.
  • Subscribe to Comments (subscribe-to-comments) – Definitely active. This is shown in the comment form.
  • Tweetbacks (tweetbacks) – Definitely active. This is shown at the bottom of every post.
  • What Would Seth Godin Do (what-would-seth-godin-do) – I think that this is inactive.
  • WordPress Thread Comment (wordpress-thread-comment) – I’m sure that WordPress does threaded comments by default now. Probably disabled.
  • WP Ajax Edit Comments (wp-ajax-edit-comments) – I think that this is disabled.
  • WPBook (wpbook) – Ebmeds your blog in your Facebook page. Can’t be bothered checking. Probably enabled.
  • WP-Cache (wp-cache) – Probably enabled.
  • WP-DB-Backup (wp-db-backup) – Probably active, and probably allows anyone to guess the filename of the backup and download a copy of the site’s database.
  • WP-PostRatings (wp-postratings) – Definitely active, and running version 1.40.
  • WP-SpamFree Anti-Spam (wp-spamfree) – This plugin tries to let only user-agents that can execute JavaScript submit comment. It appears to be disabled.
  • WP Tuner (wptuner) – Might be enabled.
  • Yet Another Related Posts Plugin (yet-another-related-posts-plugin) – Active. Post pages have related posts displayed.
  • Hello Dolly (hello.php) – Not visible to end-users. Probably disabled. I don’t know why WordPress still ships with this.

Total plugins: 28
Active plugins: 20
Deactivated plugins: 8

I haven’t bothered to check if any of these plugins have known security vulnerabilities.

 

Published On: May 16, 2009Tags: ,

3 Comments

  1. GP June 1, 2009 at 6:31 am - Reply

    Of course, this depends on the assumption that they are only using plugins that are listed at wordpress.org. On my site I use a bunch of custom plugins that wouldn’t show up with this technique.

  2. Sachin November 24, 2011 at 4:04 pm - Reply

    Good read. I hope you keep it updating.

  3. Shaheen August 10, 2012 at 8:33 pm - Reply

    I found this technique useful, but this means that I should have access to the concerned website so that I can upload the script and find out which plugins a website uses. Isn’t there anyway I can find the plugins used by a website so that I don’t have to look through the source code?

Leave A Comment