[wp-hackers] WordPress security question
Mika A Epstein
ipstenu at ipstenu.org
Thu Jun 7 13:19:42 UTC 2012
Semantics. There are no themes in Extend that use timthumb as of whenever that happened. If you use a theme that is currently supported in extend, and you updated, you're safe.
Maybe themes should talk to Nacin about how he wrangled plugins to provide a fake update "Hi! This is malware! Don't use it." But that borders on some shenanigans. Theme repo blog could list all the themes that were removed for exploits? Hard to manage.
On Jun 7, 2012, at 8:08 AM, phillip.lord at newcastle.ac.uk (Phillip Lord) wrote:
>
>
> Yes, this is exactly my point. It's possible to draw the conclusion from
> the statement that "there are no themes in Extend that use timthumb"
> that "as I got my theme from extend, I cannot get hacked through a
> timthumb exploit". The former may be true, the latter is not.
>
> WPMU2 == wordpress multi-user version 2 which has merged with
> WP3 or Wordpress 3.
>
> In the ideal world, updates would just happen. The rest of my OS
> updates, but because I develop against Wordpress, I've not managed to
> achieve this with wordpress itself.
>
> Phil
>
> Chip Bennett <chip at chipbennett.net> writes:
>
>> There are no *active* Themes in Extend that use TimThumb. All that were
>> found were suspended. Since some time ago, Themes using TimThumb have been
>> blocked from even being uploaded to Extend.
>>
>> That said: we have no way of notifying users that they may be using
>> vulnerable code. As much as we would love to provide such notifications to
>> users (be it for TimThumb, or merely for obsolete Themes/code), we have no
>> way to do so. It is a limitation of the update/notification system that is
>> well outside of our scope/control. Either the Theme developer would have to
>> release an update to Extend, or else the user would have to switch Themes
>> on his own.
>>
>> Chip
>>
>> p.s. what are "WPMU2" and "WP3"?
>>
>> On Wed, Jun 6, 2012 at 9:59 AM, Mika A Epstein <ipstenu at ipstenu.org> wrote:
>>
>>> I didn't say it was never allowed :) it was, once, allowed. All themes
>>> have been updated (or removed).
>>>
>>> As Helen rightly pointed out, you do get theme update notifications. You
>>> don't for deleted ones, but I'm assuming (hoping?) the theme review folks
>>> did some sort of update? If not, yes, there are some folks with
>>> no-longer-approved themes out there, but this was pretty well posted and
>>> reported. Due dilligenece has been done. Can't make people change their
>>> oil, but the car can beep at you a lot :)
>>>
>>>
>>>
>>> On Jun 6, 2012, at 9:08 AM, phillip.lord at newcastle.ac.uk (Phillip Lord)
>>> wrote:
>>>
>>>>
>>>> Unfortunately, this this is not quite true. It may be that it is not
>>>> allowed now, but this doesn't mean that it was never allowed.
>>>>
>>>> What I never understood with Wordpress is why plugins have update
>>>> notification, while themes do not. I was one of the many who get
>>>> zero-day exploited through timthumb. The theme in question (suffusion)
>>>> had removed timthumb quite a long time before but, of course, we got no
>>>> update notifications, so we had not updated. More fool me, you might say.
>>>> Well, yes, true. Also more fool many of the other thousands who got
>>>> hacked.
>>>>
>>>> Combined with an largely undocumented schema change between WPMU-2 and
>>>> WP-3 which made the restoration from backup a long, long process. I was
>>>> thinking 2 or 3 hours (including VM set up), but it took 2 or 3 days.
>>>>
>>>> Phil
>>>>
>>>> Mika A Epstein <ipstenu at ipstenu.org> writes:
>>>>
>>>>> TimThumb is not a part of core, nor is it allowed in themes hosted on
>>>>> the WP theme repo (as of the last time I looked).
>>>>>
>>>>>
>>>>>
>>>>> On Jun 5, 2012, at 7:50 AM, Mickey Panayiotakis <mickey at infamia.com>
>>> wrote:
>>>>>
>>>>>> I've seen plenty of hacks based on timthumb vulnerabilities.
>>>>>> However, I don't think wordpress core uses timthumb. (I'm sure the
>>> group
>>>>>> will correct me here, which I invite.)
>>>>>>
>>>>>> The user is left to fend on their own when using a free or commercial
>>>>>> theme, to a lesser or greater extent depending on the theme vendor.
