New Zero Day Disclosed In WordPress Core Engine

← Back to Stories (view on slashdot.org)

New Zero Day Disclosed In WordPress Core Engine

Posted by Soulskill on Monday April 27, 2015 @05:16PM from the pressing-words-is-risky-business dept.

Trailrunner7 writes: WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver. Juoko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

"An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings," Pynnonen said. "A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won't appear on the page until it has been approved by an admin/moderator. Under default settings, after one 'harmless' comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts."

89 comments

Min score:

Reason:

Sort:

Zero day? IN WORD PRESS? IMPOSSIBLE by ArylAkamov · 2015-04-27 17:41 · Score: 1

Zero-day exploit? In word press? What a surprise. I totally didn't see that one coming.
1. Re:Zero day? IN WORD PRESS? IMPOSSIBLE by Anonymous Coward · 2015-04-27 23:31 · Score: 0
  
  if slashdot posted an article every time a zero-day was found in wordpress, there would be so many submissions and published articles, even the readers wouldn't be able to tell a new one from a dupe.
2. Re:Zero day? IN WORD PRESS? IMPOSSIBLE by Anonymous Coward · 2015-04-28 00:15 · Score: 0
  
  This is quite shocking, Word Press has a code base that is more secure than most 1960s era mainframes!!!
3. Re:Zero day? IN WORD PRESS? IMPOSSIBLE by Anonymous Coward · 2015-04-28 03:11 · Score: 0
  
  WordPress doesn't have an exploit, WordPress is an exploit. It will never touch any server that I manage. It's suffered from so many ridiculous vulnerabilities it makes you wonder how many USGOV people are contributing.
4. Re:Zero day? IN WORD PRESS? IMPOSSIBLE by Anonymous Coward · 2015-04-28 05:00 · Score: 1
  
  Fortunately, many 1960s era mainframes had (and still have) BOFHs guarding them.
Victim of liberal error handling by diamondmagic · 2015-04-27 17:41 · Score: 4, Insightful

I know it's fun and all to make fun of WordPress, and it is indeed a piece of garbage for multiple reasons. But this seems more a fault of highly liberal error handling on the part of Web browsers and MySQL.
From what I understand, MySQL truncated the input passed in without throwing any complaints that data was being lost.
Second, if the HTML pages were served under the more secure application/xhtml+xml media type, the compromised page wouldn't have been usable, because the malformed syntax would have produced a fatal error, instead of silently corrected (this is specified in HTML5, which IE supports now, woo).
I've seen more security vulnerabilities with text/html's silent fixing of errors than I can count, including a notable XSS attack because someone thought you don't need to HTML-encode URIs in hyperlinks... but this leads to funny behavior even with valid URIs like <http://example.com/doSomething?run©destination=baz> (if parsed as HTML, a copyright sign magically appears instead of the URL parameter you were intending).

--
Wonder what the public key field is for?
1. Re:Victim of liberal error handling by suy · 2015-04-27 21:19 · Score: 1
  
  Second, if the HTML pages were served under the more secure application/xhtml+xml media type, the compromised page wouldn't have been usable, because the malformed syntax would have produced a fatal error, instead of silently corrected (this is specified in HTML5, which IE supports now, woo).
  I think this speaks clearly of how bad was the decision of creating HTML 5, and not making future web documents an XML application only. With XML, the rules clearly state that a document has to be well formed in order to be interpreted by the XML parser (then it can be invalid according to the XML application, say XHTML). But no, they kept the incredibly stupid tradition of making browsers try to recover according to unspecified ways. I wonder how many workarounds are in the parsers of todays web browsers that swallow utterly broken contents that IE6 displayed properly at that time. Workarounds and complicated code paths that will probably stick for a really long time, since old content will not be fixed ever. And complex code paths that will continue to produce security holes from time to time.
2. Re:Victim of liberal error handling by parenthephobia · 2015-04-27 21:47 · Score: 5, Interesting
  
  From what I understand, MySQL truncated the input passed in without throwing any complaints that data was being lost.
  That is MySQL's default behaviour. It can be put in strict mode, where truncated fields aren't silently ignored (and various other validity and sanity checks aren't bypassed). Ideally, this would be MySQL's default mode, but WordPress doesn't work in strict mode.
  So, I do not think it is as simple as saying it is MySQL's fault. WordPress is complicit in its failure.
3. Re:Victim of liberal error handling by Jesus_666 · 2015-04-27 21:50 · Score: 1
  
  If I remember correctly they actually specified the error handling in the HTML 5 spec. XHTML, for its part, didn't really take off, so chances are that much of the web would still be using HTML 4 if the W3C still insisted on XHTML. HTML 4 wasn't exactly a paragon of security, either.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
4. Re:Victim of liberal error handling by diamondmagic · 2015-04-28 09:14 · Score: 1
  
  It did take off; many people wrote XHTML documents, and it's default in e.g. Drupal. The problem was IE didn't support application/xhtml+xml until recently, which is exactly what gave XHTML all its functionality.
  
