Tag Archives: security

phdays12

I haven’t been at an IT conference (or out of the house for that matter) in a while. With summer approaching quickly I decided to visit Positive Hack Days in Moscow’s Gorky Park. The conference had quite a bit of social media coverage and hype. I reached out to my friends over at xakep (an IT security magazine that I used to read back in the early 00s, which went digital a handful of years ago) and got me an entry ticket, booked the flight and hotel and got ready to relax and chill for a weekend. Boy, was I wrong…

Continue reading



Upcoming Stream: Creating WordPress Malware

…for fun and fun only!

This week Konstantin Kovshenin created a minimalist WordPress caching plugin in 6 hours. Let’s up the ante!

This weekend I’ll attempt to create the cheekiest and most evasive WordPress malware yet. Leveraging some recent plugin zero-day, I’ll infect several dummy WordPress installs with it, and put a handful of freelance security experts and WordPress malware cleanup services to the test. Think CTF. Who will defeat our evil creation?

WordPress Malware

A huge legal and ethical gray area, bound to be a fun an educational dive into the world of advanced WordPress security concepts as part of the koddr.io experience. Let’s be the baddies for a bit.

When? 7th August, 7a UTC.
Where? On Twitch, YouTube and other streaming platforms.

Add to Calendar, and meet me there. And don’t tell anyone else πŸ˜‰



WooCommerce Can’t Count Either

In continuation of yesterday’s post about bbPress, I decided to look for a more impactful race condition vulnerability. What’s more impactful on an online business than ecommerce?

WooCommerce is up for the thread-safety test in this post and probably a couple of other to follow.

WooCommerce Can't Count Either

Continue reading



bbPress Can’t Count

In a highly-concurrent high-load environment bbPress will not count the topics and replies correctly. This happens due to several race conditions in the code. While not a critical vulnerability, it’s annoying. I wonder how the dotorg forums keep the numbers accurate? Maybe they don’t and nobody cares πŸ™‚ but it’s something I’ve been very passionate about – data accuracy and race conditions.

bbPress Can't Count

Continue reading



Testing Race Conditions in WordPress

WordPress is not thread-safe.

I’ve spoken about this, and even started work on a plugin called WP_Lock that will aim to introduce some thread-safety into core to address the occasional TOCTOU bug under high load (and concurrency). For example ticket #44568 is an easy-to-reproduce complaint about concurrent REST API access πŸ˜‰

Testing Concurrency Issues in WordPress with PHPUnit

If you thought writing thread-safe code in WordPress plugins is hard, unit testing the code for concurrency issues is even harder. One of the ways I found works best is by utilizing the PCNTL module in PHP to fork and test critical sections.

Continue reading



Part 3: Safety nets vs. bad code

If you haven’t looked at part 1 and 2 here, I suggest you do before reading on. This is a direct continuation of part 1.

So the original $wpdb->prepare vulnerability, which, I remind you is based on a potential typo in third-party code, is followed up with a new potential vulnerability based on double preparing a query. So again, bad third-party code.

So here’s one for you. If a developer does $wpdb->prepare( "SELECT * FROM wp_users where ID = %d OR %d". $_GET['param1'], $_GET['param2'] ); (note the . instead of the ,) do I also get a $500 bounty? How far will this go? Will the method be removed completely because #security? To what extent should WordPress and PHP be blamed for potential developer mistakes?

Shouldn’t these be addressed in the actual third-party code and not in core? I’m at a complete and utter loss now. What’s next?

Shout outs to Slavco for bringing all these issues up both with the codebase and the community, and how things are or should be handled.



On WordPress Security and Contributing

…and how neither really worked today.

A sad story in two parts, where I’m rash, harsh and untactful. An explanation, a rant, a call for support, a call for action. You do not have to agree with me, I may be just an asshole and haven’t realized it yet πŸ˜‰

Continue reading



12 WordPress Plugin Vulnerabilities in 12 Months

I’m challenging myself to find 12 plugin vulnerabilities in the next 12 months, right in time for WordCamp Moscow 2018, where I’ll present peculiar vulnerable code and talk about practical security mistakes that don’t get caught by the official plugin repository review process.



Javo Themes Spot LFI Vulnerability

Whew, it’s been a while…

I’ve had the misfortune to work with yet another theme from ThemeForest. A $60 premium theme and nothing less! Meet Javo Spot by Javo Themes…

Javo Theme Vulnerability

Within half an hour of fiddling with it, trying to filter the output of their Listings Directory (which ended up being a 5-hour pain-in-the-butt task, which is a story for another day), I came across a glaring unauthenticated Local File Inclusion vulnerability (an LFI for short).

Continue reading



WordPress Nonces Vulnerabilities

Quick Page/Post Redirect Plugin: A Case Study

Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk.

Quick Page/Post Redirect WordPress Plugin Vulnerability

And why? All because the developer thinks a 5-byte WordPress Nonce will stop the bulk redirect import functionality from running. Newsflash: It won’t

Continue reading