On Monday the 7th a friend of mine gave me a link to htmltowordpress.io, just to test the conversion tool.
htmltowordpress.io is a service that converts a full HTML website into a WordPress theme, in one step!
So I took a look and immediately wondered how the parsing could be done correctly enough to avoid flaws.
Try again.
My first tests were simply to display alert boxes using JavaScript, but that can't count as a flaw: when htmltowordpress.io shows you the result, it is a completely fresh install of the latest version of WordPress with the user "friend" as admin.
This installation has the minimum required security: nobody can add a theme or plugin, nor update or edit an existing plugin or theme. Neat.
Then I tried to add PHP code to my HTML using <?php
or <?/**/php
or <?<script>php
you know, in case a bad replace treatment was present ...
You win
And there was one. ONE and only one bad pattern that could lead to PHP execution from an HTML file, and I found it:
<script><?= ABSPATH; ?></script>
The PHP short tags were allowed, but ONLY inside a script tag. Here is a video showing it live:
This only displays the ABSPATH constant from WordPress, but the tag is executed server-side, so you can put any PHP you want in it, and that can be very dangerous. Of course, being able to write PHP code into a website IS dangerous.
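To make the failure mode concrete, here is an added example (my own code, not htmltowordpress.io's converter, whose source I have not seen). The "naive" filter is an assumption reconstructing the behaviour the post describes: every "<?php"-style open tag is removed, including ones with junk between "<?" and "php", but the short echo tag "<?=" is never looked for. That is a fatal gap because "<?=" is recognised by PHP regardless of the short_open_tag setting (since PHP 5.4), so the moment the filtered HTML is written into a .php theme file, PHP executes whatever follows it. The hardened filter neutralises every "<?" by having PHP itself print the two characters, and php_segments() approximates PHP's lexer to show exactly which segments of the generated template would run. The sample HTML is constructed for the example.

```python
import re
from typing import List

# Constructed sample: a user-supplied HTML page carrying the payload from the post
# plus two of the "<?php" variants the post says were blocked.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Theme</title>
<?php echo 'blocked'; ?>
<?/**/php echo 'blocked too'; ?>
</head><body>
<script><?= ABSPATH; ?></script>
<p>Hello</p>
</body></html>"""

# ASSUMPTION: a reconstruction of the kind of filter the post implies. It strips
# "<?php" even when whitespace, a /* comment */ or a tag sits between "<?" and
# "php", but it never matches the short echo tag "<?=".
NAIVE_OPEN_TAG = re.compile(r"<\?(?:\s|/\*.*?\*/|<[^>]*>)*php\b",
                            re.IGNORECASE | re.DOTALL)


def naive_filter(html: str) -> str:
    """Remove '<?php'-style open tags only (the insufficient approach)."""
    return NAIVE_OPEN_TAG.sub("", html)


# Hardened approach: any "<?" is a potential PHP open tag once the file is saved
# as .php ("<?php", "<?=" and, with short_open_tag=On, bare "<?"). Instead of
# guessing which spellings PHP accepts, let PHP print the literal "<?" itself, so
# the browser still receives the original bytes but PHP never sees user code.
MARKER = "<?php echo '<?'; ?>"


def hardened_filter(html: str) -> str:
    """Neutralise every '<?' in user HTML before it is written into a .php template."""
    return html.replace("<?", MARKER)


def php_segments(template: str) -> List[str]:
    """Approximate PHP's lexer: each '<?' opens a code segment that ends at the
    next '?>' (or end of file). Returns the segments PHP would execute, which is
    what a reviewer of the generated theme file actually needs to know."""
    segments = []
    pos = 0
    while True:
        start = template.find("<?", pos)
        if start == -1:
            break
        end = template.find("?>", start + 2)
        if end == -1:
            end = len(template)
        segments.append(template[start:end + 2])
        pos = end + 2
    return segments


if __name__ == "__main__":
    print("naive filter leaves PHP to run:", php_segments(naive_filter(SAMPLE_HTML)))
    print("hardened filter leaves only the escape marker:",
          set(php_segments(hardened_filter(SAMPLE_HTML))))
```

Run stand-alone, the script shows that the naive filter still hands "<?= ABSPATH; ?>" to PHP while every segment left by the hardened filter is the harmless marker. The deeper fix is architectural: a converter that never inlines untrusted markup into a file PHP will interpret (for example storing the user's HTML in a data file the theme reads and outputs with escaping) removes the whole class of problem rather than one pattern at a time.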
Game Over
So within the hour after my discovery and tests I contacted the htmltowordpress.io team, and they fixed the flaw within hours.
Now htmltowordpress.io is more secure than it was yesterday! Try the service now at htmltowordpress.io!