  --
  Wonder what the public key field is for?
5. Re:Victim of liberal error handling by Anonymous Coward · 2015-04-28 10:20 · Score: 0
  
  I thought he was blaming liberals. (In baltimore)
Already patched by gaspyy · 2015-04-27 17:46 · Score: 2

The vulnerability was already patched, just hours after being disclosed. WordPress 4.x applies security updates automatically.
For better or worse, WordPress is the most popular CMS and this makes it a prime target. Just like Windows.
1. Re:Already patched by Anonymous Coward · 2015-04-27 18:28 · Score: 5, Insightful
  
  Also like windows sloppy coding gives a much wider userbase to exploit as well. Take a long hard look at the code behind Wordpress then get back to us, we'll wait. I'd tell you to do the same for Windows but I suspect you won't be able to pull that one off as easily. Like Windows, Wordpress has pissed off all the good devs and all that's left are the ones that do 'shiny'.
2. Re:Already patched by Aethedor · 2015-04-27 18:52 · Score: 1
  
  So, that left your website vulnerable for a few hours... again!
  And being a prime target wouldn't be a problem if it had proper security...
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
3. Re:Already patched by radio4fan · 2015-04-27 19:07 · Score: 1
  
  Like Windows, Wordpress has pissed off all the good devs and all that's left are the ones that do 'shiny'.
  ... And all the devs whose clients insist on WordPress (and PHP for that matter), like me.
4. Re:Already patched by thegarbz · 2015-04-27 21:03 · Score: 1
  
  And being a prime target wouldn't be a problem if it had proper security...
  Oh how naive.
5. Re:Already patched by _merlin · 2015-04-27 21:14 · Score: 2
  
  It only applies security updates automatically if the user the PHP scripts run as has write access to the WordPress directory. I never allow that. I'd rather have the security of knowing a WordPress exploit can't modify the WordPress installation than the convenience of updates through the web UI.
  This latest exploit also depends on a logged in administrator viewing the malicious comments to do the really nasty stuff. This is another very good reason to only ever log in as an administrator when you absolutely must. Use a non-admin user for writing content and moderating comments.
6. Re:Already patched by udippel · 2015-04-27 21:28 · Score: 1
  
  And being a prime target wouldn't be a problem if it had proper security...
  Oh how naive.
  Will you please enlighten the unwashed masses (me), how a system with proper security would not pose a problem like the one underlying this topic?
  (And please, without resorting to 'shiny', 'easy', 'simple', 'extensible'. I am honestly only interested in security.)
7. Re:Already patched by Anonymous Coward · 2015-04-27 22:55 · Score: 0
  
  My 4.1 version was still unpatched by the time I read this submission. The 4.2 version however updated automatically to 4.2.1.
8. Re:Already patched by turbidostato · 2015-04-27 23:41 · Score: 1
  
  "And please, without resorting to 'shiny', 'easy', 'simple', 'extensible'. I am honestly only interested in security."
  No, you aren't.
  Because if you really were only interested in security, you would just turn off your computer and done with it. No, you are not *only* interested in security, and there is where those 'shiny', 'easy', 'simple', 'extensible' concepts go into the equation. Security means balance.
9. Re: Already patched by Anonymous Coward · 2015-04-27 23:49 · Score: 0
  
  It wouldn't have WordPress installed that's for sure.
10. Re:Already patched by Aethedor · 2015-04-28 00:00 · Score: 1
  
  The issue described in this topic (cross-site scripting) is very old (about 15 years in this case). But so is its solution. The same goes for all other security issues. There is no reason and therefor no excuse to have such or any other known vulnerability in your website today. Specially because the solutions are very easy. Security is no rocket science!
  The majority of all hack attempts are for SQL injection, cross-site scripting, cross-site request forgery, remote file inclusion, directory traversal, etc. You can look them up, there are even many websites dedicated to them (owasp.org for example). There is, I say it again, no excuse to not know about these vulnerabilities and to have one of them in your website.
  The only web developers who still have such security bugs in their software are 1) lazy 2) incompetent 3) not interested in security or 4) have been asleep for 15 years. For whatever the reason is, it's not wise to use their software!/p.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
11. Re:Already patched by goarilla · 2015-04-28 04:36 · Score: 1
  
  The only web developers who still have such security bugs in their software are 1) lazy 2) incompetent 3) not interested in security or 4) have been asleep for 15 years. For whatever the reason is, it's not wise to use their software!/p.
  
