[wp-hackers] WordPress security question

Chip Bennett chip at chipbennett.net
Thu Jun 7 13:37:43 UTC 2012


But that would be a faulty conclusion to draw. Taken in full context, my
previous statement *also* indicates that at one time there were Themes that
use TimThumb in Extend.

The bottom line is that people are responsible for their own server
applications. It is impossible for the WordPress project to manage core,
Themes, and Plugins remotely (not to mention: to attempt to do so would be
anathema to the free software philosophy under which WordPress operates).
The best we can do is to address issues when they are made apparent, and to
communicate. If users do not avail themselves of updates and communication,
what can we do?

There never was such a thing as "WPMU2", nor was/is there such a thing as
"WP3" or "WordPress 3". Major versions of both applications take the form
"X.Y". WordPress 3.0 is neither a more nor less significant version than
WordPress 2.9 or WordPress 3.1.

I bring this up because I often wonder if some people fail to update core
(or Themes/Plugins) because they fail to understand the versioning
nomenclature for WordPress, and thus think that "WordPress 3.0" is a major
release, but that "WordPress 3.1" is not? If so, that is a misunderstanding
that desperately needs to be eradicated from the user community.

Chip

On Thu, Jun 7, 2012 at 8:08 AM, Phillip Lord
<phillip.lord at newcastle.ac.uk> wrote:

>
>
> Yes, this is exactly my point. It's possible to draw the conclusion from
> the statement that "there are no themes in Extend that use timthumb"
> that "as I got my theme from extend, I cannot get hacked through a
> timthumb exploit". The former may be true, the latter is not.
>
> WPMU2 == wordpress multi-user version 2 which has merged with
> WP3 or Wordpress 3.
>
> In the ideal world, updates would just happen. The rest of my OS
> updates, but because I develop against Wordpress, I've not managed to
> achieve this with wordpress itself.
>
> Phil
>
> Chip Bennett <chip at chipbennett.net> writes:
>
> > There are no *active* Themes in Extend that use TimThumb. All that were
> > found were suspended. Since some time ago, Themes using TimThumb have
> > been blocked from even being uploaded to Extend.
> >
> > That said: we have no way of notifying users that they may be using
> > vulnerable code. As much as we would love to provide such notifications
> > to users (be it for TimThumb, or merely for obsolete Themes/code), we
> > have no way to do so. It is a limitation of the update/notification
> > system that is well outside of our scope/control. Either the Theme
> > developer would have to release an update to Extend, or else the user
> > would have to switch Themes on his own.
> >
> > Chip
> >
> > p.s. what are "WPMU2" and "WP3"?
> >
> > On Wed, Jun 6, 2012 at 9:59 AM, Mika A Epstein <ipstenu at ipstenu.org> wrote:
> >
> >> I didn't say it was never allowed :) it was, once, allowed. All themes
> >> have been updated (or removed).
> >>
> >> As Helen rightly pointed out, you do get theme update notifications. You
> >> don't for deleted ones, but I'm assuming (hoping?) the theme review
> >> folks did some sort of update? If not, yes, there are some folks with
> >> no-longer-approved themes out there, but this was pretty well posted and
> >> reported. Due diligence has been done. Can't make people change their
> >> oil, but the car can beep at you a lot :)
> >>
> >>
> >>
> >> On Jun 6, 2012, at 9:08 AM, phillip.lord at newcastle.ac.uk (Phillip Lord)
> >> wrote:
> >>
> >> >
> >> > Unfortunately, this is not quite true. It may be that it is not
> >> > allowed now, but this doesn't mean that it was never allowed.
> >> >
> >> > What I never understood with Wordpress is why plugins have update
> >> > notification, while themes do not. I was one of the many who got
> >> > zero-day exploited through timthumb. The theme in question (suffusion)
> >> > had removed timthumb quite a long time before but, of course, we got
> >> > no update notifications, so we had not updated. More fool me, you might
> >> > say. Well, yes, true. Also more fool many of the other thousands who got
> >> > hacked.
> >> >
> >> > Combined with a largely undocumented schema change between WPMU-2 and
> >> > WP-3 which made the restoration from backup a long, long process. I
> >> > was thinking 2 or 3 hours (including VM set up), but it took 2 or 3 days.
> >> >
> >> > Phil
> >> >
> >> > Mika A Epstein <ipstenu at ipstenu.org> writes:
> >> >
> >> >> TimThumb is not a part of core, nor is it allowed in themes hosted on
> >> >> the WP theme repo (as of the last time I looked).
> >> >>
> >> >>
> >> >>
> >> >> On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com> wrote:
> >> >>
> >> >>> I've seen plenty of hacks based on timthumb vulnerabilities.
> >> >>> However, I don't think wordpress core uses timthumb. (I'm sure the
> >> >>> group will correct me here, which I invite.)
> >> >>>
> >> >>> The user is left to fend on their own when using a free or
> >> >>> commercial theme, to a lesser or greater extent depending on the
> >> >>> theme vendor. Some themes do a great job of providing updates and
> >> >>> alerting the user to theme and framework updates (and thanks to WP3
> >> >>> we can see that in the usual updates area). The problem is that when
> >> >>> you customize a theme, updates become more visible.
> >> >>>
> >> >>> One of the most disturbing bits of advice I heard recently is that
> >> >>> if you use a custom theme, you shouldn't update wordpress. I'm sure
> >> >>> what the speaker meant was to work with your vendor to make sure
> >> >>> that WP and all plugins and themes stay up to date.
> >> >>>
> >> >>> mickey
> >> >>>
> >> >>>
> >> >>>> Message: 1
> >> >>>> Date: Mon, 4 Jun 2012 19:50:39 -0700
> >> >>>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
> >> >>>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
> >> >>>> To: wp-hackers at lists.automattic.com
> >> >>>> Message-ID: <CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com>
> >> >>>> Content-Type: text/plain; charset=ISO-8859-1
> >> >>>> Howdy Dan,
> >> >>>>
> >> >>>> Having cleaned up about a half-dozen sites in the past two months
> >> >>>> or so, I have some suggestions for things to look for in terms of
> >> >>>> backdoors/potential vulnerabilities.
> >> >>>>
> >> >>>> Most hacks I've seen come from a vulnerable Timthumb hack, an old
> >> >>>> image thumbnail script which allowed an attacker to upload malicious
> >> >>>> code to the server, giving them full shell access (or at least as
> >> >>>> much as Apache/PHP/WP has). You can read technical details about it
> >> >>>> here:
> >> >>>> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
> >> >>>>
> >> >>>> You can use the Timthumb Vulnerability Scanner to quickly see if
> >> >>>> you have any outdated versions of the script lying around:
> >> >>>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/.
> >> >>>> Even an unused theme with the old version of the script is
> >> >>>> vulnerable.
> >> >>>>
> >> >>>> Most hacks definitely add crazy base64_decode script to the header
> >> >>>> of important files - often index.php of site root or theme root.
> >> >>>> This one looks like it gets around base64_decode which makes it
> >> >>>> harder to detect. If you can, ssh into the server and grep for
> >> >>>> 'lqxizr' to find if it's been injected into any other files. Also,
> >> >>>> checking wp-config.php is a good idea, because I've seen old
> >> >>>> backdoors left inside the file (usually separated above and below
> >> >>>> the malicious script by several thousand blank lines).
> >> >>>>
> >> >>>> Other hacks I've seen append every front-facing JavaScript with
> >> >>>> malicious code right instead of going the PHP route. I'd recommend
> >> >>>> checking your frontend scripts for anything strange, the time last
> >> >>>> updated in FTP may be of some help.
> >> >>>>
> >> >>>> Also, if you can, check the raw access logs for anything
> >> >>>> suspicious. One time I thought my server was clear of shell-like
> >> >>>> scripts, but after another hack that day the raw access logs showed
> >> >>>> that one actually just signed in and used the WordPress editor to
> >> >>>> make the changes.
> >> >>>>
> >> >>>> I hope this can be of assistance and best of luck,
> >> >>>> Andrew Freeman
> >> >>>>
> >> >>>
> >> >>> --
> >> >>>
> >> >>> Mickey Panayiotakis
> >> >>> Managing Partner
> >> >>> 800.270.5170 x512
> >> >>> <http://www.infamia.com>
> >> >>> _______________________________________________
> >> >>> wp-hackers mailing list
> >> >>> wp-hackers at lists.automattic.com
> >> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >> >
> >> > --
> >> > Phillip Lord,                           Phone: +44 (0) 191 222 7827
> >> > Lecturer in Bioinformatics,             Email: phillip.lord at newcastle.ac.uk
> >> > School of Computing Science,            http://homepages.cs.ncl.ac.uk/phillip.lord
> >> > Room 914 Claremont Tower,               skype: russet_apples
> >> > Newcastle University,                   msn: msn at russet.org.uk
> >> > NE1 7RU                                 twitter: phillord
>

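A defender-side scanner for the checks Andrew Freeman lists in the quoted message above: outdated timthumb.php copies (unused themes included), the 'lqxizr' marker, base64_decode-style calls injected into file headers, and wp-config.php backdoors padded with blank lines. This is an added example, not code from the thread or from the Timthumb Vulnerability Scanner plugin; the version cutoff and the 500-blank-line threshold are assumptions.

```python
import os
import re

# Indicators from Andrew's message above: the string he grepped for, the
# base64_decode-style calls injected into file headers, and wp-config.php
# backdoors padded with thousands of blank lines.
MARKER = "lqxizr"
OBFUSCATED_CALL = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13|unescape)\s*\(", re.I)
# timthumb.php declares its release as define('VERSION', 'x.y.z'); the cutoff
# here is an assumption for this example, not a statement from the thread.
TIMTHUMB_VERSION = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)['\"]")
MIN_SAFE_TIMTHUMB = (2, 0)

def longest_blank_run(text):
    """Longest run of consecutive blank lines in a file's contents."""
    longest = run = 0
    for line in text.splitlines():
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest

def scan_text(path, text):
    """Return (finding, detail) tuples for one file; an empty list means clean."""
    findings = []
    if os.path.basename(path).lower() == "timthumb.php":
        match = TIMTHUMB_VERSION.search(text)
        version = match.group(1) if match else "unknown"
        if not match or tuple(int(p) for p in version.split(".")) < MIN_SAFE_TIMTHUMB:
            findings.append(("outdated-timthumb", version))
    if MARKER in text:
        findings.append(("known-marker", MARKER))
    match = OBFUSCATED_CALL.search(text)
    if match:
        findings.append(("obfuscated-eval", match.group(0)))
    run = longest_blank_run(text)
    if run >= 500:  # the thread says "several thousand"; 500 is an assumed floor
        findings.append(("blank-padding", str(run)))
    return findings

def scan_tree(root, exts=(".php", ".js")):
    """Walk a WordPress install, unused themes included; map path -> findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(path, fh.read())
            if hits:
                report[path] = hits
    return report
```

Run `scan_tree("/path/to/wordpress")` from the web root; a hit on a file also calls for the raw access log check Andrew describes, since a compromised admin account leaves no injected code at all.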
