Slashdot Mirror


Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

10 of 82 comments

  1. Blogs are vulnerable? by iknownuttin · Score: 5, Funny

    So, how is this a huge problem? If anything, some blogs need to be hacked to have some decent content on them!

    --
    I prefer Flambe as opposed to flamebait.
    1. Re:Blogs are vulnerable? by speculatrix · Score: 3, Funny

      At my previous job there had been a programmer who used the same password for *everything*, and I do mean everything... from the MySQL logins (both "root" and regular webapp), web site logins, shell accounts and the SSH passwords needed to move data around!

      I discovered he had a blog site, and guess what, his standard password worked on that too, both to log in as him and as admin. Whilst tempted, I neither added nor deleted anything on his site, but I *did* occasionally go through his blog posts and correct his spelling and grammar! He must have noticed, because after many months of occasionally tweaking his content, the login finally stopped working. Yes, I'm talking about you, "smurphy" :-)

  2. self-updating by dr_hooch · Score: 3, Insightful

    Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.

  3. Time for web applications to grow up by Bogtha · Score: 4, Insightful

    I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.

    The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.

    I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

    --
    Bogtha Bogtha Bogtha
    1. Re:Time for web applications to grow up by laffer1 · Score: 3, Insightful

      Most applications that do update checks I've used only do so from the administration interface. e107 and jforum both check for updates (PHP and Java apps). It's possible to do the checks. However, downloading updates means the webapp has to have space to download files automatically. From a security perspective, it seems stupid to add this feature unless the webapp already needs writable space. The update feature could introduce an additional attack vector.

  4. Securing LAMP by packetmon · Score: 4, Informative

    Securing LAMP / Mod Security. It's so simple a fix with mod_security...

    # Only the allowlisted address may reach admin.php; everyone else is redirected
    SecFilterSelective REQUEST_URI /admin.php chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
    # Likewise, a login as the admin username is only accepted from that address
    SecFilterSelective ARG_username YOURUSERNAME chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

    Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.

  5. Time to upgrade again by umrguy76 · Score: 3, Informative

    At least the WordPress site offers easy to follow directions.

    http://codex.wordpress.org/Upgrading_WordPress

  6. Wordpress by wumpus188 · Score: 3, Interesting

    The problem with WP is that it is a major pain in the ass to update, especially if you're running a somewhat customized installation. Besides, most bloggers are not technical people and just use whatever version someone installed for them (or installed by their provider).

  7. Re:How do you fix it? by packetmon · Score: 4, Informative

    http://www.infiltrated.net/docs/modsecips.html step by step... If it's your own server... If not, have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.

    Block spam injections

    Directory traversal attacks
    SecFilter "\.\./"

    XSS attacks
    SecFilter "<(.|\n)+>"
    SecFilter "<[[:space:]]*script"

    SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    Too many times there are clueless admins (not you per se). But this also tends to be one of the gripes on the Ubuntu Document people flame me for. If even *semi*-experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like; facts are facts.
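    An added example, not from packetmon or the thread: a small Python simulator of the mod_security 1.x rules quoted in comments 4 and 7, run over constructed requests so you can see which rule fires for each, including the false positive the generic tag filter produces on an ordinary WordPress post edit. It assumes constructed values for the YOUR.IP.ADDRESS and YOURUSERNAME placeholders and writes POSIX [[:space:]] as \s for Python's re module.

```python
import re

# Constructed stand-ins for the thread's placeholders (assumptions).
ADMIN_IP = "203.0.113.7"
ADMIN_USER = "editor"

# Non-selective SecFilter patterns: mod_security checks them against every
# request argument, so that is what evaluate() does below.
FILTERS = [
    ("dir-traversal", re.compile(r"\.\./")),
    ("xss-any-tag", re.compile(r"<(.|\n)+>")),
    ("xss-script", re.compile(r"<\s*script")),
    ("sqli-delete", re.compile(r"delete\s+from")),
    ("sqli-insert", re.compile(r"insert\s+into")),
    ("sqli-select", re.compile(r"select.+from")),
]


def evaluate(ip, uri, args):
    """Return the names of the rules that would fire for one request.

    args maps parameter names to values (query string or POST body).
    """
    hits = []
    # REQUEST_URI /admin.php chained with the REMOTE_ADDR allowlist: both
    # conditions must hold before the redirect action applies.
    if "/admin.php" in uri and ip != ADMIN_IP:
        hits.append("admin-uri-redirect")
    # ARG_username chained with the same allowlist: the admin account can
    # only be used from the allowlisted address.
    if args.get("username") == ADMIN_USER and ip != ADMIN_IP:
        hits.append("admin-user-redirect")
    for value in args.values():
        for name, pattern in FILTERS:
            if pattern.search(value):
                hits.append(name)
    return hits


# Constructed sample requests. The last one is a legitimate post edit from
# the admin's own address: the catch-all tag filter still blocks it.
SAMPLES = {
    "admin-allowed": (ADMIN_IP, "/admin.php", {}),
    "admin-other-ip": ("198.51.100.9", "/admin.php", {}),
    "login-other-ip": ("198.51.100.9", "/wp-login.php", {"username": ADMIN_USER}),
    "traversal": ("198.51.100.9", "/index.php", {"page": "../../private.txt"}),
    "edit-post": (ADMIN_IP, "/wp-admin/post.php", {"content": "<p>Hi <b>all</b></p>"}),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:15} -> {evaluate(*req) or ['allowed']}")
```

    The "edit-post" case is the practical caveat: on a CMS whose normal traffic is HTML, a filter like `<(.|\n)+>` blocks the admin's own editing, so the IP allowlist rules are the part of this setup that is safe to copy as-is.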

  8. Re:Wordpress - a correction by cweditor · Score: 3, Insightful

    Just for the record, as far as I can tell, Wordpress 2.2 was not a security fix. It includes new features and addresses bugs, but I looked through the list of tickets closed in the release of 2.2 and did not see that any security issues were addressed by that newest version. 2.1.3 was a security fix, which users were advised to install promptly (and I did).

    2.2 fixes bugs I never noticed and adds new features I didn't immediately need, so I can see why even good blog administrators might have waited to upgrade this one. I'm not sure BlogSecurity is correct to say 2.2 is the only secure version.

    For people using Web hosts with control panels and doing installs and upgrades through a control panel like "Fantastico," the latest version they're offering is 2.1.3.

    I agree that Wordpress is a bit of a pain to upgrade if you've done customization. I also like to manually back up my databases before I install a new version. The whole process takes about half an hour if I include the downloading, untarring, killing off files manually, and so forth.