  That's like 90% of all developers :D.
12. Re:Already patched by thegarbz · 2015-04-28 20:53 · Score: 1
  
  Hardly. You weren't interested in security at all. You were talking about being a prime target and being a prime target is something that comes from popularity and the potential for a single exploit to affect the largest number of people in one go.
  If you had a theoretically perfectly secure piece of software that every single person in the world uses in the same way you will still be no less of a prime target with hackers queueing up long lines to try and break something. Kind of like how people will still target the heads of state of countries despite them being amongst the most well protected.
wait, what? by Anonymous Coward · 2015-04-27 17:49 · Score: 1

Server side code execution?
I'm sure they mean client side, since I doubt word press is parsing and executing JavaScript on the server.
1. Re:wait, what? by darkain · 2015-04-27 18:16 · Score: 5, Informative
  
  Re-read the summary. It is a little more complex than you may realize.
  Attacker inserts malicious JS code into a comment box.
  JS code is viewed and thus executed by site's administrator.
  JS code was specifically crafted to modify/edit PHP files on the server - a common function of WordPress, allowing the live editing of templates and plugins.
  JS code then requests the newly modified PHP files from the server.
2. Re:wait, what? by Anonymous Coward · 2015-04-27 18:19 · Score: 0
  
  Server side code execution?
  I'm sure they mean client side, since I doubt word press is parsing and executing JavaScript on the server.
  The attack uses javascript in the browser to make use of the Administrator's logged in credentials and execute changes to the site, installing a backdoor. The video shows this pretty well.
3. Re: wait, what? by ironicsky · 2015-04-27 23:34 · Score: 3, Insightful
  
  And all this can be prevented if administrators simply adding one line to their wp-config.php
  define('DISALLOW_FILE_EDIT', true);
  Wordpress provides a large amount of hardening functions like this, others allow the overriding of default file permissions of uploaded documents to 644 instead of 755 to prevent execution of uploaded scripts.
  Developers need to educate themselves on the software they are provides to beat learn how to administrate it.
4. Re: wait, what? by Anonymous Coward · 2015-04-28 01:10 · Score: 3, Informative
  
  Prevent execution of uploaded scripts? PHP scripts do not need execute permissions in order to run them. Other scripts can generally be executed as arguments to shell programs, such as "/bin/sh $FILEPATH", if you want to execute those programs in the context of the server rather than simply provided crafted code to a client.
  Your reference to that define is also silly. That's an application-level setting setting a value that the core engine uses to determine permissions. Once someone is allowed to execute any PHP code through the application (which is exactly what this vulnerability is), they can clearly do so without using the Wordpress core interface. PHP kind of has that functionality built in.
  The real problem is that almost all installations of Wordpress ensure that their files are editable by the web process user in order to use the auto-update feature. That ensures that *any* vulnerability instantly owns your entire Wordpress installation. It serves almost no other purpose. If the web process user cannot edit the core PHP files, then Wordpress cannot update itself, and neither can any injected scripts. I will grant however, that once you allow executable PHP in database-stored content, it doesn't matter much whether the files are editable or not, because the database storage becomes the tool of the attack.
5. Re: wait, what? by drinkypoo · 2015-04-28 01:22 · Score: 1
  
  The real problem is that almost all installations of Wordpress ensure that their files are editable by the web process user in order to use the auto-update feature.
  Sure, but that's a necessary feature of any self-updating CMS. And if you're hosting it, you usually only have one username anyway, so the files can't be owned by another user.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
6. Re: wait, what? by Anonymous Coward · 2015-04-28 03:13 · Score: 0
  
  Those who are more paranoid acknowledge that ownership problem and do updates using an alternate method, i.e. login.
7. Re: wait, what? by parkinglot777 · 2015-04-28 03:16 · Score: 1
  
  And all this can be prevented if administrators simply adding one line to their wp-config.php
  If you read TFA, you would know that your comment tends to illustrate that you are on the high horse. Your statement is similar to "what should have been done," but that is not the point. The point is that the exploitation is still alive and people should be aware of. If they need to prevent the exploitation, then they could do it in many ways which may include what you said.
  