>>> Some
>>>>>> themes do a great job of providing updates and alerting the user to
>>> theme
>>>>>> and framework udpates (and thanks to WP3 we can see that in the usual
>>>>>> updates area). The problem is that when you customize a theme, updates
>>>>>> become more visible.
>>>>>>
>>>>>> One of the most disturbing bits of advice I heard recently is that if
>>> you
>>>>>> use a custom theme, you shouldn't update wordpress. I'm sure what the
>>>>>> speaker meant was to work with your vendor to make sure that WP and all
>>>>>> plugins and themes stay up to date.
>>>>>>
>>>>>> mickey
>>>>>>
>>>>>>
>>>>>>> Message: 1
>>>>>>> Date: Mon, 4 Jun 2012 19:50:39 -0700
>>>>>>> From: Andrew Freeman <andrew.s.freeman at gmail.com>
>>>>>>> Subject: Re: [wp-hackers] WordPress security question (Dan Phiffer)
>>>>>>> To: wp-hackers at lists.automattic.com
>>>>>>> Message-ID:
>>>>>>> <
>>> CALT+zmKFuBXUXjH2F8NYaYp0FHHdvdkvQe9xyvkec6dN5S7D1g at mail.gmail.com
>>>>>>>>
>>>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>>> Howdy Dan,
>>>>>>> Having cleaned up about a half-dozen sites in the past two months or
>>> so, I
>>>>>>> have some suggestions for things to look for in terms of
>>>>>>> backdoors/potential vulnerabilities.
>>>>>>> Most hacks I've seen come from a vulnerable Timthumb hack, an old
>>> image
>>>>>>> thumbnail script which allowed an attacker to upload malicious code
>>> to the
>>>>>>> server, giving them full shell access (or at least as much as
>>> Apache/PHP/WP
>>>>>>> has). You can read technical details about it here:
>>>>>>>
>>>>>>>
>>> http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
>>>>>>> You can use the Timthumb Vulnerability Scanner to quickly see if you
>>> have
>>>>>>> any outdated versions of the script lying around:
>>>>>>> http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/. Even
>>>>>>> an unused theme with the old version of the script is vulnerable.
>>>>>>> Most hacks definitely add crazy base64_decode script to the header of
>>>>>>> important files - often index.php of site root or theme root. This one
>>>>>>> looks like it gets around base64_decode which makes it harder to
>>> detect. If
>>>>>>> you can, ssh into the server and grep for 'lqxizr' to find if it's
>>> been
>>>>>>> injected into any other files. Also, checking wp-config.php is a good
>>> idea,
>>>>>>> because I've seen old backdoors left inside the file (usually
>>> separated
>>>>>>> above and below the malicious script by several thousand blank lines).
>>>>>>> Other hacks I've seen append every front-facing JavaScript with
>>> malicious
>>>>>>> code right instead of going the PHP route. I'd recommend checking your
>>>>>>> frontend scripts for anything strange, the time last updated in FTP
>>> may be
>>>>>>> of some help.
>>>>>>> Also, if you can, check the raw access logs for anything suspicious.
>>> One
>>>>>>> time I thought my server was clear of shell-like scripts, but after
>>> another
>>>>>>> hack that day the raw access logs showed that one actually just
>>> signed in
>>>>>>> and used the WordPress editor to make the changes.
>>>>>>> I hope this can be of assistance and best of luck,
>>>>>>> Andrew Freeman
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Mickey Panayiotakis
>>>>>> Managing Partner
>>>>>> 800.270.5170 x512
>>>>>> <http://www.infamia.com>
>>>>>> _______________________________________________
>>>>>> wp-hackers mailing list
>>>>>> wp-hackers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
>>>>>
>>>>
>>>> --
>>>> Phillip Lord, Phone: +44 (0) 191 222 7827
>>>> Lecturer in Bioinformatics, Email:
>>> phillip.lord at newcastle.ac.uk
>>>> School of Computing Science,
>>> http://homepages.cs.ncl.ac.uk/phillip.lord
>>>> Room 914 Claremont Tower, skype: russet_apples
>>>> Newcastle University, msn: msn at russet.org.uk
>>>> NE1 7RU twitter: phillord
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>>
>
> --
> Phillip Lord, Phone: +44 (0) 191 222 7827
> Lecturer in Bioinformatics, Email: phillip.lord at newcastle.ac.uk
> School of Computing Science, http://homepages.cs.ncl.ac.uk/phillip.lord
> Room 914 Claremont Tower, skype: russet_apples
> Newcastle University, msn: msn at russet.org.uk
> NE1 7RU twitter: phillord
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list