Slashdot Mirror


Wordpress 2.1.1 Release Compromised by Cracker

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier for to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."
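The log check the summary recommends, as an added example that is not part of the original story or of WordPress itself: a small Python scanner over Apache-style combined log lines that flags requests for theme.php or feed.php and any request whose query string carries an 'ix' or 'iz' parameter. The sample log lines are constructed (RFC 5737 test addresses, made-up timestamps); the regex assumes the standard combined format.

```python
"""Scan web-server access logs for the indicators named in the 2.1.2 advisory:
requests for theme.php or feed.php, and query strings carrying 'ix' or 'iz'.
Added example; the log lines below are constructed (RFC 5737 test addresses)."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

SUSPECT_FILES = {"theme.php", "feed.php"}   # file names given in the advisory
SUSPECT_PARAMS = {"ix", "iz"}               # query keys given in the advisory


def classify(target):
    """Return the list of reasons a request target matches the indicators (empty if none)."""
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if filename in SUSPECT_FILES:
        reasons.append("request for " + parts.path)
    # keep_blank_values keeps a key even when nothing follows the '=' (e.g. "iz=").
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = sorted(SUSPECT_PARAMS & set(params))
    if hits:
        reasons.append("query parameter(s) " + ", ".join(hits))
    return reasons


def scan(lines):
    """Return one finding per matching log line; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return findings


def sources(findings):
    """Distinct client addresses behind the findings, for review or blocking."""
    return sorted({f["host"] for f in findings})


# Constructed sample: two probes from one client, ordinary traffic, one stray parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2007:02:14:07 +0000] "GET /wp-includes/theme.php?ix=abc HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Mar/2007:02:15:11 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2007:02:16:40 +0000] "POST /wp-includes/feed.php?iz= HTTP/1.1" 200 99 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Mar/2007:02:17:02 +0000] "GET /feed/ HTTP/1.1" 200 4031 "-" "FeedReader"
198.51.100.9 - - [03/Mar/2007:02:18:30 +0000] "GET /wp-admin/themes.php?action=activate HTTP/1.1" 200 4031 "-" "Mozilla/5.0"
198.51.100.12 - - [03/Mar/2007:02:19:01 +0000] "GET /?ix=1 HTTP/1.1" 404 231 "-" "curl/7.15"
this line is not in combined format and is skipped
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["time"], f["host"], f["target"], "->", "; ".join(f["reasons"]))
    print("sources:", sources(results))
```

A hit on the parameter names alone (the last sample line) is weaker evidence than a hit on the file names, since other software may use short keys like 'ix'; the scanner reports both reasons separately so each line can be judged on its own. A 200 status on a direct request for one of the two files is the case worth treating as a likely compromise rather than a probe.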

48 comments

  1. PHP and certificates by MichaelSmith · · Score: 1

    Makes me wonder if the PHP VM could do a hash of the application code and compare that with a certificate from the source of the application. I know that the injected code in this case would have been certified, but it would make it easier to identify sites which had not been upgraded.

    1. Re:PHP and certificates by dexomn · · Score: 1

      That's so two hours ago.

    2. Re:PHP and certificates by Anonymous Coward · · Score: 0

      A simple PGP sig on the distributed .tar.gz would have been enough. Just like everyone else with clue does it.

    3. Re:PHP and certificates by Jessta · · Score: 1

      When should this hash check be done?
      on every page request?
      I can imagine that slowing requests down a bit.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
  2. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  3. Re:Made it easier for ... by Pyrex5000 · · Score: 1

    It's late at night. Nothing like a bottle of Mountain Dew and a flame war to keep the programmers awake. So, how about that PHP?

  4. Re:Made it easier for ... by DavidHOzAu · · Score: 1, Flamebait

    Oh please. Lay off the Zonk bashing. Read the summary and note that it was not written by Zonk.

    Don't like the stories? Then take a drink from the FireHose and mod up the contributions that interest you.

  5. Re:Made it easier for ... by GrumpySimon · · Score: 1

    Yes, my bad. I was moving stuff around & trying to make it coherent. I must have missed that. You may mock me mercilessly.

  6. Key Details by Kelson · · Score: 5, Informative

    From the article, and from some comparisons I did on the downloads:

    • The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
    • Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
    • If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
    • 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it's worth updating anyway. (diff)

    I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.
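The comparison Kelson describes, as an added Python example that is not WordPress code: hash every regular file inside two tar.gz archives and report which members changed, appeared or disappeared. The two archives are constructed in memory with made-up contents standing in for a clean and a tampered copy of the same release.

```python
"""Compare the per-file contents of two release archives and report which
members differ, were added, or were removed.  Added example, not WordPress
code; the archives below are constructed in memory with made-up contents."""
import hashlib
import io
import tarfile


def archive_digests(data):
    """Map each regular-file member of a tar.gz (given as bytes) to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_archives(old, new):
    """Per-file diff of two archives: changed, added and removed member paths."""
    a, b = archive_digests(old), archive_digests(new)
    return {
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


def build_tar_gz(files):
    """Construct a tar.gz in memory from {path: text}; used only to build the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-ins: a clean copy, and a copy with one file altered and one added.
CLEAN_FILES = {
    "wordpress/index.php": "<?php require('./wp-blog-header.php'); ?>\n",
    "wordpress/wp-includes/feed.php": "<?php /* feed helpers */ ?>\n",
    "wordpress/wp-includes/theme.php": "<?php /* theme helpers */ ?>\n",
}
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["wordpress/wp-includes/feed.php"] = "<?php /* feed helpers */ /* extra code */ ?>\n"
TAMPERED_FILES["wordpress/wp-includes/extra.php"] = "<?php ?>\n"


def demo():
    """Run the comparison on the two constructed archives."""
    return compare_archives(build_tar_gz(CLEAN_FILES), build_tar_gz(TAMPERED_FILES))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", ", ".join(paths) or "(none)")
```

Hashing the whole archive only tells you that something differs (and gzip's own header timestamp makes two otherwise identical archives differ anyway); hashing member by member tells you which files to open in a diff, which is what narrows a compromise down to the two files named in the announcement.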

    1. Re:Key Details by djupedal · · Score: 2, Insightful

      '...confirming that the initial release was unaffected.'

      No, sorry.

      It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

      "If you downloaded 2.1.1 when it was first released, it's probably okay. "

      'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

    2. Re:Key Details by Kelson · · Score: 1

      It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

      Good point. In this case, the WP folks seem certain it was compromised within the last four days, but you're right, my data point doesn't confirm anything later than whatever time of day it was on Feb. 21.

      What I was trying to say was that what I've seen is at least consistent with the timeline that Matt presented. I guess I took the logic a bit too far.

      Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

      True. The effort to upgrade is a lot less than the risk of having missed something. For the record, I upgraded to 2.1.2 immediately, even after verifying my copy. I just felt a lot calmer about the process.

    3. Re:Key Details by slack_prad · · Score: 1

      Don't they use md5 hashes for integrity check?

      --
      Sent from my desktop computer
    4. Re:Key Details by kripkenstein · · Score: 1

      Given these details, this raises the (recurring) issue of where it is safe to get software from. I generally assume that I am fairly safe in using only stuff from my distro's repositories, rather than getting the bleeding-edge versions from individual sources. But I guess I am presuming that central repos are better-secured and more carefully monitored than separate ones - well, perhaps not necessarily on average, but at least from a worst-case perspective (lots of different sources means more chances for at least one mistake to occur).

    5. Re:Key Details by DrSkwid · · Score: 1

      md5 alone wouldn't be any use, it's been compromised for comparing the identity of two data blocks.

      --
      There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
    6. Re:Key Details by maxume · · Score: 1

      Is a locked door that is less than indestructible useless?

      (That is, if the cracker that did this wasn't able to generate an attack on the md5, it would have mitigated the consequences (assuming somebody bothered to check).)

      --
      Nerd rage is the funniest rage.
    7. Re:Key Details by Kelson · · Score: 1

      The "download archive" page (which lists every public release since WordPress branched from B2) provides MD5 hashes, but they're not linked or listed from the main download page for some reason. It's also not made clear on the page whether the MD5 hash is of the ZIP archive or the tar.gz archive.

      So while the hash is there, probably only 1% of downloaders would even see that it exists.

    8. Re:Key Details by quixote9 · · Score: 1

      Hey, thanks for some actual information!

  7. Re:Damn crazy crackahs. by User+956 · · Score: 4, Funny

    Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

    I thought the politically-correct term for "cracker" was "caucasian-american"?

    --
    The theory of relativity doesn't work right in Arkansas.
  8. Isn't that a job for the app? by SanityInAnarchy · · Score: 1

    Have a really simple index.php, which can then verify the source of the rest of the app (include files, etc)?

    But really, I don't think this accomplishes a hell of a lot. It wouldn't help you know which ones haven't been updated, for one thing...

    --
    Don't thank God, thank a doctor!
  9. Re:Damn crazy crackahs. by linvir · · Score: 0, Troll

    it's "hacker" now. Give up
    Fukken seconded.
  10. Zonk gets *paid*?! by Anonymous Coward · · Score: 0

    For what? Posting idiotic dupes, screeds of Australian non-stories, or links to adblogs such as Roland Piquep- oh, I get it...

  11. Re:Made it easier for ... by DavidHOzAu · · Score: 1

    No biggie. I think most of us can tell what word was meant to be in here.

  12. Cracker by Bo'Bob'O · · Score: 0, Redundant

    First time I read that headline, I wondered for a second why it was significant it was compromised by a white guy.

    1. Re:Cracker by ThomasHoward · · Score: 1

      Script kiddie would be a better term; regardless of technical knowledge, the person had the attitude of a script kiddie.
      I hope they catch the worthless sack of shit that did it, too bad that probably won't happen.

    2. Re:Cracker by undoIT · · Score: 1

      "I've been crackered!"

      Parse error: syntax error, unexpected $end in /home/myaccount/public_html/weirded/wp-admin/admin-functions.php on line 2327
      ...unless I just forgot my site is installed in a sub-directory while trying to run upgrade.php ;)
  13. Also update your.. by blankoboy · · Score: 2, Informative

    To stray on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change your WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed who knows what was done and if what was seen. Perhaps it may be good to even update existing WP user passwords.

    1. Re:Also update your.. by teslar · · Score: 1

      To stray on the side of caution, as we don't yet know the nature of the code that was changed [...] who knows what was done
      Err. diff would tell you exactly what bits - and thus the nature - of the code that was changed. Also, TFA knows what was done:

      They modified two files in WP to include code that would allow for remote PHP execution.
    2. Re:Also update your.. by stonecypher · · Score: 1

      To "err" on the side of caution.

      --
      StoneCypher is Full of BS
  14. Re:Damn crazy crackahs. by PietjeJantje · · Score: 2, Funny

    What about this arrangement: let us all agree here to call hackers crackers from now on, and don't tell the media. This should fix things and create a clear divide again. Now excuse me while I'm off cracking some new code.

  15. Re:Damn crazy crackahs. by undoIT · · Score: 1

    ya know. if i was a smacka jacker cracka crack hacker, i'd be all up in the spam co's databases, emolating their servurz

  16. This is always a major concern for OSS projects by Anonymous Coward · · Score: 2, Insightful

    Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

    OSS releases should be GPG signed by now; unless the attacker can compromise the key, we're then left with tampering in the repository.

    1. Re:This is always a major concern for OSS projects by Anonymous Coward · · Score: 0

      Actually OSS makes things easier to compromise. Much easier to trawl through the code looking for known bad code or even slip in a patch that fixes something else. I wouldn't doubt that there are already agencies doing such work even with proprietary software. However, that assumes you have something worth knowing.

  17. NO by cortana · · Score: 1

    If it is a job for the app, then everyone will implement it themselves, and no one will do it right.

  18. Suggestion:GPG! by natmakarvitch · · Score: 1

    There is an efficient way to avoid such tampering, or at least to hope that those tricks will be quickly discovered by somebody: seal (sign) your published works, dammit!
    • have a well-signed and published (on the keyservers) GnuPG (GPG) key
    • only transfer/store the private key on absolutely sure boxes, and only if it is strictly necessary
    • keep a backup of the private key in an ultra safe place
    • give a copy of the revocation certificate to a few very good friends
    • publish the public key on a good keyserver
    Then sign every archive published, let the file be mirrored everywhere... and the hell with the polluters! For now most users will not verify the signature, but at least a few of them will, and with time a growing number will join.
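The downloader's half of the signing scheme above, and of the MD5 discussion under "Key Details", as an added Python example that is not WordPress's own tooling: check a downloaded archive against a published checksum manifest, and, when GnuPG is installed, check a detached signature on that manifest with the system `gpg`. The manifest format assumed is the one `sha256sum`/`md5sum` emit (`<hex>  <filename>` per line), so the entry says which archive (zip or tar.gz) it belongs to; the archive bytes, the manifests and the file name are constructed.

```python
"""Verify a downloaded release archive against a published checksum manifest,
and, when GnuPG is installed, a detached signature on that manifest.
Added example, not WordPress tooling.  Manifest lines are assumed to be in
sha256sum/md5sum format; the archive and manifests below are constructed."""
import hashlib
import shutil
import subprocess

ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)} from sha256sum-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        algo = ALGORITHMS.get(len(digest))
        if algo is None or not name:
            raise ValueError("unrecognised manifest line: %r" % line)
        entries[name] = (algo, digest.lower())
    return entries


def verify_archive(name, data, manifest_text, weak_ok=False):
    """Check `data` for archive `name` against the manifest; returns (ok, message).

    A matching hash only proves the download equals what the manifest's author
    published.  It says nothing about who wrote the manifest: a checksum file
    sitting beside the archive on a compromised server is simply rewritten by
    the attacker, which is why the manifest itself needs a signature.  MD5 is
    accepted only when the caller opts in, since collisions are practical."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "no manifest entry for %s" % name
    algo, expected = entries[name]
    if algo == "md5" and not weak_ok:
        return False, "manifest uses md5; refusing without weak_ok"
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected:
        return False, "%s mismatch: expected %s, got %s" % (algo, expected, actual)
    return True, "%s matches" % algo


def verify_signature(manifest_path, signature_path):
    """Verify a detached OpenPGP signature on the manifest with the system gpg.

    Returns True/False, or None when gpg is not installed.  The signer's public
    key must already be in the local keyring, fetched from a keyserver and
    checked out of band as the post above recommends."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--batch", "--verify", signature_path, manifest_path],
                            capture_output=True)
    return result.returncode == 0


# Constructed sample data (the file name is a made-up stand-in, not a real download).
ARCHIVE = b"constructed stand-in for a release tarball\n"
NAME = "wordpress-2.1.1.tar.gz"
GOOD_MANIFEST = "%s  %s\n" % (hashlib.sha256(ARCHIVE).hexdigest(), NAME)
MD5_MANIFEST = "%s  %s\n" % (hashlib.md5(ARCHIVE).hexdigest(), NAME)
TAMPERED = ARCHIVE + b"<?php /* extra */ ?>\n"

if __name__ == "__main__":
    print(verify_archive(NAME, ARCHIVE, GOOD_MANIFEST))
    print(verify_archive(NAME, TAMPERED, GOOD_MANIFEST))
    print(verify_archive(NAME, ARCHIVE, MD5_MANIFEST))
    print("gpg available:", shutil.which("gpg") is not None)
```

The order of checks matters: verify the signature on the manifest first, then the archive against the manifest. Doing it the other way round, or skipping the signature because the hashes "looked right", reduces the whole exercise to trusting whatever the download server currently serves, which in this incident is exactly the thing that had been altered.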
  19. What about Wordpress mu? by edmicman · · Score: 1

    How does this affect Wordpress mu (multiuser)? http://mu.wordpress.org/

    1. Re:What about Wordpress mu? by Anonymous Coward · · Score: 0

      Just to be on the safe side, I would follow the same procedure.

      If you downloaded it in the last 3-4 days, assume it to be compromised.

      Fortunately, you can use rewrite rules to wipe out any requests going to feed.php or theme.php. They are in the wp-includes directory, so no legitimate clients should be calling them.

  20. Re:Damn crazy crackahs. by Anonymous Coward · · Score: 0

    Seriously, it's "hacker" now

    Yeah, that's what crackers have been trying to convince us of all along.
    I would settle for 'wannabee' or 'kiddie' though, and recently I added 'spammer' to that list.
  21. Re:Damn crazy crackahs. by Anonymous Coward · · Score: 0

    It's not the first time media has hijacked a word. Very useful.

  22. Re:Made it easier for ... by Goaway · · Score: 1

    The reason one has editors, normally, is to catch such mistakes and fix them before the thing is published. Of course, Slashdot "editors" do not do any actual "editing".

    It makes Slashdot "more real", according to Taco!

  23. Re:Damn crazy crackahs. by linvir · · Score: 1, Insightful

    • Hacker
      A very, very naughty boy who does wicked, wicked things to other people's computers, and brags about it on websites with black backgrounds and green text. Used to mean programmer, but doesn't any more. The old meaning is still used by old programmers living in the past, and by new programmers wishing to associate themselves with both programmers and naughty boys simultaneously. Nobody who calls themselves a "hacker" or refers to their activities as "hacking" is worth any of your time or money, no matter whether their surname is "Stallman" or "Mitnick".
    • Cracker
      A word invented by programmers who liked calling themselves hackers, didn't want to lose the term to the naughty boys, and thought that if they just pulled a new word out of their arse, people would gladly learn it and use it. Finally took its last breath when black Americans began to use it as a counterpart to the derogatory word "nigger". Nobody (nobody) calls themselves a "cracker" or refers to their activities as "cracking".
  24. Re:Damn crazy crackahs. by maggard · · Score: 1

    Clever except that "hacking" predates software coding as a trade and calling certain folks "Crackers" predates both.

    Nicely formatted tho'.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  25. So what? by SanityInAnarchy · · Score: 1

    That will happen anyway.

    If you put it in the app, there's at least a chance it'll be done right by some library that everyone ends up using. If you put it in the interpreter, the interpreter gets crufty for everyone, including people who don't care about source code signing, and people who might have a legitimate reason for implementing it a little differently.

    Or, let me make this very simple: If we were talking about C, would you be in favor of including it in the operating system? Or the C compiler?

    --
    Don't thank God, thank a doctor!
    1. Re:So what? by cortana · · Score: 1

      As a library that apps can use to verify files, sure. Oh wait! That is gnutls/openssl!

  26. Re:Damn crazy crackahs. by metlin · · Score: 1

    You forgot "virgin". =)

  27. Doesn't matter, WP can't handle heavy loads. by liftphreaker · · Score: 1

    As an ex-wordpress user, this just points out one among the many changes and improvements they need to make. Security is important, but if the fundamental framework itself is weak, nothing else is going to matter too much. Wordpress is crippled in that it simply can't take a digg or heavy slashdot hit. Check out any wordpress site that's been dugg to front page, chances are 99% it's going to be dead in minutes.

    1. Re:Doesn't matter, WP can't handle heavy loads. by Trillan · · Score: 1

      I don't know if it could handle slashdot or a digg, but one of the major pushes recently has been SQL query optimization. It's made a big difference.