wordpressguru.eu » security

Do you use PHP $_SERVER variables in forms?

Owen — Thu, 24 Sep 2009 21:57:31 +0000

I came across an interesting point that outlines that dangers of using $_SERVER variables to submit form, a practice that’s pretty common in WordPress plugins. The problem is that it opens the form up to be used for cross-site scripting (XSS) exploits. The post even has a couple of examples demonstrating how the exploits could be put together; examples that you can use to test your own code.

It’s important to know about these exploits and how they work. Ignoring them when writing code is a bit like putting cardboard displays in front of a crumbling building. It may look pretty from the outside, but you’re building something that is putting other people at risk.

So, read the post here.

If your WordPress up to date?

Owen — Thu, 10 Sep 2009 21:13:04 +0000

Is your WordPress installation up to date? If it’s not, you’ll get a constant warning message on every page telling you that you need to upgrade. And upgrading is really easy on the later versions too. There’s no messing around with uploads, WordPress does it all for you. So there’s really no excuse for not being up to date, it’s easier than applying the best best eye cream you can buy.

So, what’s the reason I’m making this point? Well a few days ago a worm was making the rounds and affecting a number of WordPress installations that hadn’t been upgraded to the latest version. There’s a great post about security down on the WordPress blog. Have a good read and make sure your blogs are all up to date.

WordPress v2.8.4

Owen — Sat, 15 Aug 2009 23:13:29 +0000

Hot on the heels of the latest version of WordPress comes a new version with another security hole fixed. This wasn’t a major one, just an annoyance that lets a malicious user keep reseting a particular user’s password. It wouldn’t let them get into the blog, but it could be used to keep harassing a user (Now if someone chases you to sell low cost term life insurance and they have a WordPress blog, you know how to annoy them).

Anyway, the new release blocks the whole and helps WordPress be a little bit more secure than before, so go ahead and download it.

Authentication in WordPress 2.8

Owen — Sat, 14 Mar 2009 23:53:28 +0000

Just came across an interesting post called Authentication in WordPress 2.8. It talks about the implementation of OAuth in WordPress and it’s impact on users and plugin authors. The great thing about OAuth is that it would let applications and other websites authenticate against your blog and withdraw information without needing your password. So, if you had a WordPress blog about travel insurance online, you could share the information on it with another website trying to repurpose that information.

Looks like WordPress will have some interesting changes. However, the last part of the post indicates that it won’t manage to make 2.8, partly because the OAuth libraries are in a state of flux and partly because of the impact it will have on the core.

Help, my WordPress blog is giving a virus warning!

Owen — Wed, 17 Dec 2008 14:58:39 +0000

I got called in to resolve an issue on a WordPress blog today. On the surface it looked as if the administration side of the site had broken, but the real cause turned out to be much darker than that.

Looking at the source of the page, I could see that lines were being inserted on all pages that tried to open an iFrame onto a website that used a browser exploit to try and install a virus on your computer. If my browser wasn’t patched and I wasn’t using a virus scanner, it could have been a ton of work for me to clean up. The question was, where was that iFrame coming from?

Turns out that a couple (4 actually) of WordPress files had got compromised and had extra lines added to them to open this iFrame. The files were:

wp-feed.php
wp-blog-header.php
wp-config.php
wp-load.php

This was the extra line:

These files are used in every WordPress page load and were the cause of the extra iFrame. The big question was how the files got compromised in the first place. They were set to the correct permissions, so could only have been changed by someone (or a script) with root access to the server. Unforuntately this is not something you can protect against. Almost make sure your blog is living on a reliable host and remember, “It’s wilder than Las Vegas out there”

WordPress 2.6.1 Exploit: Upgrade to avoid hack

Owen — Mon, 22 Sep 2008 14:48:09 +0000

I was reading around today after cleaning up a website that got hacked when I saw an example of a vulnerability that exists in WordPress 2.6.1 The security hole is this:

Imagine a blog site using wordpress 2.6.1 and its web address is www.hackme.com , when you type in your address bar http://www.hackme.com/wp-login.php?action=register the new user registration page comes up !

After that we type our user name as “admin x” (make sure there are 52 space characters between “x” and “admin”. So after that type your e-mail address to the next textbox and click register. By doing this we are cloning the “admin” user name. Your password will come to your e-mail address shortly. You will not able to login with this information directly, So open the same page again and click “forgot password”, type in your own e-mail address and your will receive the link to reset the admin password. Once you click the reset link, the new password will be generated and will be sent to the real owner of the website.

Now, although people can’t log in with that password, it can prove to be very annoying and can even be used to implement a denial-of-service attack, but continually changing the admin’s password. How can you address the issue. Either upgrade to WordPress 2.6.2 or disable user registrations.