Mark on WordPress

Subscribe to Comments 2.0.4

Posted in wordpress by Mark Jaquith on May 28th, 2006

I just released Subscribe to Comments 2.0.4 to fix a potential security issue. Thanks to Steven J. Murdoch for bringing this to my attention.

The bug itself is in WordPress 2.0.x (a WordPress update is coming soon), but the way Subscribe to Comments calculated its security hashes (the ones that stop other people from unsubscribing you) allowed those hashes to be manipulated, which made the WordPress bug easier to exploit.

In order to be vulnerable, the following needs to be true:

  1. WordPress 2.0, 2.0.1, or 2.0.2
  2. User registration enabled (it is off by default)
  3. WP’s default object cache enabled (it is off by default in WP 2.0.2)
  4. One of either:
    • Weak MySQL password (i.e. “guessable” by dictionary attack, or blank)
    • Subscribe to Comments 2.0.0-2.0.2

Thankfully, very few WordPress installs will meet all of these criteria, especially since the WP object cache can only be turned on by editing wp-config.php.
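As an added illustration (not the plugin's own code), this is the kind of scheme the fix points toward: the unsubscribe key is an HMAC under a per-site secret drawn from the OS CSPRNG, not a hash of guessable data such as the database password, so knowing a subscriber's email and post id does not let anyone forge or manipulate a key for them. The secret, the record layout and the key format are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a per-site secret: generated ONCE from the OS CSPRNG
# and stored in configuration. It must never be derived from predictable data
# (database password, email address, timestamp), because the unsubscribe key
# is only as unpredictable as the secret behind it.
SITE_SECRET = secrets.token_bytes(32)


def unsubscribe_key(email: str, post_id: int, secret: bytes = SITE_SECRET) -> str:
    """Return the hex key that authorises unsubscribing `email` from `post_id`.

    HMAC-SHA256 over the (post_id, normalised email) pair. Without `secret`
    an attacker cannot compute a valid key, and changing the email or post
    id in a link changes the expected key rather than "shifting" it to
    another subscriber's key.
    """
    msg = f"{post_id}:{email.strip().lower()}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_unsubscribe(email: str, post_id: int, presented_key: str,
                       secret: bytes = SITE_SECRET) -> bool:
    """Check a key taken from an unsubscribe link in constant time.

    compare_digest avoids leaking how many leading characters matched,
    which a plain == comparison would do via timing.
    """
    expected = unsubscribe_key(email, post_id, secret)
    return hmac.compare_digest(expected, presented_key)


if __name__ == "__main__":
    # Constructed sample subscription (not real data).
    key = unsubscribe_key("reader@example.com", 42)
    print("valid link:", verify_unsubscribe("reader@example.com", 42, key))
    print("link with another reader's email:",
          verify_unsubscribe("other@example.com", 42, key))
```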

Other changes in Subscribe to Comments 2.0.4 include a switch from user levels to capabilities (you need manage_options to have full control of Subscribe to Comments), and several small behind-the-scenes improvements. Hopefully, you won’t notice that anything has changed!

8 Responses to 'Subscribe to Comments 2.0.4'


  1. Stuart Robertson said, on May 30th, 2006 at 9:24 am

    Thanks! But it’s still showing as 2.0.2 in the source / plugin manager. I’m not sure if that means I’ve downloaded the older file again or if you forgot to update the metadata for the plugin…

  2. Mark Jaquith said, on May 30th, 2006 at 10:38 am

    Thanks Stuart…

    That means you got the older version. I made a mistake in the SVN repository. It’s fixed now, and you can download version 2.0.4 here

  3. [...] I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by WordPress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading WordPress is still recommended. [...]

  4. mo said, on June 4th, 2006 at 7:25 am

    Thanks for the great plugin, was fooled by the 2.0.2 for a sec..

  5. [...] Using separately generated cryptographically secure random numbers for cache filename and challenge generation would have resisted both the original and oracle attacks, and is the approach aimed for by both WordPress 2.0.3 and Subscribe to Comments 2.0.4, although PHP does not make it easy to get unpredictable pseudorandom numbers. WordPress also fixed the bug allowing attackers to break out of the PHP comment, but defense in depth is a sensible choice in complex systems. As mentioned last week, upgrading WordPress is strongly recommended. [...]

  6. Kyle Kosup said, on September 26th, 2006 at 2:35 pm

    Thanks for the work on this plug-in!
    However I have a problem:
    As soon as I activate version 2.04 of this plug-in, it generates the following error messages (which appear in the admin/control panel area, and also when you return to the blog and attempt to leave a comment):
    WordPress database error: [Access denied for user 'yscr_bbXXMG'@'localhost' to database 'blog']
    ALTER TABLE wp_comments ADD COLUMN comment_subscribe enum('Y','N') NOT NULL default 'N'
    WordPress database error: [Unknown column 'comment_subscribe' in 'where clause']

    The check box and text for subscribing showed up where you’d expect, and the admin/control panel features of the plugin work fine.
    I am using WP v.2.3 and I’m using the Blix theme.
    I’ve tried logging in as registered users with different roles, same situation.
    Any ideas how to fix this? Thanks!
    Kyle Kosup

  7. Mark Jaquith said, on October 2nd, 2006 at 5:23 am

    Kyle,

    Your MySQL user must lack ALTER privileges. You’re going to need these for WordPress 2.1 anyway, so you should get that fixed.
