WordPress with "Highly critical" vulnerability From Remote (8 posts)

  1. udippel
    Member
    Posted 9 years ago #

    [Moderated - URL removed]

    Input passed to the "cache_lastpostdate" parameter via cookies is not properly sanitised before being used. This can be exploited to inject arbitrary PHP script code.

    Successful exploitation requires that "register_globals" is enabled.

    The vulnerability has been confirmed in version 1.5.1.3. Other versions may also be affected.

    I would have expected to see a warning on the WordPress site. Disappointing.

    I'll close the blogs I am hosting for the time being.

  2. Mark (podz)
    Support Maven
    Posted 9 years ago #

    There is a search box here - using it would have got you the answer.
    Disappointing you didn't see fit to use it.

  3. udippel
    Member
    Posted 9 years ago #

    Of course I did. Maybe it is a disappointing search function? ;)

    Definitively I also tried the main page; there was no hint; there is no 'news'; tried the 'support' page, and there was no topic 'security', but:

    404 admin archives blog calendar categories category comments CSS database email Error feed gallery header help htaccess IE image images Import installation link links login MySQL page Pages permalink permalinks photoblog php plugin post posts problem review RSS search sidebar tags template Theme upgrade wordpress

    Seriously, it should not be the secunia advisory pointing out possible problems, but WordPress home, support, news or whatsoever. IMHO.

    Try it out: Type 'security' in the search box; and what you get is older than 3 weeks; the first doc of May 2005 (if memory serves well).

  4. ifelse
    Member
    Posted 9 years ago #

    Further discussion on this topic is likely to be counter-productive but for the purpose of closure, I'll quickly point you to Skippy's good response on this topic.

  5. udippel
    Member
    Posted 9 years ago #

    Thanks for the pointer. Really.
    I still would appreciate something like this (further down) linked to from the home page; including the e-mail link.
    This would show security concerns openly; I would not have felt a need to post this in here.
    Open Source also means transparency; and a contact mail for concerns.
    Maybe you can think about less obfuscation. It would have avoided this thread.

    Uwe

    Every single reader here is invited to participate in WordPress' development. If you notice problems, please log them at trac.wordpress.org. If you discover a severe vulnerability, email security@wordpress.org. The Open Source mantra is "With many eyes, all bugs are small." By working together, we can squash bugs and make sure that WordPress is as secure as it can be.

  6. skippy
    Member
    Posted 9 years ago #

    The WordPress Contact Page has contact information, including the security alias link. Although it's not on the front page, I hardly call that obfuscation.

    This doesn't belong on the home page, or in the dev blog, for several reasons. First, the number of people at risk from this exploit are comparatively few. Second, it's a problem that affects more than just WordPress. Yes, we are taking steps to mitigate the risks, but if your hosting provider has register_globals enabled, despite the default configurations in PHP 4.2.0+ and the warnings about the matter that have been made for quite some time, you can hardly solely accuse WordPress of being insecure. You should also contact your host.

    We've shared several ways that users can resolve the problem:
    register_globals = off in your php.ini file
    php_flag register_globals = off in your .htaccess file.

    Security concerns are a delicate matter. As I said before, we have an obligation to our users to remain calm, and to thoroughly evaluate our response. It's easy to point out security problems. It's harder to fix them. You are invited to help us fix them.

  7. jbourne
    Member
    Posted 9 years ago #

    Please note that this should be:
    php_flag register_globals Off
    if placed in a .htaccess file

  8. skippy
    Member
    Posted 9 years ago #

    Thanks jbourne -- I edited my post.
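
Added example (not part of any post in this thread, and not WordPress code): a small Python check for the two mitigation forms given in posts 6 and 7, the php.ini line `register_globals = off` and the .htaccess line `php_flag register_globals Off`, which flags the `=` form when it appears in a .htaccess file. The function name `audit`, the state labels and the sample fragments are constructed for illustration; treating the last matching directive as the effective one is an assumption.

```python
import re

# php.ini form:   register_globals = Off
# .htaccess form: php_flag register_globals Off   (no "=" sign, per post 7)
INI_RE = re.compile(r'^register_globals\s*=\s*"?(\w+)"?\s*(?:;.*)?$', re.I)
HT_ANY = re.compile(r'^php_(?:admin_)?(?:flag|value)\s+register_globals\b', re.I)
HT_RE = re.compile(r'^php_(?:admin_)?flag\s+register_globals\s+(\S+)$', re.I)
ON = {"on", "1", "true", "yes"}
OFF = {"off", "0", "false", "no", "none"}

def audit(kind, text):
    """Return (state, line_no) for register_globals in a config fragment.

    kind is "ini" or "htaccess"; state is "off", "on", "malformed"
    (directive present but not in a recognised form) or "unset".
    """
    state, where = "unset", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if kind == "ini":
            m = INI_RE.match(line)
            if not m:
                continue
            value = m.group(1).lower()
        else:
            if not HT_ANY.match(line):
                continue
            m = HT_RE.match(line)                # fails on "= off"
            value = m.group(1).lower() if m else None
        state = "on" if value in ON else "off" if value in OFF else "malformed"
        where = n
        if state == "malformed":                 # stop: needs a human to fix
            break
    return state, where

# Constructed sample fragments
SAMPLE_INI = "; sample php.ini\n[PHP]\nregister_globals = On\n"
SAMPLE_HT_BAD = "# sample .htaccess\nphp_flag register_globals = off\n"
SAMPLE_HT_GOOD = "# sample .htaccess\nphp_flag register_globals Off\n"

if __name__ == "__main__":
    for name, kind, text in [("php.ini", "ini", SAMPLE_INI),
                             (".htaccess (before edit)", "htaccess", SAMPLE_HT_BAD),
                             (".htaccess (after edit)", "htaccess", SAMPLE_HT_GOOD)]:
        print(name, audit(kind, text))
```

A result of "unset" means the file does not mention the directive at all, so the effective value comes from elsewhere (another config file or the PHP default).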

This topic has been closed to new replies.