Wordpress.org Warns of Active Worm Hacking Blogs
Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."
There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"
WARN
THERE IS ANOTHER SYSTEM
A real and maintained multisite WordPress would be more than welcome for hosting companies, so that an easy upgrade can be achieved.
Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?
Worm-hacking blogs! Wordpress must be stopped!
If wordpress.org is hacked, again, their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.
From TFA: "This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."
So let me get this straight. If I have a blog that doesn't allow other people to register, say for example, one just for my personal note-taking use. Then I'm in the clear? Sweet. Guess I don't need that Snake Oil after all....
"When I am king, you will be first against the wall..."
http://wordpress.org/download/
When you download Wordpress, you're asked for your email address for release notifications. Shame they don't actually use it:
http://wordpress.org/support/topic/230558
What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.
Now even my own blog says that I need to enlarge my Penis!
Scobilizer has been tweeting about the same problem this afternoon.
I'll see your Constitution and raise you a Queen.
The reason most siteowners are slow or never update is because it's a huge pain in the butt.
This applies to almost all CMS's, forums, and similar software.
While a one-click solution sounds nice, the real problem is that almost any large board has a number of plug-ins and modifications to get it where it needs to be.
Once those mods/plugins are installed, the one-click updates no longer work.
SEO URLs?
Custom themes?
Anti-bot measures?
All of these things can completely render an "easy update" useless.
The people who write this software need to find a way to keep the core code separated from plugins for updates.
It would be a lot to ask to have you actually read the linked articles before commenting (or modding something as *insightful*): The linked article says that the exploit checks for capabilities, not version number.
I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one click upgrade to the latest version for Wordpress, phpBB and Drupal which are the 3 systems I use the most.
Thanks for posting. I finally upgraded from version 2.3 to 2.8.4 for my blogs.
Their software may be shit, but they do have basic features like tag-specific feeds.
The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.
They release updates more frequently than I post stories on my blog. Indeed, 2.8.4 was released just a week after 2.8.3. Can't wait to see what next week brings!
That's good information. Most serious bloggers keep their WordPress versions updated. Users also have the option to update their blog with just one click. If you have not done so, please do it right now.
Yes, but that assumes you regularly visit your admin panel.
Whenever you login as an admin to post, or do something else, that is your default landing spot.
If you choose not to do anything, because some precious widget might break, or you have a hair appointment in 20 minutes, and continue doing so through numerous point releases, you get what you paid for eh?
Or as Duncan Chalk said:
"Pain is instructive"
Some days it's just not worth
chewing through my restraints.
This post, and the linked article, are useless. They don't say anything about:
- whether, and which, of the previous non-2.8.x versions are vulnerable
- how to detect the attack.
It's just whining "upgrade, upgrade". Boys, thank you for your kickass blog engine. I've been using it since you were nobody, but damn, you produce vulnerability after vulnerability and you hope that we have the time to follow and upgrade constantly because you screw up? Give us a stable release, and don't ask my 2.7.1 blog to be upgraded to 2.8. I won't do it. Period. It's too much trouble, too much risk, and too much wasted time to merge personalized changes or if plugins are not compatible. Maintain and backport the fixes to previous branches.
Yes, I donated, so I have bragging rights.
The OP wasn't talking about people who log into the admin panel and don't upgrade even though they're told they need to; he was talking about people who don't "regularly visit [their] admin panel" in the first place. At that point, punctuality isn't the problem, keeping informed is.
I understand that contributors/authors who haven't any access to the administrative features won't be able to see the version (but that also assumes they wouldn't be in a position to upgrade either). But really, what's the point of using WordPress if you're not going to use the admin panel? It shows a wonderful overview of comments, spam, drafts, and so forth. I would assume that the idea of never visiting the dashboard enough to notice new versions might be applicable to those use cases of individuals who make a post once every 2 months.
You see the admin panel when you log in.
The admin panel shows you when an update is available.
Therefore, you may be up to a half a month behind on update notifications delivered through the admin panel.
A half a month doesn't sound like a big deal but look at the most recent releases:
They really need an e-mail distribution list for those not already monitoring the development blog via RSS or security blogs, because 10 days is a reasonable amount of time for someone to not log into their blog. It has nothing to do with whether you use the admin panel or not, and everything to do with the critical "fix for a fix" that comes barely two weeks later.
But really, what's the point of using WordPress if you're not going to use the admin panel? It shows a wonderful overview of comments, spam, drafts, and so forth. I would assume that the idea of never visiting the dashboard enough to notice new versions might be applicable to those use cases of individuals who make a post once every 2 months.
But to be honest I think that's a reasonable use case. It's the kind of use I make of Wordpress. I view my site as more of a homepage than a blog - I use Pages much more than Posts and make changes only rarely. As a result it'll often be several weeks between my visits to the admin page.
It's a shame; for people like me the notification mailing list would be perfect but for some reason the Wordpress folks don't make use of it. It's odd that they still encourage people to join it as it can give you a false sense of security.
... how about he makes a passionate plea to the PROGRAMMERS to say 'Guys, let's STOP PUTTING SECURITY HOLES IN OUR SOFTWARE?'
Just a thought.
It shouldn't be any user's problem to need to 'upgrade or get hacked'. If you're writing web software that's hackable, you're the one doing it wrong, not your users.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
If they're going to introduce a new vulnerability every ten days, what they need to do isn't to start using an e-mail distribution list - what they need to do is die.
Does anybody have any technical details about this worm ?
Some people can't upgrade immediately and it would be nice to be able to block the request strings (or user-agent, IP address, whatever) that the worm uses.
I have looked around the various blogs reporting this and on full-disclosure lists but I can't find any better advice than "Upgrade. Now."
Sig matters not. Judge me by my sig, do you?
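Neither the summary nor the linked article publishes request strings or user-agents, so a signature-based block is not something this page supports. What the article does describe is the worm's footprint: an extra admin account that is hidden with JavaScript on the Users page, a tampered permalink structure, and hidden spam or malware injected into old posts. The audit below, an added example that is not part of the original post or of WordPress itself, checks for exactly those three indicators by reading the data directly (as you would from a database dump or export), which sidesteps the JavaScript trick on the admin UI. The table-like records, the account names, the post bodies, and the "clean permalink structure" rule (only slashes, dots, dashes and %tag% tokens) are constructed assumptions for the example; the article does not say what an injected permalink structure looked like, so treat that check as a heuristic.

```python
import re
from html.parser import HTMLParser

# Constructed sample loosely modelled on the wp_users/wp_usermeta, wp_options
# and wp_posts tables. All names, IDs and contents are assumptions for this
# example, not data from any real or compromised site.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "capabilities": {"administrator": True}},
    {"ID": 7, "user_login": "x9f3k2", "capabilities": {"administrator": True}},
    {"ID": 8, "user_login": "reader", "capabilities": {"subscriber": True}},
]
SAMPLE_OPTIONS = {"permalink_structure": "/%year%/%monthnum%/%postname%/"}
SAMPLE_POSTS = [
    {"ID": 10, "post_title": "Hello", "post_content": "<p>Plain post.</p>"},
    {"ID": 11, "post_title": "Old post",
     "post_content": '<p>Text</p><div style="display:none">cheap meds '
                     '<a href="http://example.invalid/x">buy</a></div>'},
    {"ID": 12, "post_title": "Older",
     "post_content": '<p>Text</p><iframe src="http://example.invalid/f" '
                     'width="1" height="1"></iframe>'},
]
# Admin logins the site owner actually created (assumed for the example).
KNOWN_ADMINS = {"owner"}

PERMALINK_TAG = re.compile(r"%[a-z_]+%")


def unexpected_admins(users, known_admins):
    """Admin accounts that the owner does not recognise, read from the data
    rather than the Users page, so client-side hiding cannot mask them."""
    return sorted(u["user_login"] for u in users
                  if u["capabilities"].get("administrator")
                  and u["user_login"] not in known_admins)


def permalink_structure_is_clean(structure):
    """Heuristic (assumption): a legitimate structure contains only %tag%
    tokens plus slashes, dots, dashes and alphanumerics. Quotes, brackets,
    semicolons or question marks in this option deserve a manual look."""
    stripped = PERMALINK_TAG.sub("", structure)
    return re.fullmatch(r"[A-Za-z0-9/._-]*", stripped) is not None


class HiddenContentFinder(HTMLParser):
    """Record elements a reader would never see: display:none or
    visibility:hidden styles, and iframes with 0/1-pixel dimensions."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.hits.append(f"<{tag}> with hidden style")
        if tag == "iframe":
            w, h = a.get("width", ""), a.get("height", "")
            if w in ("0", "1") or h in ("0", "1") or "display:none" in style:
                self.hits.append(f"tiny <iframe src={a.get('src', '')!r}>")


def hidden_content(posts):
    """Map post ID -> list of hidden elements found in its content."""
    findings = {}
    for p in posts:
        finder = HiddenContentFinder()
        finder.feed(p["post_content"])
        if finder.hits:
            findings[p["ID"]] = finder.hits
    return findings


def audit(users, options, posts, known_admins):
    """Run all three checks and return a report dict."""
    return {
        "unexpected_admins": unexpected_admins(users, known_admins),
        "permalink_structure_clean": permalink_structure_is_clean(
            options.get("permalink_structure", "")),
        "posts_with_hidden_content": hidden_content(posts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_OPTIONS, SAMPLE_POSTS,
                           KNOWN_ADMINS), indent=2))
```

On the sample data the report flags the unknown admin "x9f3k2" and posts 11 and 12, and passes the permalink structure. Run the same checks against a real export or a SELECT over wp_users, wp_usermeta, wp_options and wp_posts; if the permalink structure, an admin list or old post bodies do not match what you expect, restore from a backup taken before the compromise rather than hand-cleaning, since the article says the worm also tries to clean up after itself.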
Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently.
If only Matt stopped breaking backwards compatibility, I would be up to date constantly. In the last few years I've seen several things breaking as matty decided to rename hooks and stuff. Therefore, all important functions of my sites must be checked before actually upgrading...
.sig: No such file or directory