WordPress.org


WMF Windows image Exploit (19 posts)

  1. Mark (podz)
    Support Maven
    Posted 8 years ago #

    IF your WP files are writable AND you are on a shared server (as most of us are) then there is a risk that a file of yours could be linked to a site that, when your files load, tries to get you to download a WMF file.

    This is NOT a WP exploit or weakness.

    The link is also one that you really must not click.

    This happens because of the shared hosting environment and some idiot running a script that writes this junk into your files.
    If this happens on your blog you need to check your files for links that you did not place there. Typical places to look would be theme files though any file that is writable could be a problem.
    Also tell your webhost.

    As detailed:
    http://news.bbc.co.uk/1/hi/technology/4566504.stm

  2. vkaryl
    Member
    Posted 8 years ago #

    First point: don't make anything writeable....

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Some hosts - the bad ones - make things BE writable to work..... if that is your host, MOVE.

  4. vkaryl
    Member
    Posted 8 years ago #

    Um. And then there's the "wp-content needs to be writeable...." situation....

  5. whooami
    Member
    Posted 8 years ago #

    I second what vkaryl said - unfortunately, the same can be said for some webapps, like this one. It was enough of an issue with just recommending that the theme dirs be writable.

  6. vkaryl
    Member
    Posted 8 years ago #

    THANK YOU. I thought myself alone in the grey dim dark....

  7. whooami
    Member
    Posted 8 years ago #

    Nope, and that's precisely why I will NOT be upgrading. I will not use software that requires me to be an exploit waiting to happen.

  8. vkaryl
    Member
    Posted 8 years ago #

    I've got a couple of 2.0 installs (one an upgrade to the RCs, the other to a test bed 1.5.2), because I need to keep track of stuff (so hopefully I have a clue.... yeah right....)

    MY stuff stays on 1.5.2 until hell freezes over at this rate.

  9. petit
    Member
    Posted 8 years ago #

    Yep, it's a bit scary to open up the wp-content directory for writing by anyone. It should suffice to grant writability to the web server (and of course the rightful owner), but as I understand it, it's not always possible with ISP solutions. I simply don't know the user of the web server.
    I really like to have the WP 2.0 though, so - well, it's more open than I like.

  10. vkaryl
    Member
    Posted 8 years ago #

    It kind of depends on how your host sets up the shared servers - and whether apache is run under your username.... among other things.

    "more open than I like...." Scary. You don't want to go there maybe....

  11. whooami
    Member
    Posted 8 years ago #

    I remember wayyyyy back, I had a copy of Netscape Communicator (anyone remember that browser?). One of the nifty things was that it had an upload option within the browser (and no, it didn't use ftp://). Imagine that, you could actually upload with a browser.

    hmmm.....

    The implications of having an entire directory AND subdirectories World Writable are beyond the scope of one little topic here.

    I would hazard a guess that many first time WP users know very little about the risks they are taking with such a setup. They just follow instructions and wonder WTF went wrong in 2 months when their site is on zone-h.

    The simple fact is it's glaringly irresponsible to set up users like that.

    (And yes, I've been waiting patiently for this topic to be brought up here.)

  12. vkaryl
    Member
    Posted 8 years ago #

    Heh. You could have emailed me a gentle nudge....

    There are altogether too many people out there right now setting up "wide open" software. Combined with the proliferation of "script kiddiedom", it's a time bomb.

  13. kickass
    Member
    Posted 8 years ago #

    Well, whose bonehead idea was it to have wp-content writable? I'm sorry but that's just . . . AARRGGHH!!!

    *takes deep breath*

    I hope whoever it is corrects this OBVIOUS mistake and SECURITY HOLE. Geez. WP has been known in the past to be a quality app. Unless this is fixed, it will certainly lose THAT rep.

  14. kickass
    Member
    Posted 8 years ago #

    oh, but I forgot to add -- CODE IS POETRY. HACKED CODE IS DIRTY LIMERICKS.

  15. vkaryl
    Member
    Posted 8 years ago #

    There's really no excuse for making any portion of an app like this one "open writeable" (meaning you don't in the developer's POV "need" to repermit the write options once you're done with them - hello? YOU ALWAYS NEED TO REPERMIT THE WRITE OPTIONS TO NON-WRITEABLE WHEN YOU'RE DONE WITH THEM). I'm pretty seriously unhappy with the whole thing, truth to say, and some "panacea" statements by the dev haven't unruffled my feathers either.... not that anyone gives a rat's ass.

  16. whooami
    Member
    Posted 8 years ago #

    http://comox.textdrive.com/pipermail/wp-forums/2005-December/001025.html

    this:

    "A simple "index.php" inside /backup/ would've done the trick just as well, without loosening permissions on the entire /wp-content/ directory, but Matt's the boss."

    is what kills me. There were other ways.

  17. vkaryl
    Member
    Posted 8 years ago #

    There's always another way. Other than the "easiest" way....

  18. whooami
    Member
    Posted 8 years ago #

    Well, not to kick a down horse but honestly, I remember about 6 or so months ago submitting a bug report on path disclosures in the admin area, admin-footer.php, I believe (or something similar). The responses to my report were tepid at best, and given how that's the first bit of info anyone that's poking around your server is looking for, I was, at the time, surprised.

    I notice, now, that in the last couple days there is a post here, somewhere, pointing out the same problem, and it's not just one file, it's a few.

    Am I surprised, now? Not really, unfortunately.

  19. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I've had a conversation in #wordpress just now after reading some more.

    On my host, default files are
    Directory 755
    Files 644

    If I change files to 400 (which means apache can read the file only) the server flips the permissions to 600 immediately. With perms of 600, apache can write to the file.
    As I understand it, these kiddie scripts get apache to write to the files, so if apache has write access, my files can get compromised.
    Apparently, this has less to do with the software than it does the way hosts set up their server environments. This exploit can affect any file anywhere - and it's just that phpBB, WordPress and other software is so widely used that they are the ones that are nailed each time. (I would hazard a guess that having common filenames is also an element ?).

    So from what I can gather, this WMF exploit does not look for WP files and find a security hole - it runs through a server that a host has set up lazily and cheaply. And hosts are hardly likely to hold their hands up to being cheapskates are they.

    What does not help is that many hosts do not allow files to be 644 - they require files to be much higher in order for them to be used normally. Although this does not affect this exploit and is another issue, I think this is an area where hosts should be explored to find out what's what - after all, if 644 can be bad enough, 666 just makes it worse (and again, not exclusive to WP).

    (And I know this isn't addressing the /wp-content issue !)
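
Added example, not part of any post in this thread: a small audit that walks a WordPress tree, reports anything looser than the 755/644 defaults quoted above (world-writable entries called out separately), and lists script/iframe `src` hosts you did not place there. The function names, the `own_hosts` allowlist, the tag pattern and the sample tree are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Modes quoted in the thread as the host default: directories 755, files 644.
EXPECTED_DIR, EXPECTED_FILE = 0o755, 0o644
# Assumption: an injected link appears as a script/iframe tag with an absolute src.
REMOTE_SRC = re.compile(rb'<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

def audit_tree(root, own_hosts=()):
    """Return (path, finding) pairs for loose modes and foreign src hosts."""
    findings, own = [], {h.lower() for h in own_hosts}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks carry no meaningful mode of their own
            mode = stat.S_IMODE(st.st_mode)
            expected = EXPECTED_DIR if stat.S_ISDIR(st.st_mode) else EXPECTED_FILE
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable %o" % mode))
            elif mode & ~expected & 0o777:
                findings.append((path, "looser than %o: %o" % (expected, mode)))
            if stat.S_ISREG(st.st_mode) and name.endswith((".php", ".html", ".js")):
                with open(path, "rb") as fh:
                    hosts = REMOTE_SRC.findall(fh.read())
                for host in hosts:
                    host = host.decode("ascii", "replace").lower()
                    if host not in own:
                        findings.append((path, "remote src host: " + host))
    return findings

def demo():
    """Constructed tree: a clean 644 file, a tampered 666 theme file, a 777 wp-content."""
    root = tempfile.mkdtemp()
    content = os.path.join(root, "wp-content")
    theme = os.path.join(content, "themes", "default")
    os.makedirs(theme)
    for d, mode in ((content, 0o777), (os.path.dirname(theme), 0o755), (theme, 0o755)):
        os.chmod(d, mode)
    for path, body, mode in (
        (os.path.join(root, "index.php"), b"<?php /* clean */ ?>", 0o644),
        (os.path.join(theme, "footer.php"), b'<iframe src="//injected.example/x">', 0o666),
    ):
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root, audit_tree(root, own_hosts={"myblog.example"})
```

Run `audit_tree` against the real document root with your own hostnames in `own_hosts`; a mode of 600 passes the check even though, as post 19 notes, it is still writable when the web server runs as the file's owner.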

Topic Closed

This topic has been closed to new replies.
