security exploit: Multiple Vulnerabilities in WordPress 3.3.1 and prior

    According to the link you posted the official word from the vendor is:

    “We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small.”

    However, if you want to limit access to the file, you can add this code near the top right after the error_reporting(0); line.

    // Guard for wp-admin/setup-config.php: anyone who requests it directly
    // is sent to the site's home page instead of reaching the installer.
    if (preg_match("/setup-config\.php/i", $_SERVER['REQUEST_URI'])) {
        $home = $_SERVER['HTTP_HOST'];       // host name taken from the request
        header('Location: http://' . $home); // 302 redirect to the site root
        exit();
    }

    This will redirect anyone who tries to access this file directly to your home page.

    what file would we be editing?

    atoon
    Member

    @badri-pillai

    wp-admin/setup-config.php
    Note: &#039; = '

    Safety: Thanks for the patch

    Pioneer Web Design
    Participant

    @swansonphotos

    I would think the security issue would occur at enabling write access to the admin file?

    wp-admin/setup-config.php
    Note: &#039; = ‘

    Not sure why it decided to change the ‘ character to that. Must have been too many special characters in a row.

    I would think the security issue would occur at enabling write access to the admin file?

    The issue, as I understand it, is that the site’s content would be stored in a db on a remote server. This would allow the attacker to insert any content they wish and have it execute on the vulnerable server.

    With that said, this has to be done during the install process. If you try to run the file after install it will check for the existence of the wp-config.php file and exit after it finds it. That’s why there is no push from the vendor to “fix” the “issue”.

    atoon
    Member

    @badri-pillai

    I installed “Lockdown WordPress Admin” plugin, which hides wp-admin.
    Still have to check if it helps.

    Any comments?

    atoon
    Member

    @badri-pillai

    BTW:

    on all my WP installations:

    1) wp-admin and underlying directories are mode 755
    and the owner is not the web server user (e.g. apache)
    find wp-admin -type d -exec chmod 755 {} \;

    2) wp-admin/* files are 644 and the owner is not apache
    find wp-admin -type f -exec chmod 644 {} \;
    find wp-admin -type f -exec chown WEBUSER {} \;

    NOTE:
    – replace WEBUSER with your web server user name
    – this assumes you are in your blog docroot
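An added example, not from the thread or from WordPress: a POSIX shell script that applies the permission scheme from the post above (directories 755, files 644, a chosen owner) to a wp-admin tree and then audits it, so you can see at a glance which entries still deviate. The function names harden_wp_admin and audit_wp_admin are mine; DIR and OWNER are arguments, OWNER being whatever account you have decided should own the files.

```shell
#!/bin/sh
# Added example (not from the thread): apply the permission scheme described
# above to a wp-admin tree, then audit the result. Function names are my own.

# harden_wp_admin DIR OWNER
#   directories -> 755, regular files -> 644, everything -> owned by OWNER
harden_wp_admin() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "harden_wp_admin: not a directory: $dir" >&2; return 2; }
    find "$dir" -type d -exec chmod 755 {} \; || return 1
    find "$dir" -type f -exec chmod 644 {} \; || return 1
    find "$dir" -exec chown "$owner" {} \;    || return 1
    return 0
}

# audit_wp_admin DIR OWNER
#   Lists every entry that deviates from the scheme on stderr.
#   Returns 0 when the tree is clean, 1 when anything deviates.
audit_wp_admin() {
    dir=$1
    owner=$2
    findings=$(
        # -perm without a leading - or / is an exact mode match in POSIX find
        find "$dir" -type d ! -perm 755 -exec echo "dir not 755:" {} \;
        find "$dir" -type f ! -perm 644 -exec echo "file not 644:" {} \;
        find "$dir" ! -user "$owner"   -exec echo "unexpected owner:" {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Usage from the blog docroot, for example:
#   harden_wp_admin wp-admin WEBUSER && audit_wp_admin wp-admin WEBUSER
```

Run the audit on its own periodically; a non-zero exit with a listing on stderr tells you something (an upgrade, a plugin, a manual edit) has drifted the tree away from the scheme.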