  “An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,”
  
  Pynnonen said the best solution until a patch is made available is to disable comments and not approve any.
8. Re: wait, what? by drinkypoo · 2015-04-28 03:45 · Score: 1
  
  Those who are more paranoid acknowledge that ownership problem and do updates using an alternate method, i.e. login.
  I don't think you understand what I said. If you've only got one uid, then both your web user and your shell user are the same user. This is typical of low-cost hosting services. Unless you're colocating, you've typically only got one uid. This ain't the law, some providers will let you crank them out, especially if you're chroot'd.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re: wait, what? by Just+Some+Guy · 2015-04-28 06:18 · Score: 1
  
  Wordpress provides a large amount of hardening functions like this
  ...which are completely freaking worthless if they're turned off by default. 99.9% of users will never visit and study every available config option, and the other .1% will be wondering why it's not the default setting if it's so great.
  Your post is like those who insist that MySQL has safe data settings for those who know how to enable them, while ignoring the fact that almost everyone uses the configuration as shipped. Unsafe by default is an insane and undefensible way to distribute software. In fact, I can't think of a good justification for ever allowing the unsafe values to be set.
  
  --
  Dewey, what part of this looks like authorities should be involved?
10. Re: wait, what? by Anonymous Coward · 2015-04-28 07:13 · Score: 1
  
  And all this can be prevented if administrators simply adding one line to their wp-config.php
  define('DISALLOW_FILE_EDIT', true);
  Why the fuck isn't that the default? If an "administrator" needs this functionality, they should have to intentionally turn it on. Having all of these whiz-bang cool features turned on by default is half the problem. Most people who install Wordpress onto their GoDaddy account and head off to the races aren't "administrators," and don't need to have this stuff exposed.
I say it's the fault of the NEOCONs by Anonymous Coward · 2015-04-27 17:54 · Score: 1, Funny

Whenever I see people accusing the Liberals for anything I get angry, very angry

... this seems more a fault of highly liberal error handling on the part of Web browsers and MySQL ...

It is the fault of the NEOCONs all the while
If not because of the goddamn NEOCONs everybody would have been using postgresql rather than that piece of turd mysql
And still we don't learn by Aethedor · 2015-04-27 18:23 · Score: 1, Insightful

And still we keep on using Wordpress. When will people start looking beyond a nice and shiny interface and put quality (which includes security) at the top of their priority list. When you made the first selection with that criterion, you can look for the most fancy interface. And don't give me the excuse of 'but my web editors have to be able to use it'. Bullshit, lame excuse. Fire them and hire more competent personnel or send them to a proper training.

--
It doesn't have to be like this. All we need to do is make sure we keep talking.
1. Re:And still we don't learn by Martin+Blank · 2015-04-27 19:28 · Score: 2
  
  People go to the shiny sites. If they see older-looking sites, they're less likely to stick around, particularly if it doesn't have the nice features that the newer sites have.
  For all the problems that PHP has, I don't see many nearly as many sites going up built on other platforms, in large part because they're playing catch-up and are still largely years behind. .NET is probably the closest, but when you look at the number of free or even inexpensive sites running Windows, it pales in comparison to the PHP-based sites.
  Add to this that WordPress is by far the easiest of the major CMS platforms to manage, and it gets even worse. I manage a couple of WordPress sites and a Joomla site. WordPress largely Just Works(TM). Joomla works for basics, but every time I want to get beyond adding a menu item, it becomes a whole new learning process.
  
