So what’s new?
So what’s new?
No WordPress 3.4 updates this week, and the WordPress 3.4 beta 3 version is currently available. As per project schedule, the final two steps before WordPress 3.4 are release candidates RC1 and RC2. Target launch is May 9th.
At the time of writing, the WordPress 3.4 roadmap is at closed: 396 active: 92 total: 488 tickets, which is around 81% completed. Many XML-RPC privileges-type bugs fixed, we’ll probably be seeing more considering the terrific amount of new features in the XML-RPC server.
And now to trunk, what’s changed?
So what the heck happened there in terms of security?
WordPress 3.3.1 uses Plupload Version 126.96.36.199 (2011-09-27), with latest Plupload at Version 1.5.4 you can see that much could and must have gone wrong between these two. By checking out the changelog, we find the following entries:
Contents of changesets can be seen here. Not sure what we’re really looking for at this point; the WordPress changeset appears to rely on the Plupload update solely. Neal Poole promises some information it seems, which makes it even more intriguing, could the problem be not (only) in Plupload?
One of the core files in the changeset seems to be capabilities.php and it has not changed… then there’s handlers.js, with
up.removeFile(file); added… no other ideas, eagerly waiting for some details.
Another mystery, why are SWFUpload bugs reported to WordPress? There have been no updates to SWFUpload since September 2011 it seems. So what’s going on here? Can’t tell without decompilation of the SWF itself.
Changeset appears to be limited to encoding the MMredirect Flashvar, possibly related is a year-old Security Issue SDK-22303 revolving around XSS as well as this one. Latest version of SWFobject does not appear to have this change applied to it, last update was in June of 2009.
As the changeset shows, a non-network administrator in WordPress 3.3.1 can deactivate network-wide plugins. This is of limited use under most circumstances.
Update: OK, so I updated to 3.3.2 and I’m still getting XSS’d from inside the comments, did I miss the point of it all or hit something else? Latest trunk with Twenty Ten/Eleven also allows script injection in comments. Whaaa…? I need to get some serious sleep, been up for over 30 hours. Enough monkey business for now.
Update: The farthest I got is injecting
<a href=" www.two.com/onclick=undefined">www.five.com</a> which produces an error on the page when clicked.
So that’s pretty much why the sudden update besides the couple of fixes that made it with the release. It still doesn’t feel right…
Be on the lookout for the details behind the intriguing SWF updates. Bigups go to Neal Poole, Nathan Partlan, Szymon Gruszeck, Mauro Gentile, Adam Backstrom for the patience to disclose responsibly. Much love to the core and the security teams that make it of utmost importance to keep WordPress users safe. Thank you.
With WordPress 3.4 still on the conveyor belt, most of the week’s changes revolve around fixing the odds and ends in last weeks’ beta 2. 156 tickets currently open.
There have been a couple of changes in the 3.3 branch as well, though. The log contains all the details. WordPress 3.3.2 has been made available for download with multiple security vulnerabilities fixed. WordPress 3.4 beta 3 is also out. And now for trunk and WordPress 3.4.
Pingbacks have been part of the WordPress since the very beginning. One of my previous articles, titled WordPress Pingback Attacks explores two types of denial-of-service attacks that leverage Pingback request processing in WordPress. If you do not know how Pingbacks work, I suggest taking a quick crash-course here.
One of the attacks is a Layer 7, direct denial-of-service attack, performed by a handful of machines targeted at a single WordPress XML-RPC server with pingbacks enabled. Its purpose is to deplete the server of memory resources by forcing it to download and parse a target URL, which is specifically crafted to heighten resource usage while parsing. Up to 6:1 peak-memory-usage-to-download-size ratios have been reliably reproduced. There’s a bug that allows 5 times as much usage (i.e. 30:1 inflation ratios) when setup properly (WordPress 3.4 will suffer from it as well).
The second attack is a Layer 4 (typically bandwidth-exhaustion), reflected distributed denial-of-service attack which utilizes publicly available WordPress sites on servers of any size and is the subject of this article. Buckle up, off we go.
With most of the work concentrated on getting WordPress 3.4 out on schedule, with 172 active tickets (1 more than last week), a lot of testing and fixes, WordPress 3.4 beta 2 has been announced. Here’s an overview of the 3.4 release workflow.
This week in WordPress trunk…
If you’ve ever installed or setup WordPress you should have surely seen your wp-config.php file, which contains the necessary configuration directives in order for WordPress to work. One section of the configuration file is dedicated to authentication keys and salts and this article will show you why you should keeps these safe and unique, regenerate these once in a while.
Salt, salt, salt… care to pass me the salt? Don’t! If I know your salt there’s a good chance I’ll be inside your WordPress administration panel within a week. Why? Because WordPress depends on the safety of these salts, once they are compromised the security behind authentication is relatively weak. But how?
It’s been around 48 hours since WordPress 3.4 beta 1 was officially released, with around 20 new tickets opened, and at least as much closed since then, there are currently 171 tickets open.
Let’s see what changed this week in 3.4 and future releases of WordPress.
Produce a raw dump of some of the core parts that should help shed some light on issues regarding WordPress rewrite rules, permalinks and missing template files when a 404 is encountered. Fork, improve, comment. This is for environments with no fancy IDEs, Xdebug, debug plugins.
It is no secret that the WordPress Core interacts with remote APIs maintained by WordPress DOT org team. The most direct manifestation of these calls are plugin, theme and Core update notifications, and XML feeds in the Dashboard. Let’s take a look at all (hopefully) of the calls that WordPress is able to make, analyze the protocols and the data being exchanged.