Tag Archives: security

Why the update, WordPress 3.3.2?

The WordPress 3.3.2 maintenance release was announced yesterday. The changelog for WordPress 3.3.2 explains some of the changes, and the changesets log displays pretty much all the changes made in 3.3.2.

So what the heck happened there in terms of security?

Plupload

WordPress 3.3.1 uses Plupload version 1.5.1.1 (2011-09-27). With the latest Plupload at version 1.5.4, you can see that much could and must have gone wrong between these two. Checking the changelog, we find the following entries:

  • Fix potential vulnerability in dump.php and upload.php (too old)
  • Flash: Restrict scripting ability to swf’s own domain only
  • Revive temporary file removal logic in upload.php
  • and possibly some others

Contents of changesets can be seen here. Not sure what we’re really looking for at this point; the WordPress changeset appears to rely solely on the Plupload update. Neal Poole promises some information, it seems, which makes it even more intriguing: could the problem be not (only) in Plupload?

One of the core files in the changeset seems to be capabilities.php and it has not changed… then there’s handlers.js, with up.removeFile(file); added… no other ideas, eagerly waiting for some details.

SWFUpload

Another mystery: why are SWFUpload bugs reported to WordPress? There have been no updates to SWFUpload since September 2011, it seems. So what’s going on here? Can’t tell without decompiling the SWF itself.

SWFobject

The changeset appears to be limited to encoding the MMredirect Flashvar. Possibly related are a year-old Security Issue SDK-22303 revolving around XSS, as well as this one. The latest version of SWFobject does not appear to have this change applied to it; its last update was in June of 2009.

Limited privilege escalation

As the changeset shows, a non-network administrator in WordPress 3.3.1 can deactivate network-wide plugins. This is of limited use under most circumstances.

make_clickable

The make_clickable function grew in size to account for some edge case where XSS is possible in comment text.

Update: OK, so I updated to 3.3.2 and I’m still getting XSS’d from inside the comments, did I miss the point of it all or hit something else? Latest trunk with Twenty Ten/Eleven also allows script injection in comments. Whaaa…? I need to get some serious sleep, been up for over 30 hours. Enough monkey business for now.

Update: The farthest I got is injecting <a href=" www.two.com/onclick=undefined">www.five.com</a> which produces an error on the page when clicked.

Update 2: A few hours of sleep works like magic. Turns out I was logged in as administrator. That’s how I got to inject JavaScript into comments.


So that’s pretty much why the sudden update besides the couple of fixes that made it with the release. It still doesn’t feel right…

Be on the lookout for the details behind the intriguing SWF updates. Bigups go to Neal Poole, Nathan Partlan, Szymon Gruszeck, Mauro Gentile, Adam Backstrom for the patience to disclose responsibly. Much love to the core and the security teams that make it of utmost importance to keep WordPress users safe. Thank you.



WordPress DoSnet

…or how to build your own WordPress-powered denial-of-service network

Pingbacks have been part of WordPress since the very beginning. One of my previous articles, titled WordPress Pingback Attacks, explores two types of denial-of-service attacks that leverage Pingback request processing in WordPress. If you do not know how Pingbacks work, I suggest taking a quick crash-course here.

One of the attacks is a Layer 7, direct denial-of-service attack, performed by a handful of machines targeted at a single WordPress XML-RPC server with pingbacks enabled. Its purpose is to deplete the server of memory resources by forcing it to download and parse a target URL, which is specifically crafted to heighten resource usage while parsing. Up to 6:1 peak-memory-usage-to-download-size ratios have been reliably reproduced. There’s a bug that allows 5 times as much usage (i.e. 30:1 inflation ratios) when set up properly (WordPress 3.4 will suffer from it as well).

The second attack is a Layer 4 (typically bandwidth-exhaustion), reflected distributed denial-of-service attack which utilizes publicly available WordPress sites on servers of any size and is the subject of this article. Buckle up, off we go.



Why WordPress Authentication Unique Keys and Salts Are Important

…or how to forge authentication cookies in WordPress

If you’ve ever installed or set up WordPress, you have surely seen your wp-config.php file, which contains the configuration directives WordPress needs in order to work. One section of the configuration file is dedicated to authentication keys and salts, and this article will show you why you should keep these safe and unique, and regenerate them once in a while.

Salt, salt, salt… care to pass me the salt? Don’t! If I know your salt there’s a good chance I’ll be inside your WordPress administration panel within a week. Why? Because WordPress depends on the safety of these salts; once they are compromised, the security behind authentication is relatively weak. But how?



WordPress Plugin Repository Phishing Scam Spam

A new phishing scam is doing the rounds and it’s targeting WordPress plugin developers. This is a very interesting attack vector, explosively damaging when successful.

Dear WordPress Plugin Developer,

Unfortunately, a plugin you are hosting has been temporarily removed from the WordPress repository. We are going to manually review your plugin because it has been reported for violating our Terms of Service. If your plugin does not get approved then it will be permanently removed from the WordPress repository.

You can check if your plugin has been approved or rejected at

http://wordpress.org/extend/plugins/my-plugin-status/

Very unconventional: not your usual e-mail or PayPal account phishing, it’s WordPress. A little short of 20000 plugins, shared among fewer authors, so not a lot of victims to play with. The subsequent aim of a phishing attack appears to be the modification of plugins to inject malicious code and get WordPress installations with the plugin infected. People using the plugin would then update and bring the bad code in.

Looks quite difficult to accomplish though; it’s hard enough to get a plugin developer to not notice a fake WordPress.org site, then not smell anything funny going on even if they enter their credentials. Hmmm…

The phishing site is currently disabled (404); it looks like the attack has been dismantled quite quickly and efficiently. The link http://wordpress.org/extend/plugins/my-plugin-status/ now leads to a nice plugin by the WordPress team. Well done, WordPress.org, for acting quickly and efficiently.

To users of plugins, be aware of sudden updates, review code, contact the authors.

Source: Warning Phishing Attempt @ WordPress.org



WordPress Pingback Attack

Yesterday I wrote a post titled On WordPress Pingbacks. While writing this I came to several conclusions that resulted in some interesting experiments and results.

I was going to publish my results along with that post; however, I wanted to make sure that the WordPress Security mailing list had nothing against my publishing such information. With no word from them (I guess I expected too much to be contacted back within 24 hours), I’ve decided to dedicate a whole article to the Pingback attack, its potential, its limitations and further considerations and concerns.



WordPress Escape Functions

The process of escaping data is an important one, since the lack thereof can lead to XSS and other naughty and unexpected things, as well as legitimate data that simply breaks specific data formats.

Consider HTML attributes. Imagine you have the following simple code:

$image_src = get_uploaded_image_src(); // not any specific function
echo '<img src="' . $image_src . '" />';

What if the uploaded image is called "Horizons" by LTJ Bukem.jpg? You end up with broken HTML: <img src=""Horizons" by LTJ Bukem.jpg" />… not to worry though, WordPress comes with a dozen escape functions for taking care of all these sorts of things. However, with the myriad of escaping functions provided in WordPress, it is oftentimes difficult to remember which is which and whether there is an escape function for a specific case.
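The broken attribute above next to its escaped form, as an added example that is not code from the original post. The helper names img_unescaped() and img_escaped() and the second file name are constructed for illustration, and the esc_attr() fallback is a simplified stand-in so the script also runs outside WordPress.

```php
<?php
// Added example. Inside WordPress the real esc_attr() is used; outside it,
// this simplified stand-in (an assumption, not WordPress's implementation)
// encodes &, <, > and both quote characters.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// The 'before' from the text: the raw value is concatenated into the attribute.
function img_unescaped( $src ) {
    return '<img src="' . $src . '" />';
}

// Hardened form: escape for the attribute context at the point of output.
function img_escaped( $src ) {
    return '<img src="' . esc_attr( $src ) . '" />';
}

// Constructed sample file names.
$samples = array(
    '"Horizons" by LTJ Bukem.jpg', // legitimate name that breaks the markup
    'x.jpg" onerror="alert(1)',    // name whose quote would start a new attribute
);

foreach ( $samples as $name ) {
    echo 'input:     ' . $name . "\n";
    echo 'unescaped: ' . img_unescaped( $name ) . "\n";
    echo 'escaped:   ' . img_escaped( $name ) . "\n\n";
}
```

In the escaped output every double quote becomes `&quot;`, so the value stays inside the src attribute in both cases. For URL-valued attributes WordPress also provides esc_url().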



Random New User Password Generator for WordPress

Inspired by the http://wordpress.org/extend/ideas/topic/random-password-for-new-users WordPress plugin idea, and with a bit of time on my hands, I decided to code up a simple little plugin that is easy to understand and use.

Meet the Random New User Passwords for WordPress plugin. It’s a minimum viable solution, with zero-configuration, so don’t expect much.



The WordPress Meta “generator” Tag Paranoia

WordPress Version

…or “WordPress Version Fingerprinting”

I have read dozens of “How to secure your WordPress” articles, and one common “tip” among others is getting rid of the “generator” tag in the HTML head, for additional security through obscurity.

WordPress uses the meta “generator” tag to “disclose” its version. The paranoia surrounding this fact is unbelievable: people think that by removing it they harden WordPress. And that is absolutely not true.



The WordPress Plugin and Theme Editor Must Go

WordPress Vulnerability

…or “How WordPress Gets Hacked”

The prelude

With so many reports of WordPress sites being hacked in one way or another, I decided to see how exactly WordPress sites are being invaded. The WordPress Codex has an excellent FAQ section titled “My site was hacked”, and it’s great. Hardening WordPress is another fantastic entry that deserves even more attention.

Not so long ago, I set up a honeypot on one of my private servers. I grabbed the latest stable version of WordPress and installed it. Waiting for any new WordPress vulnerability to be exploited would not be viable (although the TimThumb vulnerability is occasionally being attempted). I considered the latest stable version of WordPress secure, correctly set up, so I chose the single weakest link in the chain, located between the chair and the screen – the Admin.



Surviving An Internet Blackout

When The Internet Goes Down

On the 12th of February an Anonymous posted the following pastebin: Operation Global Blackout. In case the pastebin disappears here’s the plaintext: Operation Global Blackout Anonymous.

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black.
