
WordPress Exploit Allows Admin Password Reset

Soulskill posted more than 5 years ago | from the probably-the-first-time-most-have-been-changed dept.

Security 100

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.


100 comments


Rob Malda has a baby penis (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29038615)

I'm wanking off CmdrTaco right now and his cock is only 2 inches long!

Re:Rob Malda has a baby penis (0)

Anonymous Coward | more than 5 years ago | (#29046517)

That's only because fat chicks, like you, are a turnoff. If you were a hot teen boy with a tight ass and hairless crotch, my hardon would measure at least 3 inches.

Clarification (4, Informative)

Jugalator (259273) | more than 5 years ago | (#29038631)

For those who don't RTFA, this doesn't give the attacker access to the new, reset password. That requires access to the admin's mailbox as well. So the link saying "lock an admin out" is a bit, well, not completely true. It could be true if his/her inbox is hacked, but not otherwise.

Re:Clarification (4, Insightful)

Jellybob (597204) | more than 5 years ago | (#29038665)

Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.

While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, than a massive bug which will end the world, but still a flaw.

Re:Clarification (5, Insightful)

evanbd (210358) | more than 5 years ago | (#29039301)

If I write a script that resets your password every 3 seconds, you'll find it to be more than a minor inconvenience.

Re:Clarification (1)

RichardJenkins (1362463) | more than 5 years ago | (#29040153)

Yes, but only slightly more inconvenient. Damn script kiddies!

Re:Clarification (1)

davester666 (731373) | more than 5 years ago | (#29041695)

Yes, you'll have to do some work instead of posting to a blog all day.

Re:Clarification (0)

Anonymous Coward | more than 5 years ago | (#29042635)

Meh, I could break your 3-second script by upgrading WordPress via FTP or whatever, then no problem.

Re:Clarification (4, Funny)

Thaelon (250687) | more than 5 years ago | (#29042725)

Why wait 3 seconds?

while true; do lynx -dump <specially crafted URL>; done &

Re:Clarification (1)

gfim (452121) | more than 5 years ago | (#29046887)

Hey, my WordPress hosting is on DreamHost. There's no way that will take less than 3 seconds per iteration. So I'm safe from your DOS. Oh, wait...

Re:Clarification (1)

HiChris! (999553) | more than 5 years ago | (#29039471)

That's why you should always set up an alternate login with Administrator access. I never use the actual admin login myself - still, I just did the upgrade.

Re:Clarification (2)

hcdejong (561314) | more than 5 years ago | (#29040683)

Can't the administrator use the same hack to change the password again, regaining access?

Re:Clarification (1)

rednip (186217) | more than 5 years ago | (#29041611)

Can't the administrator use the same hack to change the password again, regaining access?

For the same reason why this crack only locks out an administrator, rather than capturing the account; one would have to encrypt their new password using the same algorithm as the application.

Re:Clarification (2, Informative)

Tumbleweed (3706) | more than 5 years ago | (#29042049)

> Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.

While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, than a massive bug which will end the world, but still a flaw.

The admin still gets the password change notification, though, so the net effect is that someone is changing their password for them, notifying them of that, yet the attacker still can't get access to the admin login info unless they have access to the admin's email account. The admin can simply check their email for the new password, though, so they're not really locked out. Annoying, yes, but a pretty minor issue, and it's already been fixed.

Re:Clarification (1)

Stauken (1392809) | more than 5 years ago | (#29044027)

Just because no one has pointed it out, the administrator also likely either has access to the database or knows someone who does. Even if you don't have the ability to utilize the SAME algorithm that Wordpress uses (Which unless they did something special that most PHP programmers don't do, it's most likely just MD5), it's not hard to create an additional user that you DO know the password to and then do UPDATE wp_users SET password=(SELECT password from wp_users where user_id=knownpwid) where user_id=adminid .. well, with whatever the fields would be in wordpress (don't have the database open in front of me). Not the easiest thing in the world, but even if this was some end-all be-all 'lock out the admin' and did not generate a notification, unless the entire database becomes compromised (which would probably be indicative of having bigger problems than a buggy wp) the fix is always available and will work universally.

Re:Clarification (1)

MikeRT (947531) | more than 5 years ago | (#29038731)

It may indeed be a minor problem for admins, but if it affects regular users, it could cause a boat load of grief to the site's admins if someone automates a process for resetting passwords.

Re:Clarification (1)

EasyTarget (43516) | more than 5 years ago | (#29038963)

AFAIK it can only affect the built-in admin account's password (because this is always the 'first' password in the database); normal users cannot be locked out.

Re:Clarification (1)

Shakrai (717556) | more than 5 years ago | (#29039097)

it will cause a boat load of grief to the site's admins when someone automates a process for resetting passwords.

Fixed that for you :)

Re:Clarification (1)

kchrist (938224) | more than 5 years ago | (#29038803)

True. While I won't go so far as to say this is a non-issue, it's an annoyance rather than a security problem. The worst case scenario is that you have to log in using a different password, one that's sitting in your mailbox, and then change it back. No passwords are disclosed and no access is granted to the "attacker".

Granted, if your email account is also compromised, this will give the attacker access to your Wordpress site, but if they have access to your mailbox, they could already reset the password using the normal means.

So yeah, get the update when you have a chance but it's nothing to lose sleep over in the meantime.

Re:Clarification (1)

dubbreak (623656) | more than 5 years ago | (#29038999)

RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual. Yes, the attacker can't get the password, but the admin doesn't get it either.

Re:Clarification (1)

genner (694963) | more than 5 years ago | (#29039161)

RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual. Yes, the attacker can't get the password, but the admin doesn't get it either.

So, you just need to reset the password again using normal means.

Re:Clarification (3, Informative)

makomk (752139) | more than 5 years ago | (#29041551)

RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual.

Except that's not actually what it says, and even if it was TFA states otherwise:

As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

The e-mail that doesn't get sent is the one asking the user to confirm they want to reset their password, since that step is bypassed by the exploit.

Re:Clarification (0)

Anonymous Coward | more than 5 years ago | (#29041271)

htaccess restrict admin page to certain IPs..... works on the CMS and wikis i use..... still surprised it's not a standard feature....

The great fallacy of root passwords (-1, Redundant)

BadAnalogyGuy (945258) | more than 5 years ago | (#29038681)

None of my systems have root passwords. But I am not vulnerable.

While this may, at first glance, seem to be foolhardy, the key to this is that there are no root accounts on any of my systems. A root account is itself the biggest vulnerability, exploitable by any root-access flaw. By removing the account and accounts like it, there is no surface area to attack. At least, there is no vulnerability that puts my whole system at risk.

Is it difficult to work without root access? No, not really. The key is to take frequent backups to return the system to a known state if there is any chance of infiltration.

Re:The great fallacy of root passwords (1)

TheLink (130905) | more than 5 years ago | (#29038915)

This is not about root passwords. This is an admin password to a blog system or CMS.

You're going to need admin accounts as long as you want to have different classes of users and have certain users manage some stuff.

Re:The great fallacy of root passwords (1)

Knoeki (1149769) | more than 5 years ago | (#29038937)

so what do you do when you want to install an update? :_)

Re:The great fallacy of root passwords (1)

cbiltcliffe (186293) | more than 5 years ago | (#29039227)

so what do you do when you want to install an update? :_)

"return the system to a known state" :-)

My question is, how does he do backups, if no account has permission to access those system files that only root can access?
Or has he done a "chmod g+rw -R /", and added himself to every group on the machine?
Or maybe "chmod a+wrx -R /"?

Re:The great fallacy of root passwords (1)

BlueKitties (1541613) | more than 5 years ago | (#29038969)

Don't be silly. Set up a root account, set up sudo permissions, and then use the sudo authority when you need to do something instead of su or logging into root. You can still have your root, just don't use it unless you absolutely have to, and when you do access it via the terminal from a non-root user.

Re:The great fallacy of root passwords (1)

cbiltcliffe (186293) | more than 5 years ago | (#29039141)

Disabling the ability to login as root/administrator does not remove the account from the machine.

The kernel on a *nix machine still runs at the same privilege level, along with a bunch of system daemons.

Same with Windows. You can't log in as Administrator on an XP Home machine....until you boot in safe mode. But programs can still run with administrator privileges, even when the account forbids login.

In fact, completely removing the root/administrator account on a machine would probably render it non-bootable, or at least very screwed up.
Keep in mind, you need root/admin privileges to bring up network interfaces, directly access hardware for sound, video, or other output, and a bunch of other stuff. So with no root privs on the machine at all, you can't get sound, networking, or video, unless you assign regular users to be able to access those hardware interfaces, at which point you've just replaced the root account with a differently named root account, which you run all the time, thereby lowering your security, instead of improving it.

Re:The great fallacy of root passwords (1)

TheRaven64 (641858) | more than 5 years ago | (#29040981)

The kernel on a *nix machine still runs at the same privilege level, along with a bunch of system daemons.

No it doesn't. The kernel runs in ring 0 with no user account. When making a system call into the kernel, a classical *NIX machine will check whether the call is made by UID 0 (root) but the kernel itself is not running as the root user. On a more modern system, there are privilege elevation mechanisms that allow the kernel to perform privileged operations on behalf of other users, so you don't need the root user at all.

Re:The great fallacy of root passwords (1)

cbiltcliffe (186293) | more than 5 years ago | (#29041153)

I didn't say the kernel ran as root. I said it runs at the same privilege level. Meaning, removing the root account will still leave any root exploit in the kernel just as open as it was before.

Re:The great fallacy of root passwords (2, Informative)

TheRaven64 (641858) | more than 5 years ago | (#29041585)

The kernel does not run at the same privilege level as root. Root is a user which the kernel allows to access (some) privileged services. Root programs run in ring 3 (on x86, unprivileged mode on other platforms), while the kernel runs in ring 0 (or privileged mode on non-x86 platforms). The kernel can access physical hardware directly. The root user can not, they can only request that the kernel access it on their behalf. On some UNIX systems there is a device node which allows a sufficiently-privileged user to map arbitrary memory pages, however this is not something that root can do without the kernel exposing this device and without the kernel deciding which userspace processes are allowed to do so. A program running as root can not, for example, write to a device or alter the page tables without the kernel mediating this.

A privilege escalation vulnerability in the kernel may or may not be related to the root user. Often they are not, for example the recent SCTP vulnerability in Linux permitted arbitrary code to be run in kernel space, meaning that the root user was completely irrelevant. Other privilege escalation vulnerabilities only allow you to run your code as if it were run by root, in which case systems like SELinux or system immutable flags in the filesystem may still prevent you from doing things you want to.

Re:The great fallacy of root passwords (1)

cbiltcliffe (186293) | more than 5 years ago | (#29044133)

Ok....vagueness in the English language breaks conversation yet again.

When I said "The kernel runs at the same privilege level," you thought I meant the kernel ran at the same privilege level as root.

I meant the kernel runs at the same privilege level regardless of whether the root user exists or not.

Perhaps I should have continued my sentence, rather than implying that....

Re:The great fallacy of root passwords (1)

TheRaven64 (641858) | more than 5 years ago | (#29045637)

Ah, that makes sense. Rereading your original post in that context, you are completely correct - sorry.

Full disclosure a day after discovery? (5, Interesting)

SmitherIsGod (914108) | more than 5 years ago | (#29038719)

Is that not a bit soon? Especially with wordpress - it's going to be ages before many people update, and it's not a critical problem.

Re:Full disclosure a day after discovery? (1)

wytcld (179112) | more than 5 years ago | (#29042403)

Since updating Wordpress is just a matter of pushing a button on the administrative screen, even being lazy is little reason not to go ahead.

Re:Full disclosure a day after discovery? (1)

Krischi (61667) | more than 5 years ago | (#29042853)

Except that new versions have become more memory-hungry, and any sysadmin worth his money will limit the amount of memory that a PHP script is allowed to take. If it is insufficient for the new version, the automatic upgrade will just fail silently. Not so good.

ladies, get your pussies ready! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29038727)

I watched tucker max's "revolutionary" movie last night... to quote the critic, "it stinks". It's the Battlefield Earth of comedies, but without John Travolta. It's not theatre material. It's not even straight to DVD material. It's more like a case study in how not to make a movie.

Call me a hater, but I wouldn't care if it hadn't been hyped. "Anything the hangover can do, we can beat?" Funnier than any joke in the movie, that's for damn sure.

Nigger Code (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29038747)

Sounds like some type of nigger (sand nigger, curry nigger, rice nigger, black nigger etc..) wrote this code.

My copy of wordpress doesn't have this problem (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29038977)

That's funny, my copy of Wordpress is not vulnerable to this issue. Oh wait, I tweaked things so that all of the logins and the like go over a separate, password-protected SSL connection. https://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= just won't work :) Obviously this won't work if you let arbitrary users login to your wordpress account.
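The request shape quoted above (`wp-login.php?action=rp` with the key passed as an array, `key[]=`) and the "reset it every 3 seconds" scenario discussed earlier in the thread are both visible in ordinary web server access logs. The following is an added example, not code from the original thread or from WordPress: it flags reset requests that pass `key` as an array and counts repeated reset requests per source address. The log lines are constructed, and the threshold of three is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache "combined" format; not real traffic.
# Three array-key reset requests from one source, one normal reset, one unrelated
# page load, and one array-key reset using an explicit index (key[0]=).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2009:10:15:01 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1532 "-" "Lynx/2.8.7"
203.0.113.7 - - [11/Aug/2009:10:15:04 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1532 "-" "Lynx/2.8.7"
203.0.113.7 - - [11/Aug/2009:10:15:07 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 1532 "-" "Lynx/2.8.7"
198.51.100.3 - - [11/Aug/2009:10:16:30 +0000] "GET /wp-login.php?action=rp&key=abc123def456 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Aug/2009:10:17:02 +0000] "GET /index.php HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Aug/2009:10:18:45 +0000] "GET /wp-login.php?action=rp&key[0]=zzz HTTP/1.1" 200 1532 "-" "curl/7.19"
"""

# client ip, timestamp, method, request path, protocol, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# PHP turns a query parameter written as name[] or name[index] into an array.
ARRAY_PARAM_RE = re.compile(r"^key\[")


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def _reset_params(path):
    """Parsed query parameters if `path` is a wp-login.php password-reset (action=rp)
    request, otherwise None. keep_blank_values is needed so that 'key[]=' survives."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-login.php"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    if ("action", "rp") not in params:
        return None
    return params


def is_password_reset(path):
    """True for any wp-login.php request that carries action=rp."""
    return _reset_params(path) is not None


def has_array_key(path):
    """True when a password-reset request passes `key` in array form (key[]= or key[n]=)."""
    params = _reset_params(path)
    if params is None:
        return False
    return any(ARRAY_PARAM_RE.match(name) for name, _ in params)


def analyze(log_text, repeat_threshold=3):
    """Scan log text and return the array-key reset requests seen plus the sources
    that issued at least `repeat_threshold` reset requests (repeated lockouts)."""
    array_key_hits = []
    resets_by_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        ip, path, _status = entry
        if not is_password_reset(path):
            continue
        resets_by_ip[ip] += 1
        if has_array_key(path):
            array_key_hits.append((ip, path))
    repeat_sources = {ip: n for ip, n in resets_by_ip.items() if n >= repeat_threshold}
    return {"array_key_hits": array_key_hits, "repeat_sources": repeat_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path in result["array_key_hits"]:
        print(f"array-form reset key from {ip}: {path}")
    for ip, n in result["repeat_sources"].items():
        print(f"{ip} issued {n} password-reset requests")
```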

Re:My copy of wordpress doesn't have this problem (0)

Anonymous Coward | more than 5 years ago | (#29039213)

Come, let us bask in the warm glow of your smugness. ;o)

Re:My copy of wordpress doesn't have this problem (0)

Anonymous Coward | more than 5 years ago | (#29040071)

Sorry, I did word that a bit smugly. However, my point remains. Having multiple layers of security, on the assumption that one of them may fail, is a good idea. It is not too much effort to use an https connection for files that involve registered users.

Actually, I go a bit further; the access to wp-login (and other files) is restricted by an ip address whitelist.

Re:My copy of wordpress doesn't have this problem (0)

Anonymous Coward | more than 5 years ago | (#29041919)

An IP whitelist is somewhat risky, unless you have at least 1 IP you know for certain won't change. My (and likely nearly everyone else's) home ISP can, but usually doesn't, change my IP at will. Sure, I could "upgrade" to business class, and get the same speed for literally 4x the cost just to have a static IP.

But, yea, if you know for 100% sure your IP won't be changed, it seems like it would be a good thing to do.

Re:My copy of wordpress doesn't have this problem (1)

belg4mit (152620) | more than 5 years ago | (#29046413)

And how did you manage to get wordpress to not insist on redirecting everything to a single host?

That's why I stopped using Wordpress (4, Insightful)

krovisser (1056294) | more than 5 years ago | (#29039111)

I was tired of constantly having security issues and having to upgrade. Isn't there a less feature-filled blog app out there that's all lightweight and whatnot?

Re:That's why I stopped using Wordpress (1)

hesaigo999ca (786966) | more than 5 years ago | (#29039651)

drupal

Re:That's why I stopped using Wordpress (0)

Anonymous Coward | more than 5 years ago | (#29039675)

I'd rather run software that gets security updates often than never. Not getting updated often has very little to do with how secure the software actually is.

Re:That's why I stopped using Wordpress (1)

BitHive (578094) | more than 5 years ago | (#29039717)

Radiant CMS [radiantcms.org]

Re:That's why I stopped using Wordpress (0)

cosmotron (900510) | more than 5 years ago | (#29039767)

You could write your own... A blog is incredibly simple to write if you want featureless and lightweight. It can be as simple as having entries be rows in a database and then displaying them in some order, haha.

Re:That's why I stopped using Wordpress (1)

CannonballHead (842625) | more than 5 years ago | (#29039957)

I wrote my own, very simple one. All I wanted was a way to add blurbs to one page and display the first X of them or whatever. Pretty simple.

Re:That's why I stopped using Wordpress (2, Insightful)

Deanalator (806515) | more than 5 years ago | (#29040003)

*laugh explosion* Ya, that's an awesome idea for making sure your app is secure. Remember that old rule about writing your own crypto? That still applies today to CMS webapps. Unless you have a *set* of friends that pentest webapps professionally, writing your own CMS is an absolutely terrible idea.

Re:That's why I stopped using Wordpress (1)

billcopc (196330) | more than 5 years ago | (#29040339)

Securing a simple web app is mostly a matter of sanitizing your inputs (and sometimes the outputs as well). A good developer should be able to almost intuitively predict the weak points in an app and harden those. Sure, if you're just an average MCSE copy/pasting code from any random forum, you're asking to get owned, but if you understand what your data is doing and why, then it should be a natural part of your development process to identify what does and doesn't belong in your data structures, and ensure that nothing else gets in or out.

Re:That's why I stopped using Wordpress (1)

MikeBabcock (65886) | more than 5 years ago | (#29040479)

... and yet contrary to your assumptions, it would seem that professional programmers get this wrong on a regular basis, at least according to the security mailing lists I'm on.

Trusting someone worthy of your trust is much lower stress not to mention lower effort than rolling your own every time you need an application.

Re:That's why I stopped using Wordpress (0)

Anonymous Coward | more than 5 years ago | (#29042545)

... and yet contrary to your assumptions, it would seem that professional programmers get this wrong on a regular basis

He said "good developer", not "professional".

Re:That's why I stopped using Wordpress (1)

billcopc (196330) | more than 5 years ago | (#29047675)

Thank you, AC. It's nice to know some people can still tell the difference between the two.

One works for the money, the other is a developer.

Re:That's why I stopped using Wordpress (1)

Deanalator (806515) | more than 5 years ago | (#29079833)

"sanitizing inputs" is not a trivial task. Significant work has been done to break out of even the most sound sanitization and parameterization techniques, even the ones built into the various programming languages.

Almost no developers are aware of this research, and even if they do think about sanitization, they often end up just doing a simple regex.

Re:That's why I stopped using Wordpress (1)

gknoy (899301) | more than 5 years ago | (#29040539)

If your blog app only reads from a database, and never writes to it, what needs securing? You can write other tools to write to the db.

Re:That's why I stopped using Wordpress (1)

cosmotron (900510) | more than 5 years ago | (#29067157)

I wasn't recommending writing a full featured CMS, that would be crazy. Writing an application that grabs a row from a database is not hard and one would have to be _trying_ to make it vulnerable to do so.

Re:That's why I stopped using Wordpress (1)

krovisser (1056294) | more than 5 years ago | (#29042945)

Actually, I have, but as someone mentioned a few posts down, I doubt it's as secure as I'd like. It was mainly just to see if I could. See, I'd like a website that maintains itself, so I can maintain all the projects I put on the site, instead of the site itself.

Re:That's why I stopped using Wordpress (3, Insightful)

Deanalator (806515) | more than 5 years ago | (#29040127)

blogspot

Unless you have a team of developers and pentesters constantly maintaining your blog, you are better off getting it hosted somewhere else. Any given blog instance that is not properly maintained is only going to remain secure for about 6 months or so. If you, or you and a few people, or even a small company just want a simple blog to post stuff on, and you don't want to hire a staff of infosec monkeys, blogspot is definitely the way to go. The code is maintained by google, and data is redundantly backed up for you for free.

Re:That's why I stopped using Wordpress (1)

DNS-and-BIND (461968) | more than 5 years ago | (#29049599)

#1 I tend not to trust blogspot so much, for the same reason that I never trusted geocities sites back in the day. #2 Blogspot is blocked in a lot of places. I hate when someone sends me a link in a breezy tone, never thinking that it might not be accessible everywhere.

Re:That's why I stopped using Wordpress (1)

m50d (797211) | more than 5 years ago | (#29050023)

Blogspot is blocked in a lot of places. I hate when someone sends me a link in a breezy tone, never thinking that it might not be accessible everywhere.

You deserve that one. If you can't access arbitrary locations on the internet, that's your own fault for sucking. What's the alternative, I should always copy-paste a complete website rather than sending a link?

Re:That's why I stopped using Wordpress (1)

DNS-and-BIND (461968) | more than 5 years ago | (#29060677)

Uh, my own fault? By definition, a blocked site is beyond my (or anyone's) control. The alternative is to use websites that everyone can access, rather than the self-defeating behavior of limiting information to people with the luxury of unlimited internet access.

Re:That's why I stopped using Wordpress (1)

m50d (797211) | more than 5 years ago | (#29064743)

Uh, my own fault? By definition, a blocked site is beyond my (or anyone's) control.

If your ISP isn't giving you internet access, unfiltered, then that's your fault for not getting a better one. Likewise for your employer.

The alternative is to use websites that everyone can access

Which I'm supposed to figure out how? I should hack into all my friends' networks and read their blocklists before sending them anything?

Re:That's why I stopped using Wordpress (1)

Deanalator (806515) | more than 5 years ago | (#29080009)

I have a hard time understanding the concept of a site being blocked.

If a website that you are supposed to be able to see is blocked, then complain, move, or bounce past the blockage.

It's not that big of a deal (1)

PCM2 (4486) | more than 5 years ago | (#29041431)

I run a site on Wordpress and managing the software updates has never been a big deal for me. I have shell access at my hosting provider, so I initially just installed Wordpress using CVS. Every time they rolled out a new bugfix, I just ran a little shell script like: "update "

With recent versions of Wordpress, though, you don't even need to do that. When a new update is available, an alert appears on your admin dashboard. From there, you can actually click a button and have the system download the update and install it automatically. I know it can be a pain to back up your database etc., but in all honesty, for minor point bugfix updates all that is seldom if ever necessary (especially if you're diligent with backups in the first place).

Re:That's why I stopped using Wordpress (1)

siliconincdotnet (525118) | more than 5 years ago | (#29042335)

Try Movable Type. It's maybe not what I'd really call "lightweight", but it isn't huge either.

Re:That's why I stopped using Wordpress (1)

skeeto (1138903) | more than 5 years ago | (#29042813)

I use blosxom [sourceforge.net] , which is extremely lightweight. The only way to get lighter is to have a static blog. It's only about 800 lines of Perl in a single script, so anyone who knows a little programming can easily become intimate with it. Many people who use it, including me, slowly modify it over time [plover.com] to fit our needs, molding it like a piece of putty. Its small size, with its worse is better [plover.com] tradeoffs, makes it pretty robust in terms of security, because there isn't any complexity in which to have vulnerabilities emerge.

In the two years I have been using it I'm only aware of one vulnerability, which was a mere cross-site attack where a specific argument in a URL could inject HTML. If you renamed the script from the default (which should be done out of caution anyway) and had URL rewriting on, then you were immune.

The only downsides are no comment system and lack of navigation links, though there are plugins for those features.

Re:That's why I stopped using Wordpress (1)

skeeto (1138903) | more than 5 years ago | (#29042983)

To reply again with another tool,

There's a neat blog generator called Thingamablog [sourceforge.net] , which generates a static blog, and therefore has no vulnerabilities itself. Write entries offline, generate the static HTML, then sync that up to the server. Because there is no dynamic content, it works for hosts that only serve static content (like on Freenet, which can only "host" static pages) and minimizes the work done by the server. It's still pretty feature rich, with categories, and good navigation.

The downside is the lack of a comment system, since the whole thing is static. There are workarounds, though. It also stores everything in a little database that could be a lot better.

Re:That's why I stopped using Wordpress (1)

ReformatMe (1519913) | more than 5 years ago | (#29045525)

Why has nobody mentioned Habari? It's designed effectively as a less bloated version of WP. http://habariproject.org/ [habariproject.org]

PHP is the problem (0)

Anonymous Coward | more than 5 years ago | (#29046165)

The problem is php, not really wordpress. All self-managed php online software is full of security holes / constant updates. That's the life of php...

Re:That's why I stopped using Wordpress (1)

dasuser (1173323) | more than 5 years ago | (#29083981)

Humorously enough, a friend and I started rolling our own minimal blog software after realizing that a base install of Wordpress is over 6 MB.

It supports comments, multiple posting users, categories, has RSS, will let you theme it (although there is still a bunch of hardcoded HTML generation that we're working to remove for the next major revision) and is less than 300 KB installed.

Sourceforge project at http://sourceforge.net/projects/blobblogsystem/ [sourceforge.net]

Thanks (1)

Liquidretro (1590189) | more than 5 years ago | (#29039115)

Thanks for the notice. I just logged in and upgraded mine. Now to do the other sites later tonight.

Re:Thanks (2, Funny)

D Ninja (825055) | more than 5 years ago | (#29039411)

Now to do the other sites later tonight.

What, by chance, are the web addresses for your other sites?

No particular reason why I'm wondering. Just...um...want to read your blogs...

Re:Thanks (1)

Liquidretro (1590189) | more than 5 years ago | (#29040407)

hahahaha not falling for this one bud.

Re:Thanks (0)

Anonymous Coward | more than 5 years ago | (#29041555)

My domains just expired, so I'll give you the IP address:

http://127.0.0.1/ [127.0.0.1]

Dear Slashdot, (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#29039127)

please hide all the elements if the AJAX reply is "Moderated 'Interesting.' 0 points left."
Thank you.

Love,
Your #1 fan.

PS: In "preview," blank lines don't show up between the paragraphs if I'm using 3*CRLF or the

element.

Love,
Your #1 fan.

Re:Dear Slashdot, (0)

Anonymous Coward | more than 5 years ago | (#29039273)

PS: In "preview," blank lines don't show up between the paragraphs if I'm using 3*CRLF or the

element.

I meant "the <p> element."

Love,
Your #1 fan.

PS: Dear Slashdot,
I cannot change my password without knowing my old password, even if I click on a "password reset" link.

Love,
Your #1 fan.

Code is Poetry (3, Interesting)

pathological liar (659969) | more than 5 years ago | (#29039685)

If Code is Poetry then Wordpress is some 15 year old's notebook scribblings on angst, Twilight and Dashboard Confessional.

If you're looking for alternatives that don't have gaping security issues with seemingly every release, check out Serendipity [s9y.org].

Re:Code is Poetry (1)

BlueKitties (1541613) | more than 5 years ago | (#29039807)

Thy yonder Polygon, abstract yet concrete. From you the children of my loin spawn, deriving, overriding, and perfecting the methods of beauty you have defined. From thy concepts yee encapsulate the very essence of area and parameter, yet remain pure without implementation. Still yet, thy dynamic children are best left outside of inner loops because virtual table lookups hurt performance. Oh, the resolve of thy methods, the polymorphism of thy soul.

Re:Code is Poetry (0)

Anonymous Coward | more than 5 years ago | (#29039815)

and slashdot is the bathroom stall scribblings of a gay nerd in search of cock.

Re:Code is Poetry (1)

BlueKitties (1541613) | more than 5 years ago | (#29039891)

Thy Anonymous Coward, bold yet mysterious. Thy e-peen so small, yet full of self pleasure, tucked in thy hand. Thee take pleasure in boldness, yet lack the courage to face us account-to-account. Like a creepy gym teacher, thee read the stall, dreaming of responding to the scribbling, hoping for the day thy will present thy e-peen. But alas, you're not man enough.

Re:Code is Poetry (1)

Thalagyrt (851883) | more than 5 years ago | (#29040787)

This made me think of Wario Ware: Smooth Moves explaining the various forms.

PHP is doggerel (1)

hessian (467078) | more than 5 years ago | (#29042457)

It seems that most PHP apps have this problem because they encourage a "macro script" mentality.

Perl FTW.

Re:PHP is doggerel (0)

Anonymous Coward | more than 5 years ago | (#29044709)

Yes, much better to have a blog that is implemented on one line and looks like line noise.

Just kidding! I like and program in both Perl and PHP :)

WordPress is Awesome (3, Informative)

mrspecialhead (211339) | more than 5 years ago | (#29040691)

*opens dashboard, presses "Upgrade to 2.8.4" button*

Fixed. :D

Re:WordPress is Awesome (3, Insightful)

dubbreak (623656) | more than 5 years ago | (#29042169)

*opens dashboard, presses "Upgrade to 2.8.4" button*

Fixed. :D

Not sure why you got modded down (probably just the way you put it). Upgrading Wordpress is trivially easy.

Exploits happen, and this is a pretty minor one (just an annoyance, not user permission escalation, admin rights etc). They got a fix out quick and it's easy enough to apply.

Don't get it (1)

cowdung (702933) | more than 5 years ago | (#29041131)

I'm not a PHP expert, but why does this work?

// Strip every character that is not a letter or digit. Note that preg_replace()
// accepts an array subject and then returns an array, not a string.
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )   // empty() is false for any non-empty array
    return new WP_Error('invalid_key', __('Invalid key'));

// Look up the user whose stored activation key equals the filtered value.
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
    return new WP_Error('invalid_key', __('Invalid key'));

Is it because the $key is an array and that somehow makes the $user get a value?

Re:Don't get it (3, Informative)

MtlDty (711230) | more than 5 years ago | (#29042999)

There is a discussion about the vulnerability on StackOverflow [stackoverflow.com]

Bah most web programs have that bug (1)

Orion Blastar (457579) | more than 5 years ago | (#29041371)

for the password reset. You enter the Admin's user ID and click on a "Forgot password" button or link and it emails a new password to the email the Admin uses.

Some software like Scoop has it and the new password is only good for a few days or so, in case the user or admin didn't request a new password and it allows the old password to work until the new password is used. Only the new password is emailed to the email address on file.

Now if it showed the new password on the web page, that would be locking out the admin from their account as the exploiter can log in as the admin and then change the email the password is reset back to and lock the admin out. But in this scenario the admin gets an email with a new password and if he or she reads the email, they can log back in. They aren't locked out if they read the email that has the new password.

PHP is to blame (2, Informative)

sverrehu (22545) | more than 5 years ago | (#29042521)

It appears that PHP, upon seeing an incoming parameter with a name that ends in [something] (where something may be empty), automatically turns that variable into an array.

How many of you PHP developers out there knew that? I didn't. And I had to dig quite a bit to find a reference to this behaviour in the docs.

So, incoming stuff from the URL or the POST data are no longer strings all the time. Can they magically become other things than strings and arrays as well? Maybe not now, but what if some PHP developer thinks up another "nifty" feature _after_ I read the docs; how then am I supposed to protect my application in the future? Do I need to re-read the docs every time I upgrade PHP?

And is there a way to turn this "we know better than you what you need"-behaviour off?

I'm sick of seeing framework developers add "nifty" features that you have to know about in order to write secure code. It's not only PHP, but also several highly popular Java frameworks that I work with these days. Some of them make it quite easy to write to object fields that are normally out of reach of the input fields in a form.

I want a framework that makes it impossible to make mistakes, and where you have to _enable_ potentially dangerous features when you _know_ you need them, rather than _disable_ potentially dangerous features most people don't know about (or use).

Re:PHP is to blame (1)

Zaiff Urgulbunger (591514) | more than 5 years ago | (#29043071)

I must admit that I didn't, and it is bothering me a bit. As I was reading the disclosure, before I got to the example, I did kind of think maybe the bug was going to be something like:

http://example.com/reset.php?key=&key=

If it had been that, that would (to my mind) be more reasonable for it ($_GET['key']) to return an array, but yeah, the square brackets = an array is totally new to me.

PHP seems to be full of far far too much "helpful" crap like this!

Re:PHP is to blame (1)

bobdown2001 (528975) | more than 5 years ago | (#29045427)

I actually thought the ability to pass an array via a query string was actually more part of the HTTP standard than something that was developed especially for PHP.

Re:PHP is to blame (0)

Anonymous Coward | more than 5 years ago | (#29048635)

It appears that PHP, upon seeing an incoming parameter with a name that ends in [something] (where something may be empty), automatically turns that variable into an array.

How many of you PHP developers out there knew that?

I think any PHP developer would know that. But, you still need to access that variable from $_GET / $_POST / $_WHATEVER, it doesn't magically appear in your app (with sane defaults like register_globals = off). If you do but don't bother to filter your input [php.net], you can't blame PHP for that.

Re:PHP is to blame (0)

Anonymous Coward | more than 5 years ago | (#29049213)

How many of you PHP developers out there knew that? I didn't.

I did. And I do not consider myself a PHP developer.

Do I need to re-read the docs every time I upgrade PHP?

Depends on what you want. If you want to know precisely what is going on, then you need to read every changelog at the least.
Of course.

And is there a way to turn this "we know better than you what you need"-behaviour off?

Stop using PHP, or alternatively: read the changelog / docs and see what they changed, and how to tweak it.
When I was actively devving PHP, PHP usually offered a way to turn this "we know what you need" behaviour off.

I want a framework that makes it impossible to make mistakes, and where you have to _enable_ potentially dangerous features when you _know_ you need them, rather than _disable_ potentially dangerous features most people don't know about (or use).

Paraphrasing:

The moment they make something foolproof, an improved fool will come along

Here's the thing: know what you're using. If you want to secure your house, you can just buy an expensive lock. Or you check out what the best lock is, and try to find out weaknesses of locks. And you find out what locks are good for, and what they don't do. And then you get the lock that fits your needs, and you don't expect more of it.

As with most things, putting in time pays off. But the payoff is not always sufficient to put in the time.

By the way, if you believe wordpress is secure, think again. PHP is not to blame for insecure PHP applications, the apps are to blame.
And wordpress is a humongous app, and it has its share of problems. Don't expect rock-solid security from it.
(Then again, if you want rock-solid security, why on earth are you blogging anyway??)

Stupidity (3, Insightful)

pkretek (247414) | more than 5 years ago | (#29043907)

I wonder why somebody would code that part the way they did it. As far as I understand it, they are trying to validate code by blacklisting instead of whitelisting:

(from http://core.trac.wordpress.org/changeset/11798 [wordpress.org])
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
    die();

If you expect a hash you generated yourself, why don't you test if it preg_matches the spec you used to generate it in the first place? (/^[a-zA-Z0-9]{20}$/ in this case)

Well that and being naive enough to expect $_GET["key"] to always return a string....

Re:Stupidity (2, Informative)

Skadet (528657) | more than 5 years ago | (#29044841)

Right, I wondered myself why there was no validate_key_is_valid() function, or even a simple cast for that matter. $key = (string)$key.

On the other hand, this isn't exactly PHP's fault (or MySQL's, for that matter). The query:

$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));

They're selecting a row (the user) by a column (user_activation_key) that can be blank. Not NULL but literally an empty string. Bad.
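The three comments above ("Don't get it", "Stupidity" and this reply) circle the same two facts: PHP's query-string parser turns a bracketed parameter name into an array, and the quoted blacklist-style filter never checks the type or shape of what it received. The following PHP is an added illustration, not WordPress code, that puts the blacklist check side by side with the whitelist check suggested in the "Stupidity" comment. The 20-character alphanumeric pattern is taken from that comment and is an assumption about the key generator; the sample key and inputs are constructed. parse_str() applies the same bracket rules as $_GET and $_POST, so the array behaviour can be shown without a web server.

```php
<?php
// Added example (not WordPress code). Contrasts a strip-then-check filter with
// a type-and-format whitelist for a reset key that the application itself
// generated.

// PHP turns "name[]" (and "name[foo]") in a query string into an array.
// parse_str() follows the same rules as $_GET / $_POST.
parse_str('key=abc123', $plain);      // $plain['key'] is the string 'abc123'
parse_str('key[]=abc123', $bracket);  // $bracket['key'] is an array
var_dump(is_string($plain['key']), is_array($bracket['key']));

// Blacklist style, as quoted on this page: strip anything non-alphanumeric,
// then reject only when the result is "empty". preg_replace() accepts an
// array subject and returns an array; empty() is false for any non-empty
// array, even one whose only element is '', so an array is not rejected.
function check_key_blacklist($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return false;   // rejected
    }
    return $key;        // accepted: may be a string or an array
}

// Whitelist style: insist on a real string, then insist it has exactly the
// shape the generator produced. The 20-character alphanumeric pattern is an
// assumption taken from the comment above, not verified against WordPress.
// The fixed length also rejects '', which matters because an empty string
// would compare equal to a blank user_activation_key column.
function check_key_whitelist($key) {
    if (!is_string($key)) {
        return false;   // arrays, null, ints: rejected before any regex runs
    }
    if (!preg_match('/^[a-zA-Z0-9]{20}$/', $key)) {
        return false;   // wrong length, empty, or stray characters
    }
    return $key;
}

// Constructed inputs. The array case is the only one where the two checks
// disagree, and it is the case the bracket syntax produces.
$sampleKey = 'A1b2C3d4E5f6G7h8I9j0';   // constructed 20-character key
$inputs = [
    'valid key'    => $sampleKey,
    'empty string' => '',
    'array input'  => [$sampleKey],
    'symbols only' => '!!!!',
];

foreach ($inputs as $label => $value) {
    $b = check_key_blacklist($value);
    $w = check_key_whitelist($value);
    printf("%-13s blacklist=%-7s whitelist=%s\n",
        $label,
        $b === false ? 'reject' : (is_array($b) ? 'ARRAY' : 'accept'),
        $w === false ? 'reject' : 'accept');
}
```

The is_string() test does the work that the `(string)$key` cast mentioned above would also do, with one difference worth knowing: casting an array to string in PHP yields the literal text "Array" (and raises a warning), which the length-and-charset pattern would then reject anyway, whereas is_string() refuses the value before any further processing.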

number10.gov.uk (0)

Anonymous Coward | more than 5 years ago | (#29050549)

number10.gov.uk anyone? :)