WP 2.0.2 Update Coming? (56 posts)

  1. marke1
    Member
    Posted 8 years ago #

    Just curious if/when we will see an update to address the recently publicized security issues with WP 2.0.1?

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Which are ..... ?

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Secunia/NeoSecurity advisories are bogus. See http://tinyurl.com/ksx4s for debunking.

  4. marke1
    Member
    Posted 8 years ago #

    Thanks for the link. They're NOT bogus. It's irresponsible of you to make that claim.

    I disagree with (Robert Deaton, at the link you posted) the writer's perspective. Security issues, regardless of how "minor" one might interpret them, aggregate into serious problems.

    For example, exposing directory contents and paths is not good because if I can easily learn what code (plugins, etc) you have installed then I am one step further along in whacking your system.

    It's trivial to guard against a server "misconfig" of error_reporting (include a check in the code to make sure files aren't called directly unless they are meant to be).

    It's trivial to guard against browseable directories (include a blank index.php file). So why not just add the protection into the code? There's no reason not to unless someone doesn't appreciate security.

    At the same time, when WP folks say they offer a "secure" platform then many people, me included, expect them to take even the most minor security issue seriously and do something about it. E.g. protect users against other admin's choices; if code/files aren't meant to be exposed then ensure it stays hidden unless the user intentionally exposes it.

    For those who want to read about the issues (and see possible workarounds), see this link:

    http://www.securityfocus.com/archive/1/426442

    The notice was posted to the Bugtraq mailing list -- one of the most authoritative groups of security-minded people on the Internet. Well respected people in the security community. I'd bet that there would not be one person there who would agree with your perspective.

  5. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I have mailed the hackers list.

  6. marke1
    Member
    Posted 8 years ago #

    What "hackers" list?

  7. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Wait for the response.

  8. NuclearMoose
    Member
    Posted 8 years ago #

    <Checks to see if the sky is falling>

    Nope.

    Over-zealous hype of alleged security holes does not help anyone. This has happened on previous occasions in the WP community, and I can assure you that when serious threats are identified, they are stopped by a very responsive coding community.

  9. marke1
    Member
    Posted 8 years ago #

    NuclearMoose: I think you misunderstand the group of people reporting problems. . . they are security people. Nitpicky, concerned. If you don't follow security stuff regularly then it's easy to downplay just about anything as trivial.

    It's good to start to get a clearer understanding of what application security means to you couple of people who responded......

    I see that both you and "podz" guard against directory browsing to at least some extent (ahem) while at the same time shouting out that it's no big deal!

    NuclearMoose, you forgot to protect your plugins dir:

    [ ] adhesive.php 20-Feb-2006 01:51 13k
    [DIR] akismet/ 13-Feb-2006 19:46 -
    [ ] brianslatestcomments..> 13-Feb-2006 19:46 5k
    [ ] dofollow.php 13-Feb-2006 19:46 5k
    [ ] favatars.php 13-Feb-2006 19:46 13k
    [ ] geo.php 15-Feb-2006 20:32 21k
    [ ] hello.php 13-Feb-2006 19:46 2k
    [ ] jeromes-keywords.php 14-Feb-2006 01:46 25k
    [ ] k2-rollingarchives.php 19-Feb-2006 12:24 4k
    [ ] linkfootnotes.php 20-Feb-2006 00:31 2k
    [ ] linkspage.php 15-Feb-2006 20:32 2k
    [ ] options-contactform.php 13-Feb-2006 19:46 4k
    [DIR] rollingarchives/ 19-Feb-2006 12:24 -
    [ ] subscribe-to-comment..> 13-Feb-2006 19:46 35k
    [DIR] wp-contact-form/ 13-Feb-2006 19:46 -
    [ ] wp-db-backup.php 13-Feb-2006 19:46 30k
    [ ] wpPaginate-v2.php 13-Feb-2006 19:46 6k
    [ ] wp_ozh_adminmenu.php 13-Feb-2006 19:46 7k

  10. Ryan Duff
    Member
    Posted 8 years ago #

    NuclearMoose

    Over-zealous hype...

    Marke1

    NuclearMoose, you forgot to protect your plugins dir:

    That about speaks for itself...

  11. dgrijalva
    Member
    Posted 8 years ago #

    Thanks for posting that guy's plugins folder. I was looking for some good plugins for my own site. I'm gonna check some of those out. ;)

    Bad form, though. It's really not necessary to go after individuals trying to help. We all get that you're a super special security conscious guy, but let's keep this conversation civil.

    Oh, also, the "hackers" list is the mailing list for people working on WordPress or WordPress plugins. Maybe that is a better place to take this discussion?

  12. marke1
    Member
    Posted 8 years ago #

    dgrijalva: Dunno what is a better place. Nothing in the docs I got when I downloaded the WP package said anything about where to post what. So I took the natural route: come to the support site.

    FWIW: I'm not necessarily a "super special security conscious guy" -- but I don't want my systems cracked wide open either, nor the systems of any customers who might depend on my recommendations for software...

    Bad form, you say? Well, if it's not a big deal to allow directory browsing then what's the harm?

  13. scaturan
    Member
    Posted 8 years ago #

    it's good to see a discussion about security. not to become paranoid or anything but individuals as well as hosting service providers need to keep track or at least be aware of any advisories. :)

    i'm responsible for a few hundred WordPress sites and any alerts posted at Secunia or GulfTech always raise the red flag - at least for me.

    I'm sure the WordPress devs (and countless code contributors) are working to enhance how the platform deals with error handling, among the many things they have to deal with.

    I wonder if the WordPress project has ever hired/paid an independent security firm like Netcraft or GulfTech to audit WordPress, not necessarily to look at the code per se line by line, but run some unit tests and vulnerability scanning of some sort to address issues that have been overlooked (if any).

    if you're using Apache and/or your host allows .htaccess overrides, you can try and disable directory listings in this manner:

    # In .htaccess (a <Directory> block is only valid in httpd.conf, not in
    # .htaccess, where it causes a 500 error); closed quotes are the Apache 2.x syntax:
    Options -Indexes
    ErrorDocument 401 "error"
    ErrorDocument 403 "error"

    # The same thing in httpd.conf, where <Directory> is allowed:
    <Directory /path/to/wordpress/>
        Options -Indexes
    </Directory>

  14. marke1
    Member
    Posted 8 years ago #

    If you run your own servers and can control PHP installs then take a look at the Hardened PHP Project:

    http://www.hardened-php.net

  15. masquerade
    Member
    Posted 8 years ago #

    Matt has already said that 2.0.2 is ready at any moment if anything serious comes up. The actual bugs are fixed in WordPress 2.0.2, and when the WordPress development team feels something important enough for the release of 2.0.2 comes up, they will release. Obviously these vulnerabilities carry little merit with the team, and for good reason.

    Okay, so, you can see which plugins he has installed, or, instead you could make a list of all the plugins with security holes, and visit the URI and see if you get something other than a 404. Either way, any attacker can walk along and figure out which files are running. There is no cross-platform way to solve this problem, bundling .htaccess won't help non-Apache users, things like this should be left to the host, as it is not a script's duty to manage the server it runs on.

    These little security advisories have been showing up since the dawn of PHP. WordPress has seen this in Gentoo's GLSA for years, and it's no longer considered any reasonable threat, as there is no sane way for every script and plugin to silently fail without bloating code. Seeing that the only use that would come out of "full path disclosure vulnerabilities" is helping in further attacks, they are not a worry, as without another vulnerability involving the filesystem, this information poses an extremely low, if existent at all, risk.

    You are just as bad as the foolish security researchers who report such things, striking up FUD in perfectly harmless scripts.

  16. NuclearMoose
    Member
    Posted 8 years ago #

    marke1,
    If you want to know what plugins I use, I also happen to post a complete list here:
    http://nuclearmoose.ca/colophon/
    But thanks for posting the list anyway.

  17. NuclearMoose
    Member
    Posted 8 years ago #

    Oh, and as a follow-up, does your list show which plugins are activated? I could have 200 plugins in my folder, but if none of them are active, then what? Somebody please correct me if I'm wrong, but if a plugin is deactivated, it can't really be used against me, eh?

    Besides, I only install plugins from trusted sources. I'd be more concerned about installing a plugin where someone has malicious code hidden in the plugin somewhere.

  18. marke1
    Member
    Posted 8 years ago #

    masquerade:

    there is no sane way for every script and plugin to silently fail without bloating code.

    Try this:

    if (eregi('script-name.php', $_SERVER['PHP_SELF']))
    die('You cannot run this script directly');

    That's one line of code. Hardly what I'd call bloat. Very simple to add to any plugin not meant to be called directly by an end user (change "script-name.php" to the actual name of the script the code is included in).

    This is good for one particular reason: Depending on how a PHP script/plugin is written, it might be able to take action on a system, even if it is not "active" in the WP config. Same goes for any PHP code actually.

  19. marke1
    Member
    Posted 8 years ago #

    NuclearMoose:

    Somebody please correct me if I'm wrong, but if a plugin is deactivated, it can't really be used against me, eh?

    Depends entirely on how that code is written. So yes, it's possible that it could be used against your system.

    If you want to know what plugins I use, I also happen to post a complete list here:
    http://nuclearmoose.ca/colophon/

    Bad idea, in my opinion. No sense giving intruders free info to potentially use against you.

  20. Firas
    Member
    Posted 8 years ago #

    NuclearMoose, depending on the actual threat, a plugin can be used against you without activation.

    WP has been around the path disclosure merry-go-round again and again. There is most likely nothing anyone can say that hasn't been brought up in past attacks and defenses about the issue.

    Serious discussion about path disclosure and whether it's a bug belongs in http://lists.automattic.com/mailman/listinfo/wp-hackers

    I'd recommend that anyone with an urge to respond further to this thread consider whether their positions haven't been summed up by marke1 & scaturan on one side or masquerade on the other already. The average user just wants to know whether they need to worry about anything new or critical, and the WP devs have decided that they don't. Disputing this decision is best done on the wp-hackers mailing list. Thanks.

  21. masquerade
    Member
    Posted 8 years ago #

    if (eregi('script-name.php', $_SERVER['PHP_SELF']))
    die('You cannot run this script directly');

    This will not work on hosts running PHP as CGI and will cause scripts to die upon inclusion of a file. This violates the WordPress coding standards, and wouldn't be committed anyways. Also imagine a url like /?dl=script-name.php, where a proper check like a strpos would return true. To create a proper check, you've just created a 30 line script.
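An added example, not code from the thread or from WordPress itself, covering the point raised in posts 18 and 21: a plugin file can refuse direct requests without pattern-matching on PHP_SELF by testing for the ABSPATH constant, which WordPress defines in wp-config.php before any plugin is loaded. The plugin name, file name and function names below are hypothetical.

```php
<?php
/*
Plugin Name: Guard Demo (hypothetical plugin used only for this example)
*/

// WordPress defines ABSPATH in wp-config.php before it loads any plugin, so a
// file reached through a normal page load sees it. A direct HTTP request for
// /wp-content/plugins/guard-demo/guard-demo.php never passes through
// wp-config.php, so ABSPATH is undefined and we stop here, before any line
// that could call an undefined function and print a fatal error containing
// the full server path. The file stays reachable by URL whether or not the
// plugin is activated, which is why the guard belongs in the file itself.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit( 'You cannot run this script directly' );
}

// For comparison, the name-matching idea from post 18, kept only to show
// its failure modes (it is not used as the guard):
function guard_demo_name_in_self( $php_self ) {
    return false !== stripos( $php_self, 'guard-demo.php' );
}
// guard_demo_name_in_self( '/wp-content/plugins/guard-demo/guard-demo.php' )
//   is true: a direct request, correctly caught.
// guard_demo_name_in_self( '/index.php/guard-demo.php' ) is also true: a
//   normal front-end request whose PATH_INFO happens to contain the name
//   (PHP_SELF is SCRIPT_NAME plus PATH_INFO), so the name check would kill
//   the whole page while the plugin is merely being included. On CGI setups
//   where PHP_SELF is not the script's own path, the check never fires at all.

// The plugin's real code follows the guard.
function guard_demo_footer_note() {
    echo "<!-- guard-demo active -->\n";
}
add_action( 'wp_footer', 'guard_demo_footer_note' );
```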

  22. marke1
    Member
    Posted 8 years ago #

    Just some simple advice for "average WP users":

    -- put an empty index.php file in every directory on your WP install that doesn't have its own index.php file (e.g. don't overwrite existing index.php files!)

    -- don't tell people what plugins you use

    Overall, I'd say the security issues posted by Neo Security Team on 27 Feb 2006 are not, in and of themselves, a problem. BUT, they could be used in some sort of combined attack at a later date.

    There is one way to nip all this in the bud so that WP users don't become overly excited when it crops up in the future: Guard against it in the WP code. That'd be about the end of it, wouldn't it?
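A small CLI helper, added here and not part of the thread, that carries out the first piece of advice above: it walks a WordPress install and writes a placeholder index.php into every directory that lacks one, leaving every existing index.php untouched. The function name and script name are my own; the placeholder text copies the "Silence is golden." file WordPress ships in wp-content/.

```php
<?php
// Hypothetical helper script. Usage from the shell:
//   php add-index-files.php /path/to/wordpress [--dry-run]
// It never overwrites an existing index.php (the core's own wp-admin/index.php
// and wp-content/index.php must survive), and --dry-run only reports what
// would be created.

function add_missing_index_files( string $root, bool $dry_run = false ): array {
    if ( ! is_dir( $root ) ) {
        throw new InvalidArgumentException( "Not a directory: $root" );
    }
    // Collect the root plus every subdirectory. Symlinked directories are not
    // descended into by default, so a link pointing outside the install is safe.
    $targets = [ rtrim( $root, DIRECTORY_SEPARATOR ) ];
    $walker  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $walker as $entry ) {
        if ( $entry->isDir() ) {
            $targets[] = $entry->getPathname();
        }
    }

    $created = [];
    foreach ( $targets as $dir ) {
        $index = $dir . DIRECTORY_SEPARATOR . 'index.php';
        if ( file_exists( $index ) ) {
            continue; // an existing index.php is left exactly as it is
        }
        if ( ! $dry_run ) {
            file_put_contents( $index, "<?php\n// Silence is golden.\n" );
        }
        $created[] = $index;
    }
    return $created;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $dry = in_array( '--dry-run', $argv, true );
    foreach ( add_missing_index_files( $argv[1], $dry ) as $path ) {
        echo ( $dry ? 'would create ' : 'created ' ) . $path . PHP_EOL;
    }
}
```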

  23. marke1
    Member
    Posted 8 years ago #

    podz writes on the wp-hackers mailing list:

    ------------------------------
    http://wordpress.org/support/topic/63115?replies=4

    Please kill this in the forums.
    Or not...

    P.

    ------------------------------

    http://comox.textdrive.com/pipermail/wp-hackers/2006-March/005146.html

    Please censor open, on-topic discussion?

    LOL !

  24. schestowitz
    Member
    Posted 8 years ago #

    Directory listing, which in turn exposes plug-in names, is never being linked to. Thus, it will not be indexed by search engines and flawed plug-ins will not be easily discoverable.

    You could trivially scan many blogs using a script in attempts to find vulnerabilities. PHP-Nuke, Advanced Guestbook and Coppermine are notorious in that respect.

    All in all, getting a list of plug-ins may be a convenient way for learning the blog's composition. If you target a particular vulnerability (due to third-party code), it gives the hacker no advantage. That, marke1, is why your argument and its ludicrous, overstated backing are void.

  25. Chris_K
    Member
    Posted 8 years ago #

    easy there sparky. perhaps he meant "kill it" as in, respond and put to rest? At least, that's how I took it.

  26. NuclearMoose
    Member
    Posted 8 years ago #

    Nobody said anything about censoring...where'd you get that idea, marke1?

    BTW, thanks for the clarification on activated plugins versus deactivated ones, marke1 and Firas.

    I think that this whole "don't tell anyone what plugins you use" is bullshit. Total bullshit. All you have to do is LOOK at most WP blogs, and you can tell right away that they are using various plugins, based on what you see in their content and such. Recent comments, recent posts come to mind. Also, all you have to do is view the source of a blog and often you can see what JavaScript is being used and some plugins and such use CSS in such a way that you can see that a certain plugin is used:

    div class="sb-latest" - easy to see what plugin that's from.

    /wp-content/themes/k2/js/livesearch.js.php

    Should I hide the fact that I use WordPress for my blog? Why give that information to hackers?

    Should I hide the fact that I use a certain template for my blog?
    Why give that information to hackers?

    Oh, wait...maybe the WP devs are irresponsible for telling the world that you can use PHP, Apache, and MySQL to support your blog code. God knows that information is helpful to hackers, isn't it?

    I know, I'll just disconnect from the internet and then I'll be safe from everything!

  27. ringmaster
    Member
    Posted 8 years ago #

    BUT, they could be used in some sort of combined attack at a later date.

    When the "Neo Security Team" actually comes up with a working combined attack, that will be something worthy of note. What they've reported here is known and so repeatedly explained that knowledgeable WordPress folks often don't bother responding to its ilk any more.

    What concerns me is that some outfit calling itself a "security team" can come along and write about so-called vulnerabilities in software and be taken seriously. What credentials does this group have? Where did they learn to write in such poorly-spelled and grammaticized English? And how can a person place any faith in an outfit whose security reports often begin, "Maybe you think this kind of bugs are not bugs..."?

    If you've even bothered to try the suggested attack methods in the report, you know that some don't even work as described!

    In spite of the folderol generated in response to this "threat", take note that at least 5 highly prominent WordPress contributors have considered the issue thoughtfully enough to respond. Just recall that fact when you imagine a real threat report crossing the WordPress event horizon.

    And regarding computer security in general, NuclearMoose: The safest place for your data is not in a computer. Security is always a trade-off for convenience. The more convenience you get, the less security you have. See also: Airport body cavity searches - Less convenient? Yes. More secure? Arguably. ;)

    Take note of some Codex remarks on the subject of security in WordPress:

    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/User:ringmaster/Hardening_WordPress

  28. marke1
    Member
    Posted 8 years ago #

    NuclearMoose:

    I know, I'll just disconnect from the internet and then I'll be safe from everything!

    This might help -- the world's only truly secure firewall:
    http://www.acehardware.com/product/index.jsp?productId=1340674

    LOL ! All in good fun...

  29. marke1
    Member
    Posted 8 years ago #

    ringmaster:

    What concerns me is that some outfit calling itself a "security team" can come along and write about so-called vulnerabilities in software and be taken seriously.

    Security is relative, as you point out. So obviously levels of concern differ. In my opinion, the less intruders know, the better off my sites are. This is indeed a bit of security through obscurity, and it does help.

    Once bitten, twice shy -- as the saying goes.

    Thanks for the link to the hardening doc. That'll be helpful.

  30. NuclearMoose
    Member
    Posted 8 years ago #

    marke1 said:
    This might help -- the world's only truly secure firewall:
    http://www.acehardware.com/product/index.jsp?productId=1340674

    LOL! Good one! :)

Topic Closed

This topic has been closed to new replies.
