So in case you were somehow blind to the five thousand vulnerabilities that came through the past two weeks, I’m going to go over the big ones and hopefully plead hard enough for you to patch your wordpress install that you won’t get owned. We’re going to talk about the plugin problems, and the most recent problem with comments, and try to secure your install.

tumblr_lihlwxu4sz1qfo270o1_r1_400

Okay, let’s get into this.

Cross Site Scripting with Plugins

So this hit last monday, and was a very well coordinated release between WordPress Core Developers, Sucuri, and plugin developers. I was impressed that anyone could get that kind of coordination through the community, but lo and behold there it was.

tumblr_mq22z7l1wx1rcatuko1_500

The issue was with two functions that developers use to create URL query strings. These functions were misused in a big way and I suggest to audit your own plugin code (if you’re a developer). The two functions are add_query_arg() and remove_query_arg()

an example of this in action is probably super familiar to everyone using wordpress but http://example.com/blog/?search=word&foo=bar


add_query_arg( 'foo', 'bar', 'http://example.com/blog/?search=word' );

You can see where/how this is used in the codex

Repairing this is easy just wrapping your function in esc_url() will fix it.


echo esc_url( add_query_arg( 'foo', 'bar', 'http://example.com/blog/?search=word' ) );

Easy fix! There’s no reason not to do it. In fact it was so easy that it was patched pretty quickly.

What was affected:

  • Jetpack fixed in 3.5
  • WordPress SEO fixed in 2.1.1
  • Google Analytics by Yoast fixed in 5.4.2
  • All In one SEO fixed in 2.2.6.2

and many more

UPDATE YOUR PLUGINS

If you haven’t updated your plugins in the last two weeks, please go ahead and do that now.

WordPress Cross Site Scripting Vulnerabiltiies

The one I talked about just now was also a problem with the WordPress core but was patched on the same day as all the plugins so if you’re running 4.1.2 (or 4.2 which was just released last week) you should be fine for that problem, however there was a new XSS (Cross Site Scripting) with WordPress that was disclosed today.

This affects 4.2, there is no patch

Here is a sweet video of the Proof of Concept:

So to break this down a little bit, WordPress truncates comments in the database to save space. This is because the TEXT column in the database only allows a maximum of 65kbs of data. If a comment exceeds this amount then it breaks the HTML on wordpress, allowing a hacker to complete the html any way they like, including adding their own scripts.

screen-shot-2015-04-27-at-10-30-33-am

Once it’s truncated in the database it looks more like

screen-shot-2015-04-27-at-10-32-08-am

Notice how the HTML isn’t completed like it’s supposed to, leaving it open until a hacker can complete the HTML as they wish.

What was affected:

If you’re running 4.2 or lower, you’re screwed on this, sorry! Hopefully wordpress releases an update soon.

tumblr_n8v57x09tc1r71c0no1_400

Although it is worrying that when the security analyst tried to contact WordPress Core about this vuln, he was ignored. He writes in his blog post:

WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to respond to the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status our open bug tickets.

Hopefully Sucuri can use their strong presence in the community to get this patched in short order, I hope that the WordPress Core team will treat these vulnerabilities more seriously next time instead of ignoring Security Researchers who have a Proof of Concept of the vulns.

How to fix it (temporarily)

Turn of commenting (not always possible) or make sure Askimet is installed and running, maybe install Wordfence or something similar. Don’t approve spammy looking comments!

UPDATE: WordPress 4.2.1 includes the patch that will fix this :)

What is Cross Site Scripting (XSS) and why is it bad?

So I do know a lot of people who read my blog aren’t actual security people and just people who run WordPress installations trying to live their life and look at anime gifs. So I’ll explain this for everyone who doesn’t know.

any-cowboy-bebop-fans-23750

Cross Site Scripting is probably one of the easiest ways to do hacks lately, the baidu hack that took down github used a Cross Site Scripting attacks.

How it works

Javascript, and some other types of scripts are compiled and executed on the users computer and not your server (unlike PHP and Python which are compiled and executed on your server) which leaves opportunities for attack. A hacker will insert a malicious script of function somewhere on your site without your approval and when users come to your site they will unknowingly download the malicious script and execute it.

They can really do anything to your user, but on wordpress this is usually used by malware sites redirecting traffic or capturing user data on login.

For example, attaching a javascript file to the “login” button on your wordpress install that captures the username and password and sends it to an external site while you login normally.

More on Cross Site Scripting

Last week I saw a few sites just get bad links injected with XSS attacks, and that’s the norm for WordPress sites. Just stay on top of things, honestly, vigilance is the only way to keep WordPress secure.

As always:

4dsh