Paid Advertising
web application security lab

Wordpress Vulns

As I’m getting more and more divergent from the original Wordpress codebase, I am finding more and more things wrong with it. So expect more of these as I dissect the code. Frankly, I’m pretty appalled at how a lot of it is written - you’d think after all these years the shock of how people code would wear off on me, but it never does. Anyway, in the latest round of me cleaning up the code, I found a few more vulnerabilities. I have no idea what versions this affects, so your mileage may vary. Here are the two XSS exploits against logged in administrators (this version of the exploit works only against Firefox, but you could easily modify it for IE too):

If an attacker could get the administrators to click on this link it could allow the attacker to steal cookies, read nonces for writing posts, moderating comments, writing their own PHP files, or worse. This isn’t really news, except that I want to make it clear for those of you who use Wordpress because you seeing me use it that I’m no longer using the same code base, any of the included JS/WYSIWYG stuff or any of the modules. With all the vulnerabilities over the last few months and the constant upgrading, I just don’t trust it as a reliable platform anymore. So welcome to ha.CkersPress. :)

16 Responses to “Wordpress Vulns”

  1. a flying horse Says:

    It’s exactly how I felt when I saw the WP code.

  2. Giorgio Maone Says:

    Please, ha.CkersPress for me too :D
    SVN repository?

  3. Edward Z. Yang Says:

    I’d like to second Maone’s press. I’m sure you have no interest in developing software for a live audience, but a lot of people would be interested in your “Hardened” versions of these applications. WordPress’s source is atrocious: it is this very reason why I decided not to use it for blogging.

  4. nEUrOO Says:

    A hardened version would be a very good step for Wordpress, they really have/had dozens of flaws :/
    I don’t really understand why they do not try better to find bugs and vulnerabilities, they would have more people using their soft!

  5. RSnake Says:

    There are three problems with that idea:

    1) I don’t have an SVN snapshot - I make changes to a live install, make sure it works, and then transport it over to my production install. That’s required because PHP cannot be sandboxed in any reasonable way - you have to run it like it was live to QA it.

    2) My code makes a pretty big assumption about how it’s going to be used. It removes ALL frills. Obviously I am nowhere near done auditing the code, but every time I touch it I end up deleting about half of what I see. Lots of people like WYSIWYG and JavaScript and images, and XHR functions to news on Wordpress. I, on the other hand, hate that stuff, and it gets in my way and in some ways can leak more data than I am comfortable with. Also, because I run a hacking/security website I also make certain assumptions about the people who are going to visit it. I am much more anxious to remove comments/trackbacks than I am to keep them. That might mean lost posts, but frankly, it’s worth it for the ease in administration.

    3) The code base I am working on is designed with a more holistic environment in mind. One easy example is that I don’t allow this code base to write to anything. I do not allow my web-server to upload anything under any condition to any file. That’s a major inconvenience to a lot of people and it’s outside of the basic premise of what the code base looks like and is more about how the server protects itself from Wordpress. Btw, that particular example has saved us from two 0-day attacks.

  6. Matt Says:

    I would be curious how much of your hacking of the core code could actually be done in a plugin. The plugin API allows you to filter and hook into almost any part of WP. Everything you’ve referred to so far could be disabled with a plugin. Finally a “hardened” plugin for WP would allow the changes to more easily go upstream and benefit a much larger community. I’d be happy to chat with your more about this if you’d like to drop me an email.

  7. RSnake Says:

    Nah, I’m done with Wordpress. I’ve thought about it long and hard, and while I believe what you say is true to some extent, it is also not true in other cases. A big chunk of what I hardened is simply removing entire directories. No reason for the code to be there for my needs. You can’t do that in a plugin. While plugins are a great idea, I don’t like making anything writable to a directory on my server from the web user, especially other PHP files.

    No thanks… I think I’ll stick to my own stuff! :) But I encourage other people to try. I like the idea of helping the community, but I am also not interested in wasting time debating why something is good or useful to a larger group of people (since a good chunk of what I’m doing would actually annoy a lot of users). I know why I’m doing what I’m doing and that’s enough for me.

  8. Matt Says:

    Well in the past we’ve supported things like if you delete the WYSIWYG directory WP gracefully detects and handles that. If you ever change your mind let me know, I think a lot of people in the WP community could benefit from your approach to security, even if some of your personal choices may be a little extreme.

  9. RSnake Says:

    Thanks, Matt… What’s your affiliation with WP, exactly? Even if I’m not willing to contribute directly (and btw, I totally suck at PHP) I’ll can continue to post issues as I find them. Like the following:'

  10. Sid Says:

    Rsnake: This is Matt, the Matt, the creator of WordPress. He even has his own page on wikipedia:

  11. RSnake Says:

    Hahaha…. To accurately describe my amusement at my own fauxpax is totally futile. It’s nice to meet you, Matt. I have to ask myself though, “Do I really feel bad about this?” I do and I don’t. I chose WP because I like certain aspects of it (security was actually one of those initial reasons, believe it or not). Though, I knew from day one that I would have to eventually audit it. Now I’m at that point out of frustration from continual security patches that actually break changes that I make to the code. No need to draw that explanation out.

    So, in case anyone is curious, I have gone through probably about 2% of the code base now and made roughly 75-100 changes thus far, not including what I’ve done to the server to protect it from WP. Not that I have a lot of time to spend on it, but when I get a few minutes I’ll pick a file and random and look through it. So I’ve got a while before I’ll be done auditing it to my satisfaction. That’s not normally how I like to deal with production code, but that’s the main reason I went with existing software instead of writing my own - lack of time.

  12. John Says:

    This post somehow screws up the RSS feed. Here is the error message:

    End tag ‘category’ does not match the start tag ‘description’.
    Line: 41 Character: 30

    Anyway, interesting post. :)

  13. Darkdata Says:

    Well, even if your version of wordpress would frustrate people, it still would be nice to have your version of it, for the security minded people. I personalty hate all the javascript and other stuff included with wordpress.

    Your version sounds like a little part of minimalistic blog heaven.

  14. Adam Moro Says:

    I understand that you’re saying a plugin doesn’t make sense but a “hardened” version of ANY kind could end up making you small fortune and be a huge contribution to the community. Not many WP users out there (myself included) have even a fraction of your security knowledge and IMO would be willing to pay for your stamp of approval. Even a plugin that eliminates all the vulnerabilities WP missed is something I’d pay for. Just my thoughts. Great post!

  15. RSnake Says:

    The changes I’ve made thus far are not particularly portable as that was never my intention, but as I go through this, I will start trying to keep that concept in mind. I’m pretty divergent at this point, and will be getting further and further away. One assumption I make is that you have access to the server in question. If that’s not you, this will never work. I would much prefer to turn things on and off at the server level than through an admin console. I know that sounds kludgy but it’s also far more safe. Take, for instance the latest problem I’ve found (haven’t validated it because I’m still going through the code). It appears you can force people through CSRF to upload any content you want through this page (no working exploit yet, but anyone with access to Wordpress can probably figure it out in a few minutes):

    Also, because I have no WYSIWYG, you have to write everything in raw HTML format, which some people would hate. Well, anyway, I’ll think about it. I doubt I’d make money, or charge for something like that anyway, but I’m pretty insanely busy these days, so what time I do have will probably be spent writing about the issues, rather than trying to love and care for an OSS CMS package.

  16. Adam Moro Says:

    Haha, I hear ya. I’ll look forward to reading your suggestions here then. :)