  --
  You can never go home again... but I guess you can shop there.
2. Re:And still we don't learn by l0n3s0m3phr34k · 2015-04-27 19:56 · Score: 1
  
  so what easily deployable CMS do you now endorse?
3. Re:And still we don't learn by Anonymous Coward · 2015-04-27 20:09 · Score: 1
  
  Microsoft Frontpage
4. Re:And still we don't learn by Aethedor · 2015-04-27 20:41 · Score: 2
  
  A not-so-shiny CMS doesn't mean that the website you create with it can't be shiny. Those are two separate things. Of course, the actual website must be shiny, but the CMS should be (if you ask me) secure and trustworthy.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
5. Re:And still we don't learn by thegarbz · 2015-04-27 20:59 · Score: 1
  
  When will people start looking beyond a nice and shiny interface and put quality (which includes security) at the top of their priority list.
  As soon as another easy to use, easy to implement system comes along that can replace it. Next you'll be complaining we don't all program by tapping the 1 and 0 button on the keyboard in a certain pattern.
  Abstraction has it's place, and there's essentially no alternative to wordpress that has the feature set, documentation, ease of use, and user group behind it.
6. Re:And still we don't learn by Aethedor · 2015-04-27 21:02 · Score: 1
  
  And before you come up with "but my Wordpress websites also have never been hacked", I meant: hack-free without any update or me having to worry about its security.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
7. Re:And still we don't learn by Anonymous Coward · 2015-04-27 21:08 · Score: 1
  
  Get off your high horse. People no longer use shared website hosting with manually crafted pages using "web developers", they use GUI driven commercial websites that use various packages instead. Don't blame the user for trusting professional services, blame the shitty programmers that don't write secure applications. I wonder why you're so defensive.
8. Re:And still we don't learn by Anonymous Coward · 2015-04-27 22:01 · Score: 0
  
  He uses the Banshee PHP framework.
9. Re:And still we don't learn by Jesus_666 · 2015-04-27 22:05 · Score: 2
  
  The company I work for has decided to drop WordPress and develop a new CMS that does exactly what we need in-house. We mostly need static pages so there's no need to load an entire application platform (which is what WordPress is, essentially) every time anyone wants to view a page. Plus, WordPress does what it does slowly, plus we need tons of plugins (which eat even more performance) to get the functionality we need, plus many WordPress plugin authors think "best practice" is where you find a good doctor.
  
  Sure, it's going to take some time to develop but we can take the 20% of WordPress's functionality we actually need, cover the functionality WordPress doesn't offer natively without relying on modules of questionable quality and have a web-facing dynamic codebase that's so small we can be reasonably certain it's not vulnerable. (Essentially, the only PHP code on the published website should be a simple session management script so we can put content behind a password with more flexibility than .htpasswd.)
  
  Despite writing everything ourselves we still expect to save money in the long term, simply because WordPress generates so much work for both our employees and our server. It's okay for a basic blog if you can babysit it but anything beyond that becomes a nightmare.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
10. Re:And still we don't learn by geekymachoman · 2015-04-27 22:27 · Score: 2
  
  Because it's easy to install and maintain, it has millions of free templates and plugins and it's highly flexible.
  Because small startups cannot AFFORD a custom coded CMS, themes, plugins or TRAINING.
  Small startups/businesses in my experience are majority of wordpress users and their money is better spent on marketing, paychecks, and everything else that's needed to get the project off the ground.
  I can literally set you up with a site and a ecommerce system in 20 minutes for FREE - that's why. The site that will be functional and professional looking.
  The guy I work for now is doing sales of his own brand product. All his sites are in wordpress including the shop site. All of these were made by "clueless" people (in terms of IT knowledge) and he's doing $35k USD a month in sales after 1 year of doing it.
  It's a small startup, and if wordpress didn't exist - his business wouldn't exist and salaries for 4 people wouldn't exist.
  Wordpress has pretty good support as well. Updates are released often, and on dashboard you get notified of those updates - after which you do 2 clicks - done. Up2date, vulnerability gone. If they don't fix known bug, cool - hire somebody to fix it for you.
  I know slashdot people like to shit on wordpress, PHP etc., but hundreds of thousands of businesses are on internet because of wordpress. It's a great CMS.
  Internet is not only geek's playground anymore. Common people are on it now and are running their own internet business thanks to wordpress/joomla, facebook apple and the likes. But I also know average slashdot nerd don't care or understand much about how things work outside of what he does for a living.
11. Re:And still we don't learn by Aethedor · 2015-04-27 23:26 · Score: 0
  
  I don't think you arguments are valid. There is much more between a free Wordpress website and a custom coded CMS + all the extra's. You know this. And sure you can setup a website in 20 minutes for free. But if that's the price you want to pay, than that's the quality you get. And btw, I also can setup a website within 20 minutes for free, but with a CMS that even the most skilled hacker will have a hard time with to hack.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
12. Re:And still we don't learn by Anonymous Coward · 2015-04-27 23:37 · Score: 1
  
