WordPress Worm?

I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick FAQ.

Are those vulnerabilities valid?

Partially. Of the seven issues raised, one of them could be used to compromise your WordPress 2.2.1 blog under the right circumstances. One of them is already fixed in 2.2.1. The other five issues aren’t vulnerabilities in themselves, as they depend on there being an earlier breach. Even the most severe of the issues isn’t catastrophic, as is requires your unwitting cooperation in order to execute.

Have the vulnerabilities been fixed?

The major vulnerability and the five minor vulnerabilities have been patched in WordPress SVN. The remaining vulnerability is an old vulnerability that doesn’t apply to version 2.2.1.

When will updated versions be released?

Soon. Within the next few days.

What’s this about a “worm”?

Benjamin Flesch created a tool that will use the major vulnerability to take control of your blog and attempt to patch the security vulnerabilities.

Should I run the “worm”?

I wouldn’t. His patches are different from our patches and may have unintended side effects.

25 thoughts on “WordPress Worm?

  1. Hui. I knew the “Team” would respond like that, but now 2 days are gone and that is a lot of time in the Internet. Nazgul put the Patches into the bugtrack 1 hour after I opened the tickets, so why isnt there a Security patch now?

    And in my Eyes, Persistant XSS and SQLInjection *is* critical, even if it needs XSS flaws in order to get them running. XSS is everywhere

    Cheers, Benjamin

  2. The major hole was patched within 24 hours, and all the minor ones within 48, so people who are patch/svn savvy are already protected. The official upgrade will be released very soon.

    Of course if these vulnerabilities had been first privately disclosed, the script kiddies wouldn’t have had a head start at all.

    Regarding the severity of the five other issues: security issues are relative. Relative to a straight-up SQL injection hole or a priviledge escalation hole, XSS is less serious. XSS and SQL injection that require a previous breach are less serious still. The way you worded your post:

    Yesterday, I discovered five seven new WordPress vulnerabilities which may lead to a successful blog compromise under appropriate circumstances

    … it sounded like you were suggesting that all seven bugs could lead to a successful blog compromise, when in fact one of the bugs was already fixed and of the remaining six only one of them could be used to compromise the blog by itself. I’m not saying they’re unimportant… just that they’re useless without a previous breach, and thus aren’t as critical as the initial XSS breach.

    I’m not trying to pick a fight, just put things in perspective for WordPress users and let them know we have fixed the issues in SVN and will be releasing a fix soon. I do appreciate you finding these bugs and letting us know. I just hope that next time you’ll disclose them to us privately, first. Public disclosure of bugs after they are fixed may not generate as much publicity as zero-day exploits, but it is more responsible and courtious to users and developers of the application. security -at- wordpress -dot- org is where you can send security notices.

  3. Mark, The biggest problem with these updates and security issues is perception vs reality. Yes you know that the security flaws are being fixed and hard to crack. But for anyone in a corporate environment they would be very hesitate to adding wordpress because of the security issues (IT folks covering their butts). Maybe some more testing before any new releases. The version currently available works so no great rush for the next version.

  4. This year my wife decided to have a dry run thanksgiving day to test out her recipes. We soaked the bird in a brine solution she got at William Sonoma it really kept it moist. OMG, the turkey was so good and I get to do it again in a few days!

  5. Pingback: archGFX Habari
  6. asfsdfs says:

    lsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfdasdfsadfdsfdsfdsfdsfafsdf
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjf

Comments are closed.