Subscribe to Comments 2.0.4
I just released Subscribe to Comments 2.0.4 to fix a potential security issue. Thanks to Steven J. Murdoch for bringing this to my attention.
The bug itself is in WordPress 2.0.x (a WordPress update is coming soon), but the way Subscribe to Comments calculated its security hashes (the ones that stop other people from unsubscribing you) meant those hashes could be manipulated to make the WordPress bug easier to exploit.
In order to be vulnerable, all of the following need to be true:
- WordPress 2.0, 2.0.1, or 2.0.2
- User registration on (it is off by default)
- WP's default object cache on (it is off by default in WP 2.0.2)
- One of either:
  - Weak MySQL password (i.e. "guessable" by dictionary attack, or blank)
  - Subscribe to Comments 2.0.0-2.0.2
Thankfully, very few WordPress installs will meet these criteria, especially since the WP object cache can only be turned on by editing wp-config.php.
Other changes in Subscribe to Comments 2.0.4 include a switch from user levels to capabilities (you need manage_options to have full control of Subscribe to Comments), and several small behind-the-scenes improvements. Hopefully, you won't notice that anything has changed!
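As an added illustration (not code from the plugin or from WordPress), here is the difference between an unsubscribe token that anyone can recompute from public inputs and one built from a separately generated random secret, which is the direction the fix moves in. The weak md5-of-email-and-post scheme, the class names and the sample subscriber are assumptions made for this example; the plugin's actual pre-2.0.4 hash formula is not reproduced here. It is written in Python rather than PHP so it runs stand-alone.

```python
"""Unsubscribe-link tokens: a recomputable hash versus a stored random secret.

Added illustration, not code from Subscribe to Comments. The "weak" scheme is a
hypothetical stand-in for any token derived only from values the attacker
already knows; it is not the plugin's real formula.
"""
import hashlib
import hmac
import secrets

# Constructed sample input (not taken from the page).
SAMPLE_EMAIL = "reader@example.com"
SAMPLE_POST_ID = 788


def weak_token(email: str, post_id: int) -> str:
    """Hypothetical weak scheme: a hash of values an attacker already knows.
    Whoever knows the e-mail address and post ID can recompute the token."""
    return hashlib.md5(f"{email}|{post_id}".encode()).hexdigest()


class WeakSubscriptions:
    """Subscription list whose unsubscribe check is the recomputable hash."""

    def __init__(self) -> None:
        self.active = set()  # {(email, post_id)}

    def subscribe(self, email: str, post_id: int) -> str:
        self.active.add((email, post_id))
        return weak_token(email, post_id)  # this goes into the e-mail link

    def unsubscribe(self, email: str, post_id: int, token: str) -> bool:
        if (email, post_id) not in self.active:
            return False
        if not hmac.compare_digest(weak_token(email, post_id), token):
            return False
        self.active.discard((email, post_id))
        return True


class RandomTokenSubscriptions:
    """Hardened scheme: each subscription gets its own CSPRNG-generated token.

    Only a one-way hash of the token is stored, so reading the table does not
    hand out working unsubscribe links; the raw token travels in the link only.
    """

    def __init__(self) -> None:
        self.token_hashes = {}  # {(email, post_id): sha256(token)}

    def subscribe(self, email: str, post_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.token_hashes[(email, post_id)] = hashlib.sha256(token.encode()).digest()
        return token  # this goes into the e-mail link

    def unsubscribe(self, email: str, post_id: int, token: str) -> bool:
        stored = self.token_hashes.get((email, post_id))
        if stored is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        # compare_digest keeps the comparison constant-time so the check does
        # not leak how many leading bytes of a guess were right.
        if not hmac.compare_digest(stored, presented):
            return False
        del self.token_hashes[(email, post_id)]  # token is single-use
        return True


def attacker_can_unsubscribe(store, email: str, post_id: int) -> bool:
    """An attacker who knows only the e-mail and post ID tries the recomputed hash."""
    return store.unsubscribe(email, post_id, weak_token(email, post_id))


def demo() -> dict:
    """Run both schemes against the same forged request and a legitimate one."""
    weak, strong = WeakSubscriptions(), RandomTokenSubscriptions()
    weak.subscribe(SAMPLE_EMAIL, SAMPLE_POST_ID)
    real_token = strong.subscribe(SAMPLE_EMAIL, SAMPLE_POST_ID)
    return {
        "weak_forged": attacker_can_unsubscribe(weak, SAMPLE_EMAIL, SAMPLE_POST_ID),
        "strong_forged": attacker_can_unsubscribe(strong, SAMPLE_EMAIL, SAMPLE_POST_ID),
        "strong_legit": strong.unsubscribe(SAMPLE_EMAIL, SAMPLE_POST_ID, real_token),
        "strong_replayed": strong.unsubscribe(SAMPLE_EMAIL, SAMPLE_POST_ID, real_token),
    }


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the weak scheme and fails against the random-token scheme; the legitimate link works once and is then rejected. In a real plugin the token hash would live in the database next to the subscription row, and the random source matters: the value must come from the operating system's CSPRNG, not from a seeded pseudorandom generator or from a hash of timestamps and request data.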


Thanks! But it’s still showing as 2.0.2 in the source / plugin manager. I’m not sure if that means I’ve downloaded the older file again or if you forgot to update the meta data for the plugin…
Stuart Robertson
May 30, 2006 at 9:24 am
Thanks Stuart…
That means you got the older version. I made a mistake in the SVN repository. It’s fixed now, and you can download version 2.0.4 here
Mark Jaquith
May 30, 2006 at 10:38 am
[...] I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by WordPress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading WordPress is still recommended. [...]
Light Blue Touchpaper » XSS vulnerabilities fixed in Wordpress 2.0.3
June 2, 2006 at 4:56 am
Thanks for the great plugin, was fooled by the 2.0.2 for a sec.
mo
June 4, 2006 at 7:25 am
[...] Using separately generated cryptographically secure random numbers for cache filename and challenge generation would have resisted both the original and oracle attacks, and is the approach aimed for by both WordPress 2.0.3 and Subscribe to Comments 2.0.4, although PHP does not make it easy to get unpredictable pseudorandom numbers. WordPress also fixed the bug allowing attackers to break out of the PHP comment, but defense in depth is a sensible choice in complex systems. As mentioned last week, upgrading WordPress is strongly recommended. [...]
Light Blue Touchpaper » Oracle attack on Wordpress
June 22, 2006 at 8:11 am
Thanks for the work on this plug in!
However I have a problem:
As soon as I activate version 2.0.4 of this plug in, it generates the following error messages (which appear in the admin/control panel area, and also when you return to the blog and attempt to leave a comment):
WordPress database error: [Access denied for user 'yscr_bbXXMG'@'localhost' to database 'blog']
ALTER TABLE wp_comments ADD COLUMN comment_subscribe enum('Y','N') NOT NULL default 'N'
WordPress database error: [Unknown column 'comment_subscribe' in 'where clause']
The check box and text for subscribing showed up where you’d expect, and the admin/control panel features of the plugin work fine.
I am using WP v.2.3 and I’m using the Blix theme.
I’ve tried logging in as registered users with different roles, same situation.
Any ideas how to fix this? Thanks!
Kyle Kosup
September 26, 2006 at 2:35 pm
Kyle,
Your MySQL user must lack ALTER privileges. You’re going to need these for WordPress 2.1 anyway, so you should get that fixed.
Mark Jaquith
October 2, 2006 at 5:23 am
I just found this in my log files:
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT ID, post_title, post_date, COUNT(wp_comments.comment_post_ID) AS 'comment_count' FROM wp_posts, wp_comments WHERE comment_approved = '1' AND wp_posts.ID=wp_comments.comment_post_ID AND post_status = 'publish' GROUP BY wp_comments.comment_post_ID ORDER BY comment_count DESC LIMIT 5 made by wp_get_most_commented_posts
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT * FROM wp_comments WHERE comment_post_ID = 788 AND comment_approved = '1' ORDER BY comment_date made by comments_template
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query DESC wp_comments made by db_upgrade_check
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query ALTER TABLE wp_comments ADD COLUMN comment_subscribe enum('Y','N') NOT NULL default 'N' made by db_upgrade_check
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_type = 'post' AND (wp_posts.post_status = 'publish') ORDER BY wp_posts.post_date DESC LIMIT 0, 8 made by get_posts
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT FOUND_ROWS() made by get_posts
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT t.*, tt.* FROM wp_terms AS t INNER JOIN wp_term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy IN ('category') AND tt.count > 0 ORDER BY t.name ASC made by get_terms
[Sun Dec 07 12:25:28 2008] [error] [client 84.62.142.158] WordPress database error MySQL server has gone away for query SELECT comment_author, comment_author_url, comment_ID, comment_post_ID FROM wp_comments WHERE comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 5 made by wp_widget_recent_comments
Any idea what this is about?
Matthias
December 7, 2008 at 6:40 am