  Sounds like you're re-inventing the wheel there.
13. Re:And still we don't learn by Anonymous Coward · 2015-04-27 23:47 · Score: 0
  
  Microsoft Frontpage
  That's not a CMS. It has some save-time components in it but it just makes flat HTML files.
  Speaking of which, the last version Expression Web 4 is available for free from MS, and isn't too bad of a competitor for older versions of DreamWeaver. (The newer versions of DW have gone off the rails stupid in candy-coating stuff and making it hard for real developers.) If you are looking for a free substitute for DW check it out.
14. Re:And still we don't learn by turbidostato · 2015-04-27 23:48 · Score: 1
  
  This looks like a non-answer, then. Since Banshee is a framework, not a CMS.
15. Re:And still we don't learn by Jesus_666 · 2015-04-28 01:11 · Score: 1
  
  We are, yes. But we do need some functionality that, right now, is implemented as an elaborate WordPress theme that still doesn't do everything we need. A traditional CMS or blog software is really a poor match for what we're trying to do and trying to shoehorn our needs into one led to several years of frustration.
  
  There are solutions that almost do what we need but those are all offered as services and it's not easily possible to integrate the rest of what we want with them. Plus, they're technically our competition.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
16. Re:And still we don't learn by drinkypoo · 2015-04-28 01:19 · Score: 1
  
  Add to this that WordPress is by far the easiest of the major CMS platforms to manage, and it gets even worse. I manage a couple of WordPress sites and a Joomla site.
  Haven't tried Drupal eh? Damning with faint praise, but it's notably better than WordPress. The only PITA is dealing with database access, but so far I've been able to do that through other modules' code and haven't had to do it directly.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
17. Re:And still we don't learn by Anonymous Coward · 2015-04-28 01:29 · Score: 0
  
  And still we keep on using Wordpress. When will people start looking beyond a nice and shiny interface and put quality (which includes security) at the top of their priority list. When you made the first selection with that criterion, you can look for the most fancy interface. And don't give me the excuse of 'but my web editors have to be able to use it'. Bullshit, lame excuse. Fire them and hire more competent personnel or send them to a proper training.
  Wordpress is Open Source.. feel free to kick in and help.. it's easy to sling mud sitting on your lazy butt in the cheap seats..
18. Re:And still we don't learn by Anonymous Coward · 2015-04-28 01:42 · Score: 0
  
  Because anyone doing web "development" in marketing companies nowadays are script kiddies with no understanding of CS who copy and paste what they find on the Internet to make their next parallaxing masterpiece, without a thought to security or maintainability.
19. Re:And still we don't learn by Martin+Blank · 2015-04-28 02:20 · Score: 1
  
  I tinkered with Drupal, but the philosophy behind Joomla to abstract as much of the code as possible was appealing, and this was right after the SQL injection vulnerability discovered in October, so my trust of their code was lacking. Maybe Drupal would be better than Joomla on a daily basis, but at the time, it just had too much going against it.
  
  --
  You can never go home again... but I guess you can shop there.
20. Re:And still we don't learn by Martin+Blank · 2015-04-28 02:23 · Score: 1
  
  This is all true, but people are more likely to go with what's available (generally meaning pre-made themes) or what developers work on most often (meaning the major platforms). Finding hosting that offers alternatives to PHP may also not be the easiest thing, especially if you don't know about PHP's history.
  None of this is insurmountable with knowledge and/or research, but it's a larger hill than that of PHP, so the tendency will be for people to go the easier route.
  
  --
  You can never go home again... but I guess you can shop there.
21. Re:And still we don't learn by drinkypoo · 2015-04-28 03:44 · Score: 1
  
  I haven't messed with Joomla much so I can't speak as to which is better, but I'm pretty clear that Drupal is at least slightly better and less of a headache than is Wordpress.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
22. Re:And still we don't learn by squiggleslash · 2015-04-28 04:00 · Score: 1
  
  Well there's always this one, renowned for its modern easy to use UI and functionality, speed, lack of bugs, and that it almost never generates 504 errors.
  
