Support » Fixing WordPress » Important Security Information – Updated

  • This thread is void due to the release of 1.5.2.
    Go here: http://wordpress.org/support/topic/41866
    ======================================

    You must UPGRADE to 1.5.1.3 first!

    WordPress version 1.5.1.3 is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker to (try to) execute code on the victim’s account.

    ==Are You Vulnerable?==
    To test if your web server has this PHP option enabled, copy-and-paste the following PHP script, save it to your web site as rg.php:

    <?php
    if ( ini_get(‘register_globals’) ) {
    echo “REGISTER_GLOBALS IS ON”;
    } else {
    echo “register_globals is off”;
    }
    ?>

    Then load that page in your browser:
    http://example.com/rg.php
    If register_globals is off, you may stop reading: your site is not vulnerable to this attack.

    ==How to protect yourself==
    Download the revised wp-settings.php file. This revised version includes specific code to thwart attacks that leverage register_globals.

    To use the revised wp-settings.php file, please first make a backup copy of your existing wp-settings.php file, then simply transfer the new version to the root directory on your site.

    We strongly encourage security in depth. In addition to the fix above, you are encouraged to disabled register_globals for your site. Most users will be able to edit your .htaccess file, and place this at the very top:
    php_flag register_globals off

    (Note: on some hosts you may need to take additional steps in order for this option to have an effect. For example, Dreamhost users will need to visit their control panel and uncheck the option to “Run PHP as CGI”.)

    If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.

Viewing 15 replies - 1 through 15 (of 28 total)
  • Although I’m not on Dreamhost i attempted to update this file.

    After replacing the file WP gave me the all too common alert (to paraphrase) “it looks like you haven’t installed WP, try running install.php”

    I reverted to the original file and everything is normal.

    Should I have run the install function?

    No – there is no need to run install. It’s a simple change that should not affect anything else.

    Who is your host ?
    Are you on linux / Windows ?
    Have you tried Option 3 ?

    Keep in mind not all hosts support the php_flag directive. In those cases, updating wp-settings.php is the way to go.

    Option three is the one I used and down loaded your file podz.

    The host is Ploghost located in the Philippines and the server is linux.

    The same thing happened to me as happened to Marc – option 3. I’ve reverted back to the original settings file, and am relying on the .htaccess mod (option 2).

    Podz, I think you have zipped the wrong wp-settings.php file – it has references to ‘capabilities’ which I think is something to do with 1.6. The raw version seems to work ok.

    Cheers Ian – I used an svn update file.
    The info above has been edited so the link is now gone.

    podz I just did the test and the server is vulnerable. I added the new line in the .htaccess file.

    I’m also filed a support ticket with my host alerting them to this thread and asking if they would be making the suggested changes.

    wp-settings is in the WordPress root (/) directory in my installation and not in wp-includes/.

    Vern – good catch. I’ll amend the above post.

    Thanks!

    Moderator Mark Jaquith

    (@markjaquith)

    If you get this error:

    Warning: main(/home/yoursite/www/wordpress/wp-includes/pluggable-functions.php): failed to open stream: No such file or directory in /home/yoursite/www/wordpress/wp-settings.php on line 133

    You forgot to upgrade to WordPress 1.5.1.3 first!

    I’m happy to report that the new wp-settings.php works perfectly on all 8 of my wp installs, on two different hosts (both of whom were fairly unconcerned about “register_globals=on”, insisting that it was strictly a wp vulnerability, etc. etc.)

    Thanks, guys. I still, I might note, have no idea how to implement the ref’d line in a currently blank .htaccess, or in which folder said .htaccess needs to be placed…. anyone can give me a link to somewhere which is an “.htaccess for dummies” site?

    .htaccess is an Apache thing; see here for official documentation.

    If the .htaccess file does not exist, simply create it in your text editor, save it as .htaccess on your computer, and upload it through your FTP program to the destination directory.

    If the .htaccess file exists but is empty, simply edit it and insert the required line at the top of the file. Save it, and upload it to your site.

    Okay, but doesn’t there need to be something in there before that line? Heh, I already tried to wade through the apache docs, while I was setting XAMPP up on my local machine. Talk about non-transparent…. *sigh*

    So this PARTICULAR .htaccess file needs to be in site-root?

    Yes, it does .. or not.
    Put it in the same directory as your wp-rss2.php file

Viewing 15 replies - 1 through 15 (of 28 total)
  • The topic ‘Important Security Information – Updated’ is closed to new replies.