
Wordpress 2.1.1 Release Compromised by Cracker

Zonk posted more than 7 years ago | from the not-my-emo-comments-and-angsty-statements dept.

Security 48

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier for to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."
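The log check the summary recommends (hits on theme.php or feed.php whose query string carries ix= or iz=) is easy to get slightly wrong with a plain grep, so here is an added example of doing it as a small parser. It is not code from the announcement or from WordPress; the log lines are constructed for the example, and the two-level classification (requests to the two scripts with an ix=/iz= parameter are "high", other requests to those scripts are "review") is this example's own choice.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators from the announcement: requests to these two scripts carrying
# an ix= or iz= parameter are the ones worth pulling out of the logs.
SUSPECT_SCRIPTS = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Constructed sample lines (addresses are documentation ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2007:10:12:01 +0000] "GET /wp-includes/theme.php?ix=abc123 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [03/Mar/2007:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2007:10:13:44 +0000] "POST /wp-includes/feed.php?iz=1 HTTP/1.1" 200 300 "-" "curl/7.15"
192.0.2.9 - - [03/Mar/2007:10:14:10 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "FeedReader/1.0"
192.0.2.9 - - [03/Mar/2007:10:15:10 +0000] "GET /wp-includes/theme.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def classify_request(target):
    """Return 'high', 'review' or None for one request target (path + query)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]          # basename, '' for /feed/
    if script not in SUSPECT_SCRIPTS:
        return None
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if params & SUSPECT_PARAMS:
        return "high"
    return "review"                                  # worth a look, but no indicator param


def scan_log(text):
    """Parse combined-format lines and keep only the suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # unparseable line, skip it
        level = classify_request(m["target"])
        if level:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": m["status"], "level": level,
            })
    return findings


def hits_by_client(findings, level="high"):
    """Count findings of one level per client address."""
    return Counter(f["ip"] for f in findings if f["level"] == level)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['level']:6} {f['ip']:15} {f['ts']} {f['method']} {f['target']} {f['status']}")
    print("high-confidence hits per client:", dict(hits_by_client(found)))
```

Run it against a real access log by passing the file contents to scan_log. A 200 status on a "high" line does not by itself prove the request did anything; it only tells you the request reached a script that, in a compromised 2.1.1, would have acted on it, so those clients are the ones to investigate first.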


48 comments

Damn crazy crackahs. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18215714)

Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

Seriously, it's "hacker" now. Give up.

Re:Damn crazy crackahs. (4, Funny)

User 956 (568564) | more than 7 years ago | (#18215826)

Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

I thought the politically-correct term for "cracker" was "caucasian-american"?

Re:Damn crazy crackahs. (0, Troll)

linvir (970218) | more than 7 years ago | (#18215900)

it's "hacker" now. Give up
Fukken seconded.

Re:Damn crazy crackahs. (2, Funny)

PietjeJantje (917584) | more than 7 years ago | (#18216106)

What about this arrangement: let us all agree here to call hackers crackers from now on, and don't tell the media. This should fix things and create a clear divide again. Now excuse me while I'm off cracking some new code.

Re:Damn crazy crackahs. (0)

Anonymous Coward | more than 7 years ago | (#18217392)

It's not the first time media has hijacked [wikipedia.org] a word. Very useful.

Re:Damn crazy crackahs. (1, Insightful)

linvir (970218) | more than 7 years ago | (#18217462)

  • Hacker
    A very, very naughty boy who does wicked, wicked things to other peoples' computers, and brags about it on websites with black backgrounds and green text. Used to mean programmer, but doesn't any more. The old meaning is still used by old programmers living in the past, and by new programmers wishing to associate themselves with both programmers and naughty boys simultaneously. Nobody who calls themselves a "hacker" or refers to their activities as "hacking" is worth any of your time or money, no matter whether their surname is "Stallman" or "Mitnick".
  • Cracker
    A word invented by programmers who liked calling themselves hackers, didn't want to lose the term to the naughty boys, and thought that if they just pulled a new word out of their arse, people would gladly learn it and use it. Finally took its last breath when black Americans began to use it as a counterpart to the derogatory word "nigger". Nobody (nobody) calls themselves a "cracker" or refers to their activities as "cracking".

Re:Damn crazy crackahs. (1)

maggard (5579) | more than 7 years ago | (#18218348)

Clever except that "hacking" predates software coding as a trade and calling certain folks "Crackers" predates both.

Nicely formatted tho'.

Re:Damn crazy crackahs. (1)

undoIT (1070894) | more than 7 years ago | (#18216126)

ya know. if i was a smacka jacker cracka crack hacker, i'd be all up in the spam co's databases, emolating their servurz

Re:Damn crazy crackahs. (0)

Anonymous Coward | more than 7 years ago | (#18217336)

Seriously, it's "hacker" now

Yeah, that's what crackers have been trying to convince us of all along.
I would settle for 'wannabee' or 'kiddie' though, and recently I added 'spammer' to that list.

PHP and certificates (1)

MichaelSmith (789609) | more than 7 years ago | (#18215732)

Makes me wonder if the PHP VM could do a hash of the application code and compare that with a certificate from the source of the application. I know that the injected code in this case would have been certified, but it would make it easier to identify sites which had not been upgraded.

Isn't that a job for the app? (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18215838)

Have a really simple index.php, which can then verify the source of the rest of the app (include files, etc)?

But really, I don't think this accomplishes a hell of a lot. It wouldn't help you know which ones haven't been updated, for one thing...

NO (1)

cortana (588495) | more than 7 years ago | (#18216428)

If it is a job for the app, then everyone will implement it themselves, and no one will do it right.

So what? (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18220118)

That will happen anyway.

If you put it in the app, there's at least a chance it'll be done right by some library that everyone ends up using. If you put it in the interpreter, the interpreter gets crufty for everyone, including people who don't care about source code signing, and people who might have a legitimate reason for implementing it a little differently.

Or, let me make this very simple: If we were talking about C, would you be in favor of including it in the operating system? Or the C compiler?

Re:PHP and certificates (0)

Anonymous Coward | more than 7 years ago | (#18215966)

A simple PGP sig on the distributed .tar.gz would have been enough. Just like everyone else with clue does it.

Re:PHP and certificates (1)

Jessta (666101) | more than 7 years ago | (#18216218)

When should this hash check be done?
on every page request?
I can imagine that slowing requests down a bit.

Made it easier for ... (2, Insightful)

asifyoucare (302582) | more than 7 years ago | (#18215736)

Zonk, what do they pay you for?

Re:Made it easier for ... (1)

Pyrex5000 (1038438) | more than 7 years ago | (#18215748)

It's late at night. Nothing like a bottle of Mountain Dew and a flame war to keep the programmers awake. So, how about that PHP?

Re:Made it easier for ... (1, Flamebait)

DavidHOzAu (925585) | more than 7 years ago | (#18215770)

Oh please. Lay off the Zonk bashing. Read the summary and note that it was not written by Zonk.

Don't like the stories? Then take a drink from the FireHose [slashdot.org] and mod up the contributions that interest you.

Re:Made it easier for ... (1)

GrumpySimon (707671) | more than 7 years ago | (#18215790)

Yes, my bad. I was moving stuff around & trying to make it coherent. I must have missed that. You may mock me mercilessly.

Re:Made it easier for ... (1)

Goaway (82658) | more than 7 years ago | (#18217446)

The reason one has editors, normally, is to catch such mistakes and fix them before the thing is published. Of course, Slashdot "editors" do not do any actual "editing".

It makes Slashdot "more real", according to Taco!

Zonk gets *paid*?! (0)

Anonymous Coward | more than 7 years ago | (#18215912)

For what? Posting idiotic dupes, screeds of Australian non-stories, or links to adblogs such as Roland Piquep- oh, I get it...

What you say!! (-1)

Anonymous Coward | more than 7 years ago | (#18215782)

made it easier for to execute code remotely...
All your blogs are belong to us.

Key Details (5, Informative)

Kelson (129150) | more than 7 years ago | (#18215794)

From the article, and from some comparisons I did on the downloads:

  • The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
  • Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
  • If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
  • 2.1.2 also includes a fix for a cross-site scripting vulnerability [wordpress.org] discovered a few days ago, so it's worth updating anyway. (diff)

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.

Re:Key Details (2, Insightful)

djupedal (584558) | more than 7 years ago | (#18215852)

'...confirming that the initial release was unaffected.'

No, sorry.

It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

"If you downloaded 2.1.1 when it was first released, it's probably okay. "

'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

Re:Key Details (1)

Kelson (129150) | more than 7 years ago | (#18216008)

It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

Good point. In this case, the WP folks seem certain it was compromised within the last four days, but you're right, my data point doesn't confirm anything later than whatever time of day it was on Feb. 21.

What I was trying to say was that what I've seen is at least consistent with the timeline that Matt presented. I guess I took the logic a bit too far.

Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

True. The effort to upgrade is a lot less than the risk of having missed something. For the record, I upgraded to 2.1.2 immediately, even after verifying my copy. I just felt a lot calmer about the process.

Re:Key Details (1)

slack_prad (942084) | more than 7 years ago | (#18216222)

Don't they use md5 hashes for integrity check?

Re:Key Details (1)

DrSkwid (118965) | more than 7 years ago | (#18216298)

md5 alone wouldn't be any use, it's been compromised for comparing the identity of two data blocks.

Re:Key Details (1)

maxume (22995) | more than 7 years ago | (#18218464)

Is a locked door that is less than indestructible useless?

(That is, if the cracker that did this wasn't able to generate an attack on the md5, it would have mitigated the consequences (assuming somebody bothered to check))

Re:Key Details (1)

Kelson (129150) | more than 7 years ago | (#18218912)

The "download archive" page (which lists every public release since WordPress branched from B2) provides MD5 hashes, but they're not linked or listed from the main download page for some reason. It's also not made clear on the page whether the MD5 hash is of the ZIP archive or the tar.gz archive.

So while the hash is there, probably only 1% of downloaders would even see that it exists.
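Two checks come up in this subthread: comparing the archive you have against a published hash, and comparing two release archives member by member the way Kelson did with diff. Here is an added example that does both on tiny in-memory tar.gz files; it is not WordPress code or anything from the download page, and the archive contents and the "published" MD5 are constructed for the example.

```python
import hashlib
import io
import tarfile


def build_archive(files):
    """Build a tar.gz in memory from {member_name: bytes}; returns the archive bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(data):
    """Hashes of the whole archive, as a download page might list them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha256")}


def verify_published_hash(data, published_md5):
    """The check a downloader can do when a hash is published for the archive."""
    return hashlib.md5(data).hexdigest() == published_md5.strip().lower()


def archive_members(data):
    """Map of regular-file member names to their contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
    return out


def diff_archives(first, second):
    """Which members were added, dropped or changed between two archives."""
    a, b = archive_members(first), archive_members(second)
    return {
        "only_in_first": sorted(set(a) - set(b)),
        "only_in_second": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


# Constructed miniature "release" tree; these are placeholder files, not WordPress sources.
CLEAN = {
    "wordpress/index.php": b"<?php require './wp-blog-header.php'; ?>\n",
    "wordpress/wp-includes/feed.php": b"<?php // feed helpers ?>\n",
    "wordpress/wp-includes/theme.php": b"<?php // theme helpers ?>\n",
}
TAMPERED = dict(CLEAN)
TAMPERED["wordpress/wp-includes/theme.php"] = (
    b"<?php // theme helpers ?>\n<?php /* extra lines inserted by a tamperer */ ?>\n"
)

CLEAN_TGZ = build_archive(CLEAN)
TAMPERED_TGZ = build_archive(TAMPERED)
# Stands in for the MD5 listed on the download-archive page at release time.
PUBLISHED_MD5 = file_digests(CLEAN_TGZ)["md5"]


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TGZ), ("tampered", TAMPERED_TGZ)):
        print(label, "matches published md5:", verify_published_hash(blob, PUBLISHED_MD5))
    print(diff_archives(CLEAN_TGZ, TAMPERED_TGZ))
```

The member-by-member diff is what actually tells you which files were touched, which is the question an admin has after reading the announcement. The hash comparison only helps if the published hash was recorded before the swap and is hosted somewhere the attacker could not edit along with the archive; a hash sitting next to the download on the same server is replaced as easily as the download itself, which is why the thread keeps coming back to signatures.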

Re:Key Details (1)

kripkenstein (913150) | more than 7 years ago | (#18216236)

Given these details, this raises the (recurring) issue of where it is safe to get software from. I generally assume that I am fairly safe in using only stuff from my distro's repositories, rather than getting the bleeding-edge versions from individual sources. But I guess I am presuming that central repos are better-secured and more carefully monitored than separate ones - well, perhaps not necessarily on average, but at least from a worst-case perspective (lots of different sources means more chances for at least one mistake to occur).

Cracker (0, Redundant)

Bo'Bob'O (95398) | more than 7 years ago | (#18215930)

First time I read that headline, I wondered for a second why it was significant it was compromised by a white guy.

Re:Cracker (1)

ThomasHoward (925022) | more than 7 years ago | (#18215956)

Script kiddie would be a better term, regardless of technical knowledge, the person had the attitude of a script kiddie.
I hope they catch the worthless sack of shit that did it, too bad that probably won't happen.

Re:Cracker (1)

undoIT (1070894) | more than 7 years ago | (#18216230)

"I've been crackered!"

Parse error: syntax error, unexpected $end in /home/myaccount/public_html/weirded/wp-admin/admin-functions.php on line 2327
...unless i just forgot my site is installed in a sub-directory while trying to run upgrade.php ;)

Also update your.. (2, Informative)

blankoboy (719577) | more than 7 years ago | (#18215948)

To stray on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change your WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed who knows what was done and if what was seen. Perhaps it may be good to even update existing WP user passwords.

Re:Also update your.. (1)

teslar (706653) | more than 7 years ago | (#18217240)

To stray on the side of caution, as we don't yet know the nature of the code that was changed [...] who knows what was done
Err. diff would tell you exactly what bits - and thus the nature - of the code that was changed. Also, TFA knows what was done:

They modified two files in WP to include code that would allow for remote PHP execution.

This is always a major concern for OSS projects (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18216412)

Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

OSS releases should be GPG signed by now, unless the attacker can compromise the key we're then left with tampering in the repository.

Re:This is always a major concern for OSS projects (0)

Anonymous Coward | more than 7 years ago | (#18217328)

Actually OSS makes things easier to compromise. Much easier to trawl through the code looking for known bad code or even slip in a patch that fixes something else. I wouldn't doubt that there are already agencies doing such work even with proprietary software. However, that assumes you have something worth knowing.

Suggestion:GPG! (1)

natmakarvitch (645080) | more than 7 years ago | (#18216716)

There is an efficient way to avoid such tampering, or at least to hope that those tricks will be quickly discovered by somebody: seal (sign) your published works, dammit!
  • have a well-signed and published (on the keyservers) GnuPG (GPG) key
  • only transfer/store the private key on absolutely sure boxes, and only if it is strictly necessary
  • keep a backup of the private key in an ultra safe place
  • give a copy of the revocation certificate to a few very good friends
  • publish the public key on a good keyserver
Then sign every archive published, let the file be mirrored everywhere... and the hell with the polluters! For now most users will not verify the signature but at least a few of them will do, and with time a growing number will join.
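Here is the sign-then-verify round trip from that list as an added example, with the project side and the downloader side kept in separate keyrings so the private key never leaves the signer's machine. It is not WordPress code and not the poster's; it assumes a GnuPG 2.1 or later `gpg` on PATH (the function returns None if there is none), the signer identity and the archive bytes are constructed, and the temporary keyrings are thrown away afterwards.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed signer identity; nothing here is a real project key.
SIGNER_UID = "Example Release Signer <signer@example.invalid>"


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively against a private keyring directory."""
    cmd = ["gpg", "--batch", "--no-tty", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True)


def kill_agent(home):
    """Best effort: stop the agent gpg started for this temporary keyring."""
    subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                   capture_output=True)


def new_home(root, name):
    path = os.path.join(root, name)
    os.mkdir(path, 0o700)  # gpg warns on, and may refuse, a world-readable homedir
    return path


def verify_detached(home, signature, archive):
    """True only if gpg reports a good signature from a key in this keyring."""
    return gpg(home, "--verify", signature, archive).returncode == 0


def sign_and_verify_demo():
    """Return (verdict on the clean archive, verdict after tampering), or None without gpg."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as work:
        signer = new_home(work, "signer")   # the project's release machine
        user = new_home(work, "user")       # a downloader's machine
        try:
            archive = os.path.join(work, "example-release.tar.gz")
            with open(archive, "wb") as f:
                f.write(b"constructed archive bytes, not a real release\n")

            # Project side: the private key stays here; only the public half is published.
            r = gpg(signer, "--quick-generate-key", SIGNER_UID, "ed25519", "sign", "0")
            if r.returncode != 0:
                raise RuntimeError(r.stderr)
            public_key = gpg(signer, "--armor", "--export", SIGNER_UID).stdout
            sig = archive + ".asc"
            r = gpg(signer, "--yes", "--armor", "--detach-sign", "--output", sig, archive)
            if r.returncode != 0:
                raise RuntimeError(r.stderr)

            # User side: import the published key (from a keyserver, in the real case),
            # then check the download against the detached signature.
            r = gpg(user, "--import", stdin=public_key)
            if r.returncode != 0:
                raise RuntimeError(r.stderr)
            clean_ok = verify_detached(user, sig, archive)

            # The archive is swapped on the mirror; the old signature no longer matches.
            with open(archive, "ab") as f:
                f.write(b"<?php /* lines inserted by a tamperer */ ?>\n")
            tampered_ok = verify_detached(user, sig, archive)
            return clean_ok, tampered_ok
        finally:
            kill_agent(signer)
            kill_agent(user)


if __name__ == "__main__":
    print(sign_and_verify_demo())  # (True, False) when gpg is available
```

A good-signature result here means the bytes match what the key holder signed; whether you trust that key is the separate question the list above addresses with keyservers and a well-signed key. Note also that gpg exits 0 on a valid signature from an unknown-trust key and merely prints a warning, so a script that only checks the exit status still needs the key to have come from somewhere you trust.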

What about Wordpress mu? (1)

edmicman (830206) | more than 7 years ago | (#18217312)

How does this affect Wordpress mu (multiuser)? http://mu.wordpress.org/ [wordpress.org]

Re:What about Wordpress mu? (0)

Anonymous Coward | more than 7 years ago | (#18217812)

Just to be on the safe side, I would follow the same procedure.

If you downloaded it in the last 3-4 days, assume it to be compromised.

Fortunately, you can use rewrite rules to wipe out any requests going to feed.php or theme.php. They are in the wp-includes directory, so no legitimate clients should be calling them.

Doesn't matter, WP can't handle heavy loads. (1)

liftphreaker (972707) | more than 7 years ago | (#18223462)

As an ex-wordpress user, this just points out one among the many changes and improvements they need to make. Security is important, but if the fundamental framework itself is weak, nothing else is going to matter too much. Wordpress is crippled in that it simply can't take a digg or heavy slashdot hit. Check out any wordpress site that's been dugg to front page, chances are 99% it's going to be dead in minutes.

Re:Doesn't matter, WP can't handle heavy loads. (1)

Trillan (597339) | more than 7 years ago | (#18250776)

I don't know if it could handle slashdot or a digg, but one of the major pushes recently has been SQL query optimization. It's made a big difference.