  --
  You are not alone. This is not normal. None of this is normal.
23. Re:And still we don't learn by Anonymous Coward · 2015-04-28 15:04 · Score: 0
  
  The most recent version of WordPress contains approximately 8.3 megabytes of PHP, split across 479 files. Which do you suppose is going to be the easier thing for most operators of WordPress blogs?
  Audit the entire server-side codebase (or at least everything that can possibly be hit by non-administrators), possibly with little or no experience with PHP.
  or
  Take all of the content from the blog (or just whatever is important), reformat it either as set of static html documents or as whatever is needed for a simpler CMS.
24. Re:And still we don't learn by cayenne8 · 2015-04-29 04:31 · Score: 1
  
  And btw, I also can setup a website within 20 minutes for free, but with a CMS that even the most skilled hacker will have a hard time with to hack.
  Which one are you talking about? I'm seriously interested in exploring other options!!
  Thanks!!
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
25. Re:And still we don't learn by Aethedor · 2015-04-29 06:39 · Score: 1
  
  I'm talking about the Banshee PHP framework. I'm open to feedback. But when I get the usual vague claims about issues without any proof or pointless flaming about how it's not anything like Wordpress, then I'm out.
  
  --
  It doesn't have to be like this. All we need to do is make sure we keep talking.
26. Re:And still we don't learn by Anonymous Coward · 2015-04-29 13:21 · Score: 0
  
  Why can't it be both? Security ignorant users, and lazy (shitty) devs.
27. Re:And still we don't learn by Martin+Blank · 2015-04-30 01:55 · Score: 1
  
  WordPress is trivially easy to use. That's it's draw. Just figuring how to edit a menu in Joomla took significant effort, and I still have to refer back to my notes to figure out how to do it if it's been a few weeks and I need to create something from scratch. It's significant overkill for someone who just wants to set something up to get their words out to the world.
  There are other issues that can be a headache as well. A lot of people rely on auto-installers to get things in place, but Joomla's web install functionality has been disabled since the upgrade to 3.4 (or at least it still was the last time I tried to use it a couple of weeks ago). It's trivial for me to get around that, though I admit that I would be happier just clicking the install button instead of going through the extra steps, some of which aren't options for people on servers with small max upload sizes.
  Maybe these wouldn't be issues with Drupal, but at this point, I'd rather not go through the potential headache of finding out when the site is working fine under Joomla. But on the main point, people will go with ease over security almost every time, and that means WordPress wins.
  
  --
  You can never go home again... but I guess you can shop there.
Admin at fault by Anonymous Coward · 2015-04-27 18:42 · Score: 0

OTOH, an admin who administrates a blog site with a browser *and with Javascript enabled* just gets what (s)he deserves.
1. Re:Admin at fault by Stewie241 · 2015-04-28 01:08 · Score: 1
  
  Ummm... I suspect that Wordpress administration does not work or at least does not work well with Javascript disabled.
Reminds me of Linux by Anonymous Coward · 2015-04-27 18:50 · Score: 0

Zero-day vulnerabilities that keep popping up almost every day...
The two combined, it's no surprise websites are defaced all the time. We need a new paradigm here.
1. Re:Reminds me of Linux by Anonymous Coward · 2015-04-27 19:05 · Score: 0
  
  > Zero-day vulnerabilities that keep popping up almost every day...
  Satya, is that you? Do you want to help us with that? For the grater good?
2. Re:Reminds me of Linux by Anonymous Coward · 2015-04-27 21:07 · Score: 0
  
  I admit, it's me. But it could be you as well. We have great shilling programs if you are interested in earning some extra bucks.
Word Press? Wow! by udippel · 2015-04-27 19:08 · Score: 1

I used to offer WordPress as blog engine to my users. Like .... 7 or 8 years ago. And half of my time was spent updating, upgrading, and cleaning up after WordPress. After close to 1 year I had withdrawn this offer.
Is there no way to simply prohibit this piece of malware-spouting horribly bad architectured s**tware that seems to have been lingering about ever since?
1. Re:Word Press? Wow! by Anonymous Coward · 2015-04-27 19:17 · Score: 2, Insightful
  
  So you have no contact with the software for the past 6 years but you are convinced you know everything about it. Great.
2. Re:Word Press? Wow! by Mormz · 2015-04-27 19:50 · Score: 2, Informative
  
  Cleaning up after Wordpress? You mean cleaning up after sloppy developers who don't know how to develop in PHP.
  Anyway, Wordpress is by far the most popular CMS, and it's not just the shiny interface. Ease of development. Problem are the developers who don't know even how to code, much less bother to RTFM. I don't deny that Wordpress sites can be a mess, but that's mostly to poorly designed plugins "developers" stuff. I use WPML and Timber, everything else is coded by me and my team.
  Wordpress core is as secure, and faster than any other popular PHP CMS. Larger attack base so sometimes shit happens.
  
