I feel I should air this. One of the sites I work on was hacked the other day. Somebody used a contributor’s account to post that they had hacked the site. I’m uncertain how they did this. But fortunately I have not allowed the contributor to post without moderation, so it never went public. But short of them hacking the password, which I must now change, is there a vulnerability in the contributor user profile?
The current version, 3.2.1. Sorry I forgot to make that selection until it was already processing my post. I didn’t see that little blank menu till it was too late.
There are no known vulnerabilities of the type you describe in 3.2.1. How do you know that the “hacker” didn’t just have a copy of the contributor’s login details from other sources?
Thanks for your replies.
You don’t know for a fact there isn’t a vulnerability. One way or another someone did hack the site in some way and attributed it to that user. Whether they logged in using that account or used some other method and just attributed it to that account, I don’t know. It’s possible they hacked in using a vulnerability and the WordPress system automatically assigned it to one of the users. It might be reasonable to assume that the authors of WordPress deliberately had the system automatically assign an “un-owned” post to a user with the lowest credentials to reduce the chance of that information being published. After all, her account doesn’t have an unmoderated publishing right. If this is the case I give a hand to the authors of WordPress for taking such an assistive, damage-reducing measure.
It’s all speculation but I think it’s necessary to put this out in the open. I didn’t imagine this.
As I mentioned, I don’t know. I don’t know that user’s credentials. She’s definitely not the type to knowingly compromise her account, but at the same time I haven’t a clue what her password is, so I can’t tell if she made it predictable, and she is forced to change it regardless. I speak to her about these matters from time to time; she knows my thoughts on using predictable passwords.
I’ve explained that using dictionary words, dates, number/character swapping, or adding a few digits before or after are all predictable by an automated system. That is why I personally use 20-digit (unless there is a shorter limit applied by the site) randomised alphanumeric passwords. However, I can’t expect others to do the same as they are impossible to remember.
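As an added illustration of the patterns listed in the post above (this is example code written for this page, not anything posted in the thread or shipped by WordPress), the following Python checks a candidate password against those patterns, namely a dictionary word, number/character swaps, digits or symbols bolted on before or after, and year-bearing dates, and generates the kind of 20-character random alphanumeric password the post recommends, with its entropy in bits. The small WORDLIST and the LEET substitution table are constructed assumptions standing in for a real dictionary and a real cracker's rule set.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real dictionary (assumption: a real check would
# load a full wordlist such as the system dictionary or a cracking wordlist).
WORDLIST = {"password", "summer", "welcome", "admin", "wordpress",
            "monkey", "letmein", "dragon", "football"}

# Common number/character swaps an automated guesser undoes before a
# dictionary lookup (constructed table; real tools use much larger ones).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# 62-symbol alphabet: upper case, lower case, digits.
ALPHABET = string.ascii_letters + string.digits


def strip_affixes(pw):
    """Drop the digits/symbols commonly bolted onto the front or back of a word."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def looks_like_date(s):
    """True for all-digit strings of date length (yyyy, ddmmyy, ddmmyyyy)
    that carry a plausible year at either end."""
    if not s.isdigit() or len(s) not in (4, 6, 8):
        return False
    return any(1900 <= int(y) <= 2099 for y in (s[:4], s[-4:]))


def why_predictable(pw):
    """Return the guessable pattern a password matches, or None if none applies."""
    core = strip_affixes(pw)
    if not core:                      # nothing but digits/symbols
        if looks_like_date(pw):
            return "date"
        return "digits/symbols only" if pw else None
    normalized = core.translate(LEET).lower()
    if normalized in WORDLIST:
        if normalized != core.lower():
            return "dictionary word with character swaps"
        if core != pw:
            return "dictionary word with digits/symbols added"
        return "dictionary word"
    return None


def generate_password(length=20):
    """Random alphanumeric password drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for sample in ("P@ssw0rd123", "Summer2011", "19851203", generate_password()):
        print(f"{sample!r}: {why_predictable(sample) or 'no common pattern found'}")
    print(f"20 random alphanumerics: about {entropy_bits(20):.0f} bits")
```

The checker only undoes the handful of transformations the post names; a real wordlist and rule set catch far more, so a password passing this test is not thereby strong. The generator, by contrast, gives roughly 119 bits for 20 characters over 62 symbols, which is beyond any dictionary-based attack.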
There is no known vulnerability with WordPress. As you said clearly, though “I’m uncertain how they did this.”
And with that, WE cannot presume it’s anything in core right now. It could be a plugin, an insecure password, a security hole in the server.
No one’s saying you’re wrong, we’re answering the question of ‘Is there a known issue?’ and that is this: There is no known vulnerability. If you FIND one, please email security AT wordpress.org with the details, and DO NOT post them here 🙂
(Don’t post ’em cause some idiot might decide to try ’em out on someone else.)
Received this email just now. A big thanks to ElegantThemes, +1 to them.
You are receiving this email because you are an active member of ElegantThemes.com. In the past, our themes have used a popular image re-sizing script called Timthumb (http://www.binarymoon.co.uk/projects/timthumb/). The script is used by millions of sites and is quite popular in the WordPress theming community. That being said, it was noted yesterday that a vulnerability exists within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212), and therefore this vulnerability may also exist in your theme (depending on when you last updated it). While that author has provided a fix, it is highly recommended that you update all of your ElegantThemes themes to their latest versions. The latest versions of our themes no longer utilize the timthumb script and therefore are not subject to this security hole.
Regardless of when you last updated your theme, I would strongly suggest that everyone update their themes to the latest version and ensure that the timthumb.php file and your /cache folder have been removed. To update your theme and remove the file, simply delete your current theme via the Appearance > Themes section of the WordPress Dashboard. Then you can re-download the theme from the members area and re-upload it normally:
The latest theme versions require that your thumbnail images be hosted on the same domain name where WordPress is installed. If you were previously using timthumb.php to allow external image sources by editing the file’s $allowedSites array, then these thumbnails will no longer function.
Before updating the theme, make sure that you are using the latest version of WordPress. I would also disable all of your plugins temporarily before doing any update to ensure that no compatibility issues exist. Remember to always keep WordPress, your Themes and your Plugins up-to-date to help protect yourself against any vulnerabilities.
I am sorry for any inconvenience this has caused.
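As an added example (not part of the ElegantThemes email, nor any WordPress or ElegantThemes code): the check the email asks for, done in Python over a WordPress tree. It walks the install for timthumb.php or thumb.php (and any other .php file whose source mentions TimThumb, so renamed copies are not missed), reports the VERSION constant each copy declares, and says whether a sibling cache directory is still present, since the email wants both the script and the /cache folder gone. Assumptions: the two file names are the common ones timthumb shipped under, and the version is read from timthumb 2.x's define('VERSION', '...') layout, with anything else reported as "unknown". The tree it scans by default is a constructed sample built in a temp directory, not a real site; point it at the real install root instead.

```python
import os
import re
import shutil
import tempfile

# File names timthumb has shipped under in themes (assumption: the two common ones).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# timthumb 2.x declares its version as   define ('VERSION', '2.8.10');
# (assumption about the layout; anything else is reported as "unknown").
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")


def _read(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def timthumb_version(path):
    """Return the VERSION constant declared in a timthumb copy, or 'unknown'."""
    m = VERSION_RE.search(_read(path))
    return m.group(1) if m else "unknown"


def find_timthumb(root):
    """Walk a WordPress install and return sorted (path, version, cache_dir)
    tuples for every suspected timthumb copy; cache_dir is None when no
    sibling 'cache' directory exists (the email asks for both to be removed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # Match by file name, or by content so renamed copies are not missed.
            if name.lower() in TIMTHUMB_NAMES or "timthumb" in _read(path).lower():
                cache = os.path.join(dirpath, "cache")
                hits.append((path, timthumb_version(path),
                             cache if os.path.isdir(cache) else None))
    return sorted(hits)


def make_demo_tree():
    """Create a constructed sample install in a temp dir (not a real site):
    one old theme still carrying timthumb.php plus a cache folder, one clean theme."""
    root = tempfile.mkdtemp()
    old = os.path.join(root, "wp-content", "themes", "oldtheme")
    new = os.path.join(root, "wp-content", "themes", "newtheme")
    os.makedirs(os.path.join(old, "cache"))
    os.makedirs(new)
    with open(os.path.join(old, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8');\n// TimThumb image resizer (constructed stub)\n")
    with open(os.path.join(old, "cache", "thumb1.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    with open(os.path.join(new, "functions.php"), "w") as fh:
        fh.write("<?php // theme functions only, no image script\n")
    return root


def remove_demo_tree(root):
    """Delete a tree created by make_demo_tree()."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root = make_demo_tree()   # for a real check use the install root, e.g. /var/www/html
    try:
        for path, version, cache in find_timthumb(root):
            print(f"timthumb copy: {path} (version {version})")
            if cache:
                print(f"  cache directory still present: {cache}")
    finally:
        remove_demo_tree(root)
```

Run it against the web root after re-uploading the updated themes: an empty result means no copy of the script survived the theme replacement; any hit is a theme directory that still needs to be deleted and re-downloaded as the email describes.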
- The topic ‘Site hacked using a contributors account’ is closed to new replies.