By Jake Edge
September 9, 2009
The WordPress content management system
(CMS) has been in the news lately—for reasons the project and its
users would probably rather not see—as there have been a rash
of attacks
against older versions of WordPress. At least one high-profile blogger,
Robert Scoble, succumbed
to the attack, posting that he no longer felt safe with WordPress.
Various others also piled on, but the problem that was being exploited had
been fixed in early August; the affected sites just hadn't upgraded.
Keeping up with security updates can be time-consuming, especially for
relatively non-technical users who are hosting a CMS site simply to provide
themselves a place to blog. One could easily argue that those kinds of
users would be best served by using one of the free services available for
such things. But, those services tend to have fewer features—often
to encourage upgrading to a subscription-based support plan—leaving
bloggers who want the latest shiny features to host WordPress (or other
similar CMS programs) themselves.
At least for WordPress, many of those shiny features come as plugins to the CMS
engine. When security updates are made, changes required for the plugins
may very well lag behind. Even if the upgrade wouldn't affect the plugins
at all, concerns over that happening led various folks, including Scoble,
to wait a while before upgrading:
I wanted to run my own blog. Mostly so I could use various plugins and play
around. I didn't realize that Wordpress had major holes in it. I figured
that since it was several years old that the nasties had been found and
removed and that it wasn't so brittle. Turns out my assumptions were
wrong. I was also overly scared of upgrades, because of how software
works.
In the comments on Scoble's blog posting (where the above quote comes
from), as well as in a conversation
on his FriendFeed, it is clear that numerous other folks have run into
similar problems with attacks as well as issues with upgrades. WordPress
developer Matt Mullenweg has numerous comments on Scoble's complaints, and
his suggestions are fairly obvious: update immediately when there are
outstanding security patches and, if that's not possible, consider moving
to a managed provider (possibly WordPress.com, the commercial side of
WordPress development).
Mullenweg's advice is good, but it would also seem that the WordPress project
could be doing more to highlight security issues. The
project home page lacks obvious links for security information—though
it currently has a link to Mullenweg's How
to Keep WordPress Secure posting—and searching for "security" on
the site does not bring up any centralized location for that kind of
information. It is probably just an oversight, but even the "Security"
category on the WordPress
blog does not contain the 2.8.3
announcement, which is the release that fixes the problem being
exploited.
For a new, or casual, WordPress user, it would certainly seem possible that
they might miss these security announcements. The WordPress software will
alert the user that there are updates available—and there is an email
list for new release notification—but there are numerous ways to add
content to a WordPress blog without logging into the administrative
interface, so the alerts may be missed. It's clear from his comments that
Mullenweg takes security seriously, but that message may not be
getting out to the WordPress faithful.
The actual bug that is being exploited is a run-of-the-mill privilege
escalation flaw. While the bug itself may be pedestrian, the consequences
are not, as Scoble and others found. Scoble's situation was exacerbated by
not having any backups (!), but the bigger problem is how to get the system
back to a "safe" state after it has been exploited. Depending on how
WordPress was installed, the only safe way to restore a cracked system may
be to reinstall the entire operating system. These kinds of attacks can
leave various back doors behind that stay active even after WordPress
itself has been
upgraded.
The point is not to pick on WordPress, or even CMS programs in general, but
to note a general problem. There is a tension between the fear of
upgrading and the fear of an attack, and many users fear the former much
more than the latter. WordPress has made great strides in simplifying the
upgrade process, but it still has the potential to break
things—especially in plugins that are completely outside of the
project's control. As it turns out, the privilege escalation vulnerability
was related to how certain plugins' administration pages were handled.
Web application security is hard. It is harder still when trying to create
a general purpose web application platform, particularly one that allows
plugins to fairly arbitrarily change its behavior. This is certainly not
the last attack against WordPress or CMS programs that we will see. It is
definitely in the best interest of these projects and their users to pay
close attention to security issues as they arise.
Comments (12 posted)
Brief items
Here's an entry on the WordPress Blog on keeping installations secure - a topic WordPress administrators should be especially concerned about at the moment. "Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."
Comments (2 posted)
Ars technica looks at a free software release of deep packet inspection (DPI) code from ipoque. At least part of the motivation for releasing the code is to allay fears that ipoque's DPI hardware is digging into the actual content, rather than the packet formats and timing, of encrypted traffic, but this release may not succeed in doing that: "The OpenDPI engine, released under the LGPL license, differs from ipoque's commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn't reveal ipoque's methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions."
Comments (24 posted)
Security reports
Red Hat's director of security response, Mark J. Cox, has released another of his risk reports, this one looking at the security updates between RHEL 5.3 and 5.4. He notes that of the nine vulnerabilities of "critical" severity in that time, seven were for Firefox. It is interesting to note that the three NULL pointer vulnerabilities for the kernel were not rated as critical as they were not remotely exploitable. He also points out that three flaws which would have required critical updates, instead required no update—or in one case a low severity update for a denial of service—due to various mitigations (FORTIFY_SOURCE and hardened malloc/free) present in RHEL.
Comments (20 posted)
New vulnerabilities
cmus: temporary file vulnerability
| Package(s): | cmus |
| CVE #(s): | CVE-2008-5375 |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: The cmus (C* Music) player suffers from a temporary file vulnerability; 2.2.0-r1 contains the fix.
Comments (none posted)
cyrus-imapd: buffer overflow
| Package(s): | cyrus-imapd |
| CVE #(s): | CVE-2009-2632 |
| Created: | September 8, 2009 |
| Updated: | October 24, 2011 |
Description: From the Debian advisory:
It was discovered that the SIEVE component of cyrus-imapd, a highly scalable enterprise mail system, is vulnerable to a buffer overflow when processing SIEVE scripts. Due to incorrect use of the sizeof() operator an attacker is able to pass a negative length to snprintf() calls resulting in large positive values due to integer conversion. This causes a buffer overflow which can be used to elevate privileges to the cyrus system user. An attacker who is able to install SIEVE scripts executed by the server is therefore able to read and modify arbitrary email messages on the system.
Comments (none posted)
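The defect the cyrus-imapd advisory describes is arithmetic rather than parsing: a remaining-length value computed as a signed difference goes negative, and the implicit conversion to snprintf()'s size_t parameter turns it into a huge positive length. The following is an added illustration constructed for this page (not cyrus-imapd code) that shows the naive computation beside a clamped one, used by a checked append helper.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration of the bug class in the cyrus-imapd advisory
 * (not cyrus source): the room left in a buffer is computed as a signed
 * difference and passed straight to snprintf(), whose size parameter is
 * size_t. Once 'used' exceeds 'bufsize' the difference is negative, and
 * the conversion yields a very large positive length. */
size_t naive_room(int bufsize, int used)
{
    int room = bufsize - used;   /* negative when used > bufsize */
    return (size_t)room;         /* e.g. -16 becomes SIZE_MAX - 15 */
}

/* Hardened form: unsigned arithmetic with an explicit clamp, so the
 * length handed to snprintf() can never exceed the real buffer size. */
size_t safe_room(size_t bufsize, size_t used)
{
    return used >= bufsize ? 0 : bufsize - used;
}

/* Append src at offset 'used' in dst[bufsize] using safe_room(); returns
 * the new used count. Truncation is detected from snprintf()'s return
 * value so the caller stops instead of walking off the end of dst. */
size_t append_checked(char *dst, size_t bufsize, size_t used, const char *src)
{
    size_t room = safe_room(bufsize, used);
    if (room == 0)
        return used;                /* nothing fits, not even the NUL */
    int n = snprintf(dst + used, room, "%s", src);
    if (n < 0)
        return used;                /* encoding error: leave dst as is */
    size_t wrote = (size_t)n;
    if (wrote >= room)
        wrote = room - 1;           /* output was truncated to room-1 chars */
    return used + wrote;
}
```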
devscripts: missing input sanitation
| Package(s): | devscripts |
| CVE #(s): | CVE-2009-2946 |
| Created: | September 3, 2009 |
| Updated: | October 9, 2009 |
Description: From the Debian alert:
Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible.
Comments (none posted)
gccxml: temporary file vulnerability
| Package(s): | gccxml |
| CVE #(s): | CVE-2008-4957 |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: The GCC-XML utility suffers from a temporary file vulnerability.
Comments (none posted)
lmbench: temporary file vulnerability
| Package(s): | lmbench |
| CVE #(s): | CVE-2008-4968 |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: The lmbench utility contains multiple temporary file vulnerabilities. There does not appear to be a fix available; Gentoo has responded by removing lmbench from its repository entirely.
Comments (none posted)
openoffice.org: integer underflow, boundary error
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2009-0200, CVE-2009-0201 |
| Created: | September 4, 2009 |
| Updated: | May 24, 2010 |
Description: From the Red Hat advisory:
An integer underflow flaw and a boundary error flaw, both possibly leading to a heap-based buffer overflow, were found in the way OpenOffice.org parses certain records in Microsoft Word documents. An attacker could create a specially-crafted Microsoft Word document, which once opened by an unsuspecting user, could cause OpenOffice.org to crash or, potentially, execute arbitrary code with the permissions of the user running OpenOffice.org.
Comments (none posted)
pam: authentication bypass
| Package(s): | pam |
| CVE #(s): | |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: From the Ubuntu advisory:
Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges.
Comments (none posted)
qt: man-in-the-middle attack
| Package(s): | qt |
| CVE #(s): | CVE-2009-2700 |
| Created: | September 3, 2009 |
| Updated: | February 3, 2010 |
Description: From the National Vulnerability Database entry:
"src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408."
Comments (none posted)
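The Qt entry is the embedded-NUL hostname problem: a Subject Alternative Name is a length-prefixed DER string, so a name whose bytes read www.good.example, a NUL, then .evil.example compares equal to www.good.example under any C-string comparison that stops at the NUL. As an added example constructed for this page (not Qt code; the SAN bytes and function names are assumptions), the length-aware check below rejects such a name, next to the naive comparison that accepts it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed illustration, not Qt's QSslCertificate code. A SAN dNSName
 * comes out of the DER decoder with an explicit length; its bytes may
 * contain anything, including '\0'. */

/* Naive: the mistake the advisory describes, treating the DER bytes as a
 * C string so that the comparison stops at the first NUL. */
bool san_matches_host_naive(const unsigned char *san, size_t san_len,
                            const char *host)
{
    (void)san_len;                          /* length ignored: the bug */
    return strcmp((const char *)san, host) == 0;
}

/* Length-aware: a DNS name can never contain NUL, so reject outright;
 * otherwise compare exactly san_len bytes, case-insensitively as DNS
 * labels are. Wildcard names (*.example) are deliberately not handled. */
bool san_matches_host(const unsigned char *san, size_t san_len,
                      const char *host)
{
    if (memchr(san, '\0', san_len) != NULL)
        return false;
    if (san_len != strlen(host))
        return false;
    for (size_t i = 0; i < san_len; i++) {
        if (tolower(san[i]) != tolower((unsigned char)host[i]))
            return false;
    }
    return true;
}

/* Constructed SAN value as it would sit in DER: a NUL inside the name.
 * The array's own terminator is excluded from the length (30 bytes). */
static const unsigned char kCraftedSan[] = "www.good.example\0.evil.example";
static const size_t kCraftedSanLen = sizeof(kCraftedSan) - 1;
```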
screenie: temporary file vulnerability
| Package(s): | screenie |
| CVE #(s): | CVE-2008-5371 |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: Versions of screenie prior to 1.30.0-r1 contain a temporary file vulnerability.
Comments (none posted)
silc: several vulnerabilities
| Package(s): | silc-client/silc-toolkit |
| CVE #(s): | CVE-2008-7159, CVE-2008-7160, CVE-2009-3051 |
| Created: | September 4, 2009 |
| Updated: | June 1, 2010 |
Description: From the Debian advisory:
An incorrect format string in sscanf() used in the ASN1 encoder to scan an OID value could overwrite a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. On 64-bit architectures this could result in unexpected application behaviour or even code execution in some cases (CVE-2008-7159).
Various format string vulnerabilities when handling parsed SILC messages allow an attacker to execute arbitrary code with the rights of the victim running the SILC client via crafted nick names or channel names containing format strings (CVE-2009-3051).
An incorrect format string in a sscanf() call used in the HTTP server component of silcd could result in overwriting a neighbouring variable on the stack as the destination data type is smaller than the source type on 64-bit. An attacker could exploit this by using crafted Content-Length header values resulting in unexpected application behaviour or even code execution in some cases (CVE-2008-7160).
Comments (none posted)
tkman: symbolic link vulnerability
| Package(s): | tkman |
| CVE #(s): | CVE-2008-5137 |
| Created: | September 9, 2009 |
| Updated: | September 9, 2009 |
Description: Versions of tkman prior to 2.2-r1 suffer from a symbolic link vulnerability.
Comments (none posted)
xemacs: multiple buffer overflows
| Package(s): | xemacs |
| CVE #(s): | CVE-2009-2688 |
| Created: | September 4, 2009 |
| Updated: | June 3, 2010 |
Description: From the Fedora advisory:
This update fixes multiple buffer overflows when reading large image files, or maliciously created image files whose headers misrepresent the actual image size.
Comments (none posted)
Page editor: Jake Edge