  --
  Imagination is more important than knowledge. Having both makes one a genius.
3. Re:Word Press? Wow! by gl4ss · 2015-04-27 20:28 · Score: 1
  
  so because wordpress core is installed on so many servers, that's why the code magically did not have a length/content check on it?
  what logic is that? shouldn't it be the other way around.
  
  --
  world was created 5 seconds before this post as it is.
4. Re:Word Press? Wow! by _merlin · 2015-04-27 21:17 · Score: 1
  
  It isn't as bad as it used to be. There are far fewer security issues found these days, and they don't tend to botch major releases the way they used to. However it's succumbing to bloat, each release bigger than the last.
5. Re:Word Press? Wow! by Anonymous Coward · 2015-04-27 22:47 · Score: 1
  
  He's saying that shit happens, and any other product you use or write yourself is going to have some vulnerability in it that just may not be discovered because nobody cares to look. WordPress runs something like 19% of all internet sites. And yet, how often do you hear about WordPress core (not plugin) vulnerabilities? The last I can remember before this one was a handful of them in 2009.
  I'd honestly have to say that core WordPress is one of the most secure pieces of non-trivial software in existence today. There's no bigger target for hackers, it's code is open for anyone to read through and find attack vectors, and yet (aside from this) the only thing anyone can ever come up with are plugins written by third parties.
6. Re:Word Press? Wow! by dave420 · 2015-04-27 22:53 · Score: 1
  
  WordPress's codebase is a fucking mess, which has a great part to play in the clusterfuck of security which is WordPress. Expecting developers to code great plugins on top of a shitty codebase is asking for trouble.
7. Re:Word Press? Wow! by pubwvj · 2015-04-28 00:53 · Score: 1
  
  "I used to offer WordPress as blog engine to my users. Like .... 7 or 8 years ago. And half of my time was spent updating, upgrading, and cleaning up after WordPress."
  Well there's your problem. WordPress 4.2.1 of 2015 is a totally different system than what you were using. It is now much easier to update, upgrade, clean and manage. Try it again.
My Wordpress is 4.2.2 by l0n3s0m3phr34k · 2015-04-27 19:53 · Score: 1

It auto-updated today, probably in response to this.
WordPress XSS cross-site scripting vulnerability . by DougPaulson · 2015-04-27 19:58 · Score: 2

How can this WordPress vuln be exploited to further leverage access to the underlying Operating System.
Louise. by Anonymous Coward · 2015-04-27 21:05 · Score: 0

Louise was again guilty lying on the hammock relating to her Rio journey.
"Zero day"? by wonkey_monkey · 2015-04-27 21:36 · Score: 5, Insightful

Doesn't "zero day" only really apply to attacks, not vulnerabilities themselves?
After all, every vulnerability is a zero day vulnerability on the day it's discovered/disclosed (and actually it seems there's no indication of whether or not WordPress already knew about this one).
And this one was disclosed yesterday (and may have been discovered much earlier) so it's at least a one-day vulnerability now.

--
systemd is Roko's Basilisk.
1. Re:"Zero day"? by Anonymous Coward · 2015-04-27 22:12 · Score: 0
  
  It's 0-day when the developer of the vulnerable product wasn't given any pre-publication warning on the issue.
  It has nothing to do with the availability of an exploit, which is often left as an exercise for the reader.
New Zero Day Discovered In WordPress Core Spagetti by Qbertino · 2015-04-27 22:39 · Score: 1

New Zero Day Discovered In WordPress Core Spagetti.
FTFY.
(Note: I currently make a living developing/deploying with WordPress)

--
We suffer more in our imagination than in reality. - Seneca
discovered in the WordPress 4.2 by pubwvj · 2015-04-27 23:54 · Score: 2

"discovered in the WordPress 4.2 and earlier core engine"
WordPress is on version 4.2.1 and makes automatic nightly updates and if comment moderation is turned on fully and always then this is not an issue.
Keep up-to-date.
Moderate comments.
Both of these practices are good for other reasons.
Reporting bugs to them is useless by Sun · 2015-04-28 06:20 · Score: 1

Reported a zero day used to attack my site two weeks ago. Attached tcpdump of attack.
Have not heard back. Not even a simple "We've received your report and will get around to it whenever".
Shachar