
New SQL Injection vulnerability? (42 posts)

  1. whit
    Member
    Posted 8 years ago #

    Gentoo is reporting that all WordPress versions < 2 are vulnerable if comments are enabled. Yet I'm not finding a warning prominent on WordPress.org or instructions on how to patch 1.5.x versions to fix this. What's up with it?

    (See http://www.gentoo.org/security/en/glsa/glsa-200603-01.xml)

  2. TechGnome
    Moderator
    Posted 8 years ago #

    Well, I guess that solves a problem for me....

    A shame really.

    -tg

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Crap.
    Please can this be patched against ?

    Edit:
    If you are using 1.5.2, backup your database.
    Frequently.

  4. TechGnome
    Moderator
    Posted 8 years ago #

    Comment #10 on the bug page: http://bugs.gentoo.org/show_bug.cgi?id=121661
    reads as follows:

    ah. Sorry should have notified you about my progress. I got in contact with Ryan Boren through security@wordpress.org and discussed the bug with him. His comments were:

    "1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1.
    We hadn't planned on backporting anything to 1.5.2."

    So it's OK to release with me.

    So that sounds like a "uh, no." to me.....

    Like I said, it just made a decision easier for me.

    -tg

  5. vkaryl
    Member
    Posted 8 years ago #

    And wasn't it of course only a matter of time anyway....

    Poop. Good thing I've been getting familiar with 2.0.1 - *sigh*

    Even though I'm the queen of redundant backups, I'm not gonna mess with trying to stay with 1.5.2 I guess.

  6. whooami
    Member
    Posted 8 years ago #

    the fix for that.. rather "how" to fix is on trac. Podz, I think you're the one that linked to the changed files in another thread..

    compare the comment-functions.php's:

    2.0.* :

    function wp_filter_comment($commentdata) {....

    $commentdata['comment_agent'] = apply_filters('pre_comment_user_agent', $commentdata['comment_agent']);

    .. and so on..

    kses.php was the other file that changed as well, if I remember correctly.

    (nice that I moderate everything)

  7. Mark (podz)
    Support Maven
    Posted 8 years ago #

    vkaryl - "And wasn't it of course only a matter of time anyway..."

    so 2.0.2 will be insecure by definition ?

  8. vkaryl
    Member
    Posted 8 years ago #

    I think everything is "insecure by definition" simply because there's a whole world of idiots out there who spend their lives digging to find exploitable areas.

    Be nice to be wrong.

  9. whooami
    Member
    Posted 8 years ago #

    this is actually old ...see #5

    oops, I guess a link is needed.

    http://www.frsirt.com/english/advisories/2005/0925

  10. lhk
    Member
    Posted 8 years ago #

    Hi,

    do I understand correctly that moderated comments are not touched by that problem?

    LHK

  11. whooami
    Member
    Posted 8 years ago #

    that's what I read. shall we try it? I have a ua switcher extension installed :) fwiw, I can't even view my site WITH a ` in my u-a (go figure, cookies)

  12. kickass
    Member
    Posted 8 years ago #

    whooami, am I to understand from what you said above that 1.5.x can be patched at least temporarily? I have not the time nor the patience right now to do a complete upgrade on my own blog and deal with the resulting fallout from the buggy 2.0.1. Bad enough I have to CLEAR EVERY DAMN THING in my client layouts right now just to get that bad b&tch to render them right (whereas 1.5.x doesn't need any of it.) *grumbles about hackers, bugs, and life in general*

  13. lhk
    Member
    Posted 8 years ago #

    LOL whooami,

    you're way above my head ;-)

    I'm just wondering whether I still have some time before I need to update other blogs I also maintain which still are on 1.5.2. Comments usually are - as per definition - set to moderated for blog sites I set up for people, because it's not really spam they need to guard against, rather competitor nastiness.

    After seeing quite a few problems people have here with updating, I want to sandbox all the updates first and had hoped to be able to do that at leisure.

    LHK

  14. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Do NOT upgrade to 2.0.1 !!
    You'll have to then upgrade to 2.0.2

    Wait. Hopefully the dev blog will have something. Soon.

  15. vkaryl
    Member
    Posted 8 years ago #

    Hey, that's nice (sarcasm should be assumed there).... what's happened to my tester's list emails that should have info about this? I only got one digest yesterday, nothing so far today....

    Last thing I read, 2.0.2 was still on hold. Sheesh.

  16. lhk
    Member
    Posted 8 years ago #

    Hi Podz,

    and why is it such a horror to upgrade to 2.0.2 from 2.0.1? *scratching my head*

    LHK

  17. Mark (podz)
    Support Maven
    Posted 8 years ago #

    lhk - go for it.

  18. whooami
    Member
    Posted 8 years ago #

    well.. If you compare some files, the changes are evident. There's some pre_comment filtering done in 2.0's wp-comment.php that's not done in 1.5.2's.

    For those of us that are defiant, I'm confident it could be done with some editing.

    Ironically, here's one change from 1.5.2 to 2.0 that I missed altogether (I've done a fair amount of comparing too)

    http://wonko.com/article/362

    it's "fixed" in the current download and the change to your 1.5.2 file breaks nothing. That's a whole 'nother issue but still...

    --------

    For now, I'm good, I moderate, and unfortunately the rest of my day is pretty much spent (and then I work), I will be looking at this over the next day or so. Again, though, I'm defiant.

  19. lhk
    Member
    Posted 8 years ago #

    podz - do I read sarcasm there? *still scratching - as I haven't done more than upgrade 1.5.1 to 1.5.2 so far*

    LHK

  20. whooami
    Member
    Posted 8 years ago #

    off topic, but here are two apps that are must-haves if you use Windows:

    windows grep: http://www.wingrep.com

    beyond compare: http://www.scootersoftware.com
    bc allows you to do side-by-side comparisons of files, similar to diff, just with a gui.

    they are absolutely invaluable.

  21. vkaryl
    Member
    Posted 8 years ago #

    Ooo. Yes, grep is great but I never ran across bc before! Thanks....

  22. niziol
    Member
    Posted 8 years ago #

    This question is a little off topic, but somewhat related. I see these .diff files all the time, is there some magical programme that updates the files using the .diff ones or something? I can't seem to understand what the diff is with .diff.

    If you have a link to an explanation of it, or to such a programme if one exists, that would be fantastic!

    Thank you :)

  23. Chris_K
    Member
    Posted 8 years ago #

    :-) http://en.wikipedia.org/wiki/Diff

    Long story short, .diff files show the difference between what it was and what it is. Coders usually use 'em for submitting source code modifications.

  24. niziol
    Member
    Posted 8 years ago #

    Bah, of course I couldn't possibly think of wikipedia! Thanks! *himbo day 2 for me I think*

    But is there a 'patch' like programme for windows, one that will patch the file like the patch command in *nix?

    I have WinMerge, does that do the patch trick?

  25. whooami
    Member
    Posted 8 years ago #

    So I'm taking my shower, and I think, self, why are we even checking the user-agent with a comment submission? Self answered: Akismet?

    My guess would be that the u-a is checked IF you're using Akismet. However, for those that are not using Akismet, a simple fix for JUST THAT ISSUE would seem to be removing the user-agent references altogether, starting about here in comment-functions.php

    function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $comment_type) { ....
    (more below that)

    If you look at that function, I was right. It's there for spam checking.

    Anyway, that would satisfy that issue if you weren't using Akismet, and maybe even if you were. God knows what Akismet does with blank u-a's

    That said, if you look at that function, there's probably room for other things there to be trouble as well. 2.0.*'s equivalent file contains a good deal more checking.
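
To make concrete what posts 6, 11 and 25 are circling (the 2.0 `pre_comment_user_agent` filter, a stray quote in a User-Agent string, and the `$user_agent` argument being carried along for spam checking), here is an added example that is not from this thread or from WordPress: a small Python/SQLite model of a comment INSERT in which the form fields are escaped but the User-Agent header is interpolated raw, beside the same insert with every value bound as a parameter, which is the effect the pre-insert filtering post 6 points at in 2.0 is meant to achieve. The table, the column subset and the hostile header are constructed for the example; the exact 1.5.2 query text is not on this page, so only its shape (escaped form fields, unescaped header, header placed ahead of the last columns in VALUES) is assumed.

```python
import sqlite3

# Constructed stand-in for the comments table. Column names follow the
# wp_comments naming the thread uses, but this is an illustrative subset,
# not WordPress's real schema.
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID      INTEGER PRIMARY KEY AUTOINCREMENT,
    comment_author  TEXT,
    comment_content TEXT,
    comment_agent   TEXT,
    comment_type    TEXT,
    user_id         INTEGER
);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_literal(value):
    """SQLite's quoting rule (double the quote). In 1.5.2 the same role on
    the *form* fields was played by addslashes-style escaping for MySQL."""
    return value.replace("'", "''")


def last_row(conn):
    return conn.execute(
        "SELECT comment_agent, comment_type, user_id FROM wp_comments "
        "ORDER BY comment_ID DESC LIMIT 1"
    ).fetchone()


def insert_comment_vulnerable(conn, author, content, user_agent):
    """Shape of the bug the thread describes: form fields are escaped, but
    the User-Agent header is dropped into the INSERT untouched. Because the
    header sits before the last columns of VALUES(...), whoever sends it
    also controls every column after it."""
    sql = (
        "INSERT INTO wp_comments "
        "(comment_author, comment_content, comment_agent, comment_type, user_id) "
        f"VALUES ('{escape_literal(author)}', '{escape_literal(content)}', "
        f"'{user_agent}', 'comment', 0)"
    )
    conn.execute(sql)
    conn.commit()
    return last_row(conn)


def insert_comment_fixed(conn, author, content, user_agent):
    """Hardened form: every attacker-influenced value, header included, is a
    bound parameter, so the driver quotes it and it can only ever be data."""
    conn.execute(
        "INSERT INTO wp_comments "
        "(comment_author, comment_content, comment_agent, comment_type, user_id) "
        "VALUES (?, ?, ?, 'comment', 0)",
        (author, content, user_agent),
    )
    conn.commit()
    return last_row(conn)


# Constructed header: closes the comment_agent literal, supplies its own
# comment_type and user_id, then comments out the rest of the statement.
HOSTILE_UA = "Mozilla/5.0', 'comment', 1) -- "


def vulnerable_path_survives(user_agent):
    """True if the unescaped INSERT still parses with this header. A plain
    apostrophe, which legitimate UA strings can contain, is enough to break it
    (post 11's 'can't even view my site with a quote in my u-a' is the same
    class of breakage)."""
    try:
        insert_comment_vulnerable(fresh_db(), "bob", "hi", user_agent)
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Send the same hostile header down both paths; returns (vulnerable_row, fixed_row)."""
    vuln = insert_comment_vulnerable(fresh_db(), "alice", "nice post", HOSTILE_UA)
    fixed = insert_comment_fixed(fresh_db(), "alice", "nice post", HOSTILE_UA)
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable path stored:", vuln)    # submitter chose user_id = 1
    print("fixed path stored:    ", fixed)    # header stored verbatim, user_id = 0
```

Two caveats for anyone backporting. First, taking the header out of `check_comment` (post 25) only changes the spam check; whatever builds the INSERT still has to escape or bind the header, or the query is as exposed as before. Second, SQLite quotes by doubling `'` while MySQL uses backslash escaping (addslashes / mysql_real_escape_string), so `escape_literal` above is illustrative for this model, not a drop-in for PHP code.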

  26. Chris_K
    Member
    Posted 8 years ago #

    Niziol - I have WinMerge, does that do the patch trick?

    Been a bit since i used it last, but I'm pretty sure it can work with .diff files, yes.
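
For the question running through posts 22 to 26 (what a .diff file is, and what program "applies" it), here is an added example that is not from the thread: Python that produces a unified diff between two constructed versions of a file with `difflib`, then applies it with a small hunk-by-hunk applier that checks context lines the way `patch -p1` does and refuses when the target file does not match. The two snippets are invented for the demonstration; they borrow the `apply_filters('pre_comment_user_agent', ...)` call quoted in post 6 but are not the real 1.5.2 or 2.0 files, and the applier handles a single-file diff only.

```python
import difflib

# Constructed "before" and "after" versions of a file, not WordPress source.
OLD = """\
<?php
// constructed example file, not WordPress source
function build_comment_row($agent) {
    $row = array();
    $row['comment_agent'] = $agent;
    return $row;
}
"""
NEW = OLD.replace(
    "$row['comment_agent'] = $agent;",
    "$row['comment_agent'] = apply_filters('pre_comment_user_agent', $agent);",
)


def make_diff(old, new, path="comment-functions.php"):
    """Unified diff with a/ and b/ prefixes, the layout `patch -p1` expects."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="a/" + path, tofile="b/" + path,
    ))


def apply_unified_diff(original, diff_text):
    """Apply a single-file unified diff to `original` and return the result.
    Context (' ') and removed ('-') lines must match the target exactly;
    otherwise ValueError is raised, the equivalent of patch's "Hunk FAILED"."""
    src = original.splitlines(keepends=True)
    out = []
    pos = 0                          # next unconsumed line of src
    lines = diff_text.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        if not lines[i].startswith("@@"):
            i += 1                   # file headers and anything outside hunks
            continue
        # "@@ -oldstart,oldlen +newstart,newlen @@": only oldstart is needed
        old_range = lines[i].split()[1].lstrip("-")
        start = int(old_range.split(",")[0])
        target = max(start - 1, 0)
        if target < pos:
            raise ValueError("hunks overlap or are out of order")
        out.extend(src[pos:target])  # untouched lines before the hunk
        pos = target
        i += 1
        while i < len(lines) and not lines[i].startswith("@@"):
            tag, body = lines[i][0], lines[i][1:]
            if tag in (" ", "-"):
                if pos >= len(src) or src[pos] != body:
                    raise ValueError(f"hunk failed at line {pos + 1}: {body!r}")
                if tag == " ":
                    out.append(body)
                pos += 1
            elif tag == "+":
                out.append(body)
            elif tag == "\\":
                pass                 # "\ No newline at end of file" marker
            else:
                raise ValueError(f"malformed hunk line: {lines[i]!r}")
            i += 1
    out.extend(src[pos:])            # untouched tail of the file
    return "".join(out)


def patch_applies(original, diff_text):
    """True if the diff applies cleanly to `original`, False if any hunk fails."""
    try:
        apply_unified_diff(original, diff_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    diff = make_diff(OLD, NEW)
    print(diff)
    print("applies to OLD:", patch_applies(OLD, diff))
    print("applies to an already-patched file:", patch_applies(NEW, diff))
```

The context check is the part that matters when backporting a fix: a hunk written against 2.0 will refuse to land on a 1.5.2 file whose surrounding lines differ, which is the signal to read the change and port it by hand (what post 18 describes doing with side-by-side comparison) rather than to force it.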

  27. vkaryl
    Member
    Posted 8 years ago #

    Is akismet usable with 1.5.2?

  28. whooami
    Member
    Posted 8 years ago #

    I dont know, never tried ;)

    That's clearly for spam checking purposes, the inclusion of the u-a. It's checked in functions-post.php in a similar fashion,

    function wp_blacklist_check($author, $email, $url, $comment, $user_ip, $user_agent) { ...

    ---

    I'm off, I absolutely HAVE to go to bank before work!

  29. vkaryl
    Member
    Posted 8 years ago #

    Me either.... *sigh* I suppose I can grab the number and try it. I don't want to.

    So there's a LOT of places the u-a checking would have to be whacked then, right?

  30. FruitFly
    Member
    Posted 8 years ago #

    Akismet can run on 1.5.2 -- or at least I was able to run it when I was testing it on 1.5.2. I've since upgraded the site that I use Akismet on though, and I can't remember if I did that before the Akismet final release or before.... urg. Sorry, that's not terribly helpful.

    The only site I have to keep 1.5.2 on is one where all comments are moderated anyway... so I think I'm ok. (It's one that I hacked to absolute pieces to do something other than blog, and I *really* don't want to have to upgrade.)

    If anyone knows any different ... please say so. :)

This topic has been closed to new replies.