[closed] Important Security Information - Updated (29 posts)

  1. Mark (podz)
    Support Maven
    Posted 10 years ago #

    This thread is void due to the release of 1.5.2.
    Go here: http://wordpress.org/support/topic/41866

    You must UPGRADE to first!

    WordPress version is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP sites, allowing the attacker to (try to) execute code on the victim's account.

    ==Are You Vulnerable?==
    To test if your web server has this PHP option enabled, copy-and-paste the following PHP script, save it to your web site as rg.php:

    <?php
    // Reports whether the PHP option register_globals is enabled on this server.
    if ( ini_get('register_globals') ) {
        echo "register_globals is on";
    } else {
        echo "register_globals is off";
    }
    ?>

    Then load that page in your browser:
    If register_globals is off, you may stop reading: your site is not vulnerable to this attack.

    ==How to protect yourself==
    Download the revised wp-settings.php file. This revised version includes specific code to thwart attacks that leverage register_globals.

    To use the revised wp-settings.php file, please first make a backup copy of your existing wp-settings.php file, then simply transfer the new version to the root directory on your site.

    We strongly encourage security in depth. In addition to the fix above, you are encouraged to disable register_globals for your site. Most users will be able to edit their .htaccess file, and place this at the very top:
    php_flag register_globals off

    (Note: on some hosts you may need to take additional steps in order for this option to have an effect. For example, Dreamhost users will need to visit their control panel and uncheck the option to "Run PHP as CGI".)

    If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.
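
The thread describes the revised wp-settings.php as containing "specific code to thwart attacks that leverage register_globals" but does not show it. The following is an added example written for this page, not the revised wp-settings.php and not WordPress code: it shows the general defence-in-depth idea of undoing register_globals inside the application by removing, at start-up, every global variable whose name also arrives as a request key, so request data is only reachable through $_GET, $_POST and the other superglobals. The function name and the CLI demonstration at the bottom are constructed for this example.

```php
<?php
// Added example; not the revised wp-settings.php and not WordPress code.
// Defence in depth against register_globals=On: drop from the global scope
// every variable whose name also appears as a key in a request array, so the
// application only sees request data through $_GET, $_POST, $_COOKIE, etc.

function unregisterGlobals(?array $sources = null): array
{
    // Names that must survive: the superglobals themselves and PHP's own CLI
    // globals. A request key named "GLOBALS" must never be allowed to unset $GLOBALS.
    $protected = [
        'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
        '_ENV', '_FILES', '_SESSION', 'argv', 'argc',
    ];

    if ($sources === null) {
        // Every array whose keys register_globals would have turned into variables.
        $sources = [$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES];
        if (isset($_SESSION) && is_array($_SESSION)) {
            $sources[] = $_SESSION;
        }
    }

    $removed = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true) || !array_key_exists($name, $GLOBALS)) {
                continue;
            }
            unset($GLOBALS[$name]);
            $removed[$name] = true;
        }
    }
    return array_keys($removed);
}

// Typical use: the very first statements of the front controller, before any
// other code reads a global. Only needed while the server still has the option on.
if (ini_get('register_globals')) {
    unregisterGlobals();
}

// Demonstration (CLI only). Simulates what register_globals would have done for
// a request ?is_admin=1: the key appears both in $_GET and as a global variable.
if (PHP_SAPI === 'cli') {
    $_GET['is_admin'] = '1';            // constructed request parameter
    $GLOBALS['is_admin'] = '1';         // constructed: stands in for register_globals
    $GLOBALS['site_name'] = 'demo';     // application-owned global, must survive

    $removed = unregisterGlobals([$_GET]);
    echo 'removed: ', implode(', ', $removed), "\n";
    echo 'is_admin still set: ', var_export(isset($GLOBALS['is_admin']), true), "\n";
    echo 'site_name: ', $GLOBALS['site_name'], "\n";
}
```

Run with `php unregister.php`: the request-derived `is_admin` global is removed while the application's own `site_name` global is untouched. The protected list matters: if a request could carry a key named `GLOBALS` or `_SERVER`, blindly unsetting it would break the application rather than harden it. This is a mitigation for code that has not yet been fixed to read request data explicitly; turning register_globals off on the server, as the post recommends, remains the real fix.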

  2. Marc
    Posted 10 years ago #

    Although I'm not on Dreamhost I attempted to update this file.

    After replacing the file WP gave me the all too common alert (to paraphrase) "it looks like you haven't installed WP, try running install.php"

    I reverted to the original file and everything is normal.

    Should I have run the install function?

  3. Mark (podz)
    Support Maven
    Posted 10 years ago #

    No - there is no need to run install. It's a simple change that should not affect anything else.

    Who is your host ?
    Are you on linux / Windows ?
    Have you tried Option 3 ?

  4. Kafkaesqui
    Posted 10 years ago #

    Keep in mind not all hosts support the php_flag directive. In those cases, updating wp-settings.php is the way to go.

  5. Marc
    Posted 10 years ago #

    Option three is the one I used and downloaded your file podz.

    The host is Ploghost located in the Philippines and the server is linux.

  6. pcmt
    Posted 10 years ago #

    The same thing happened to me as happened to Marc - option 3. I've reverted back to the original settings file, and am relying on the .htaccess mod (option 2).

  7. iand
    Posted 10 years ago #

    Podz, I think you have zipped the wrong wp-settings.php file - it has references to 'capabilities' which I think is something to do with 1.6. The raw version seems to work ok.

  8. Mark (podz)
    Support Maven
    Posted 10 years ago #

    Cheers Ian - I used an svn update file.
    The info above has been edited so the link is now gone.

  9. Marc
    Posted 10 years ago #

    podz I just did the test and the server is vulnerable. I added the new line in the .htaccess file.

    I also filed a support ticket with my host alerting them to this thread and asking if they would be making the suggested changes.

  10. vern
    Posted 10 years ago #

    wp-settings is in the WordPress root (/) directory in my installation and not in wp-includes/.

  11. Mark (podz)
    Support Maven
    Posted 10 years ago #

    Vern - good catch. I'll amend the above post.
  12. Mark Jaquith
    WordPress Lead Dev
    Posted 10 years ago #

    If you get this error:

    Warning: main(/home/yoursite/www/wordpress/wp-includes/pluggable-functions.php): failed to open stream: No such file or directory in /home/yoursite/www/wordpress/wp-settings.php on line 133

    You forgot to upgrade to WordPress first!

  13. vkaryl
    Posted 10 years ago #

    I'm happy to report that the new wp-settings.php works perfectly on all 8 of my wp installs, on two different hosts (both of whom were fairly unconcerned about "register_globals=on", insisting that it was strictly a wp vulnerability, etc. etc.)

    Thanks, guys. I still, I might note, have no idea how to implement the ref'd line in a currently blank .htaccess, or in which folder said .htaccess needs to be placed.... anyone can give me a link to somewhere which is an ".htaccess for dummies" site?

  14. skippy
    Posted 10 years ago #

    .htaccess is an Apache thing; see here for official documentation.

    If the .htaccess file does not exist, simply create it in your text editor, save it as .htaccess on your computer, and upload it through your FTP program to the destination directory.

    If the .htaccess file exists but is empty, simply edit it and insert the required line at the top of the file. Save it, and upload it to your site.

  15. vkaryl
    Posted 10 years ago #

    Okay, but doesn't there need to be something in there before that line? Heh, I already tried to wade through the apache docs, while I was setting XAMPP up on my local machine. Talk about non-transparent.... *sigh*

    So this PARTICULAR .htaccess file needs to be in site-root?

  16. Mark (podz)
    Support Maven
    Posted 10 years ago #

    Yes, it does .. or not.
    Put it in the same directory as your wp-rss2.php file

  17. vkaryl
    Posted 10 years ago #

    Thanks Podz....

  18. skippy
    Posted 10 years ago #

    The way .htaccess files are parsed, you have two choices:
    * you can place .htaccess in your /wordpress/ directory. This will disable register_globals for your WordPress installation only.

    * you can place the .htaccess file in your site root folder. This should disable register_globals for all your sub-directories.

    Obviously, if WordPress is installed in the site root, there's no effective difference between the two.

    The Apache web server looks first in the current directory for a .htaccess file. Then it goes up to the parent directory (if any) and looks for a .htaccess file. It will keep moving up directories until it reaches the site root for the current site.

    So, if you had
    and you placed .htaccess in /, everything should then have register_globals turned off. If instead you placed .htaccess only in /wordpress/, then /, /one, /one/two/, and /one/two/three/ would still have register_globals enabled, while your WordPress installation would not.
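
As an added example (not from the thread, not WordPress code), the following PHP script audits the chain of .htaccess files that Apache merges for a given directory: it walks from the document root down to the directory WordPress lives in, lists every `register_globals` directive it finds in a `php_flag`, `php_admin_flag` or `php_value` line, and reports which one is in effect. In Apache's merge order the deeper file wins, so the last directive listed is the effective one. The function names are constructed, the demonstration builds a throwaway directory tree under the system temp directory, and the script assumes the host allows .htaccess to set PHP options at all, which other posts in this thread show is not true everywhere.

```php
<?php
// Added example, not from the thread or WordPress. Requires PHP 7+.
// Apache merges .htaccess files from the document root down to the requested
// directory, later (deeper) directives overriding earlier ones. This audit
// walks that chain and reports every register_globals directive it finds.

function htaccessChain(string $docRoot, string $target): array
{
    $root = realpath($docRoot);
    $dir  = realpath($target);
    if ($root === false || $dir === false) {
        throw new InvalidArgumentException('document root or target does not exist');
    }
    $root = rtrim($root, '/');
    $dir  = rtrim($dir, '/');
    if ($dir !== $root && strpos($dir, $root . '/') !== 0) {
        throw new InvalidArgumentException('target must be inside the document root');
    }
    // Candidate files, root first, whether or not they exist.
    $chain = [$root . '/.htaccess'];
    $cur = $root;
    if ($dir !== $root) {
        foreach (explode('/', substr($dir, strlen($root) + 1)) as $part) {
            $cur .= '/' . $part;
            $chain[] = $cur . '/.htaccess';
        }
    }
    return $chain;
}

function registerGlobalsDirectives(string $docRoot, string $target): array
{
    $findings = [];
    foreach (htaccessChain($docRoot, $target) as $file) {
        if (!is_file($file)) {
            continue;
        }
        foreach (file($file, FILE_IGNORE_NEW_LINES) as $i => $line) {
            // php_flag, php_admin_flag or php_value form; value on/off/1/0.
            if (preg_match('/^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+(\S+)/i', $line, $m)) {
                $on = in_array(strtolower($m[1]), ['on', '1', 'true', 'yes'], true);
                $findings[] = ['file' => $file, 'line' => $i + 1, 'value' => $on ? 'on' : 'off'];
            }
        }
    }
    return $findings;
}

function effectiveRegisterGlobals(array $findings): ?string
{
    // null: no .htaccess in the chain touches it, so php.ini decides.
    return $findings === [] ? null : $findings[count($findings) - 1]['value'];
}

// Demonstration with a constructed tree under the system temp directory:
//   <root>/.htaccess           php_flag register_globals off
//   <root>/one/two/.htaccess   php_flag register_globals on  (overrides for that branch)
//   <root>/wordpress/          no .htaccess, inherits the root setting
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/htaccess-audit-' . getmypid();
    foreach (['/wordpress', '/one/two'] as $d) {
        mkdir($base . $d, 0700, true);
    }
    file_put_contents($base . '/.htaccess', "php_flag register_globals off\n");
    file_put_contents($base . '/one/two/.htaccess', "# local override\nphp_flag register_globals on\n");

    foreach (['/wordpress', '/one/two'] as $d) {
        $found = registerGlobalsDirectives($base, $base . $d);
        printf("%s: effective register_globals = %s\n", $d,
            effectiveRegisterGlobals($found) ?? 'not set in .htaccess');
        foreach ($found as $row) {
            printf("  %s:%d -> %s\n", $row['file'], $row['line'], $row['value']);
        }
    }

    // Remove the constructed tree again.
    foreach ([$base . '/one/two/.htaccess', $base . '/.htaccess'] as $file) {
        unlink($file);
    }
    foreach ([$base . '/one/two', $base . '/one', $base . '/wordpress', $base] as $d) {
        rmdir($d);
    }
}
```

Run it with `php htaccess-audit.php`, or call `registerGlobalsDirectives('/path/to/docroot', '/path/to/docroot/wordpress')` against a real install. Note that the audit only reads .htaccess files; a `php_flag` line in a directory where the host ignores it (or where it triggers the 500 error described later in this thread) still appears in the report, so confirm the result with the rg.php check from the first post.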

  19. Berlueur
    Posted 10 years ago #

    Any idea why adding a .htaccess to my site's root (where WordPress is installed, BTW) results in all web accesses giving a 500 Internal Server Error? The only thing in the .htaccess file is the instruction to turn off register_globals.

    My host is PowWeb.

    I guess I'll change the wp-settings.php file but still, I wonder why the above happens.

  20. kickass
    Posted 10 years ago #

    FYI, there are a few hosts out there that require you to go in through cpanel (or whatever other access method you have) file manager in order to edit .htaccess.

  21. vkaryl
    Posted 10 years ago #

    The .htaccess thing works fine everywhere but on the one server where apparently php runs as cgi. So I'm hoping that the new wp-settings file will take care of it on its own.... I may be asking my host to move that one domain to another server where php is run under apache....

  22. Kafkaesqui
    Posted 10 years ago #

    "Any idea why adding a .htaccess to my site's root (where WordPress is installed, BTW) results in all web accesses giving a 500 Internal Server Error? The only thing in the .htaccess file is the instruction to turn off register_globals."

    Berlueur, you'd get that error if the php_flag directive is not recognized by the server. As I noted above, not all hosts support it.

  23. Joni
    Posted 10 years ago #

    Thanks so much for this. The web host where I have the majority of my WP installs (testbeds) was safe; but two others were not. I updated the wp-settings file and attempted to edit the .htaccess file. But I got a 500 Internal Server Error until I removed the offending line. Is lack of server support for these flags the ONLY reason I'd get a 500 error or could it also be the file permissions? And what should file permissions be on an .htaccess file for optimum security?

  24. Kafkaesqui
    Posted 10 years ago #

    "And what should file permissions be on an .htaccess file for optimum security?"

    644. That gives write access only to the owner. If the error disappears after removing the line from .htaccess, then it's the directive, not file permissions.

  25. Berlueur
    Posted 10 years ago #

    Thanks Kafkaesqui.

    I managed to find a post on PowWeb's forum that indicated that php_flag doesn't work on PowWeb. (Apparently, this has something to do with PHP run as SuExed (sp?) on PowWeb for security/something reasons. Can't find the post with the details anymore...) The solution is to set the flag in a php.ini file.

    I grabbed a script from tips-scripts.com/?tip=php_ini#tip which gets the default php.ini, copies it locally and sets register_globals to Off (all of this in case PowWeb changes the default file).

    I also set up a cron job to run the script every day.

    Pretty proud of myself, considering: a) it was the first time I executed a PHP script for a specific purpose; b) I knew nothing about php.ini; c) I had never used a cron job before; d) I'm basically a complete newbie at the administration of a web site.
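
The post above describes the approach for hosts where php_flag is not honoured: keep a local php.ini copy with register_globals set to Off and refresh it from a cron job. The following is an added example written for this page, not the tips-scripts.com script Berlueur used and not WordPress code. It rewrites the directive in a copy of a php.ini (replacing any active assignment, or appending one if the directive is absent or only present as a comment), writes the copy atomically, and reads the result back. Function names and the constructed sample fragment are assumptions of this example; the paths in the usage note are placeholders.

```php
<?php
// Added example, not the tips-scripts.com script from the post and not WordPress
// code. Copies a php.ini with register_globals forced to Off. Idempotent, so it
// can run from a daily cron job as the post describes. Requires PHP 7+.

function setIniDirective(string $ini, string $name, string $value): string
{
    // Replace every active (not ';'-commented) assignment of the directive.
    $pattern = '/^[ \t]*' . preg_quote($name, '/') . '[ \t]*=.*$/m';
    $line    = $name . ' = ' . $value;
    $count   = 0;
    $out = preg_replace($pattern, $line, $ini, -1, $count);
    if ($count === 0) {
        // Absent, or present only as a comment: append it so it is actually set.
        $out = rtrim($ini, "\r\n") . "\n" . $line . "\n";
    }
    return $out;
}

function iniDirectiveValue(string $ini, string $name): ?string
{
    // PHP honours the last occurrence, so return the last active assignment,
    // with optional quotes and a trailing ';' comment stripped.
    $pattern = '/^[ \t]*' . preg_quote($name, '/') . '[ \t]*=[ \t]*("?)([^";\r\n]*)\1/m';
    if (!preg_match_all($pattern, $ini, $m)) {
        return null;
    }
    return trim(end($m[2]));
}

function writeHardenedPhpIni(string $source, string $dest): ?string
{
    $ini = file_get_contents($source);
    if ($ini === false) {
        throw new RuntimeException("cannot read $source");
    }
    $ini = setIniDirective($ini, 'register_globals', 'Off');
    // Write to a temporary file and rename: a half-written php.ini breaks every request.
    $tmp = $dest . '.tmp';
    if (file_put_contents($tmp, $ini) === false || !rename($tmp, $dest)) {
        throw new RuntimeException("cannot write $dest");
    }
    return iniDirectiveValue($ini, 'register_globals');
}

// Demonstration on a constructed php.ini fragment (CLI only).
if (PHP_SAPI === 'cli') {
    $sample = "; constructed sample php.ini fragment\n"
            . ";register_globals = Off\n"
            . "register_globals = On\n"
            . "display_errors = Off\n";
    $src = tempnam(sys_get_temp_dir(), 'ini');
    file_put_contents($src, $sample);
    $dst = $src . '.hardened';

    echo 'register_globals before: ', iniDirectiveValue($sample, 'register_globals'), "\n";
    echo 'register_globals after:  ', writeHardenedPhpIni($src, $dst), "\n";

    unlink($src);
    unlink($dst);
}
```

For the real job, call `writeHardenedPhpIni('/path/to/default/php.ini', '/path/to/webroot/php.ini')` (placeholder paths) and schedule it, for example with a crontab line such as `@daily php /path/to/harden-ini.php`. Whether a per-directory php.ini is read at all depends on the host running PHP as CGI or under suEXEC, as the post notes, so verify the effect with the rg.php check from the first post rather than trusting the file contents.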

  26. Matt Mullenweg
    Posted 10 years ago #

    Please don't worry about .htaccess or anything like that and just upgrade:


  27. tomhanna
    Posted 10 years ago #

    Is there a place to get just the changed files for the upgrade (from, even if they aren't zipped up. My FTP program is slower than molasses when I have to upload all new files.

  28. cloudhopper
    Posted 10 years ago #

    Is all this wonderful info rendered obsolete by the 1.5.2 release?!

    I've been sat here thinking "should I? shouldn't I?" and then a new release appears.

    *sigh* ;o)

  29. Mark (podz)
    Support Maven
    Posted 10 years ago #

    Tom - yes. See the new thread :)

    Thread closed due to new release.

Topic Closed

This topic has been closed to new replies.