On Monday the 7th, a friend of mine gave me a link to htmltowordpress.io, just to test the conversion tool.
htmltowordpress.io is a service that converts a full HTML website into a WordPress theme, in 1 step!
So I had a look and immediately wondered how the parsing could have been done correctly to avoid flaws.
The installation has the minimum required hardening: nobody can add a theme or plugin, nor update or edit an existing plugin or theme. Neat.
Then I tried to add PHP code to my HTML using
<?<script>php you know, in case a bad replace treatment was present …
And there was one. ONE and only one bad pattern that could lead to PHP execution from an HTML file, and I found it:
<script><?= ABSPATH; ?></script>
PHP short tags were allowed, but ONLY inside a script tag. Here is a video showing it live:
This only displays the ABSPATH constant from WordPress, but you can use whatever you want, and that can be very dangerous. Of course, writing PHP code into a website IS dangerous.
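To make the defensive point concrete, here is an added example (my own Python, not the service's code; how htmltowordpress.io is really implemented is unknown to me and only modelled here). A converter that writes user-supplied HTML into a .php theme file must neutralise every PHP open tag in that HTML, in every context. The naive_convert function models the flaw described above, escaping tags in ordinary markup but copying <script> bodies through untouched; hardened_convert escapes everywhere; and contains_php_open_tag is the final gate, run over the generated PHP text rather than the input. The escape rewrites '<?' as a tiny PHP echo, so the rendered page stays identical for visitors while the file on disk never contains an executable open tag.

```python
import re

# Rewriting a user-supplied '<?' as PHP that prints '<?' at render time keeps the
# visitor-facing page byte-identical while the generated .php file never contains
# an open tag PHP could execute. (Constructed marker, one of several possible.)
PHP_LITERAL = "<?php echo '<?'; ?>"

# Matches a <script> element with its body; DOTALL so multi-line bodies are covered.
SCRIPT_BLOCK = re.compile(r"(<script\b[^>]*>)(.*?)(</script>)", re.IGNORECASE | re.DOTALL)


def escape_php_tags(text: str) -> str:
    """Replace every '<?' with PHP_LITERAL.

    PHP discards the single newline that immediately follows '?>', so when the
    original '<?' was followed by a line break, that break is emitted twice to
    keep the rendered output unchanged.
    """
    return re.sub(
        r"<\?(\r?\n)?",
        lambda m: PHP_LITERAL + (m.group(1) * 2 if m.group(1) else ""),
        text,
    )


def naive_convert(html: str) -> str:
    """Model of the flawed behaviour (an assumption about the tool, not its code):
    PHP tags are escaped in ordinary markup, but <script> bodies pass through
    verbatim, so '<script><?= ABSPATH; ?></script>' reaches the .php file intact."""
    parts, last = [], 0
    for m in SCRIPT_BLOCK.finditer(html):
        parts.append(escape_php_tags(html[last:m.start()]))
        parts.append(m.group(1) + m.group(2) + m.group(3))  # body left untouched
        last = m.end()
    parts.append(escape_php_tags(html[last:]))
    return "".join(parts)


def hardened_convert(html: str) -> str:
    """Escape '<?' everywhere, regardless of which element it sits in."""
    return escape_php_tags(html)


def strip_script_tags(html: str) -> str:
    """Helper modelling a converter that drops <script> tags; used to show why
    the final gate must run on the finished output, after every transformation."""
    return re.sub(r"</?script\b[^>]*>", "", html, flags=re.IGNORECASE)


def contains_php_open_tag(php_source: str) -> bool:
    """Final gate over the generated PHP text. Conservative on purpose: any '<?'
    that is not our own marker counts, because '<?=' is always enabled and even
    '<?xml' is executed as a short tag when short_open_tag is on."""
    return "<?" in php_source.replace(PHP_LITERAL, "")


if __name__ == "__main__":
    # Constructed inputs: the pattern from the post and the '<?<script>php' probe.
    payload = "<script><?= ABSPATH; ?></script>"
    probe = "<?<script>php"
    for name, fn in (("naive", naive_convert), ("hardened", hardened_convert)):
        out = strip_script_tags(fn(probe))
        print(name, "probe   executable:", contains_php_open_tag(out))
        out = fn(payload)
        print(name, "payload executable:", contains_php_open_tag(out))
```

Running it shows the naive model leaving the script-wrapped payload executable while the hardened path neutralises it, and that the '<?<script>php' probe is harmless under both orderings, which matches what the tests above found. The design choice worth copying is the gate: a converter should refuse to write any theme file in which the only '<?' sequences are not its own marker, so a future parsing change cannot quietly reintroduce the flaw.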
So within the next hour of my discovery and tests I contacted the htmltowordpress.io team, and they fixed the flaws within the following hours.
Now htmltowordpress.io is more secure than yesterday! Go and try the service now at htmltowordpress.io!