WordPress Worm?
I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick FAQ.
Are those vulnerabilities valid?
Partially. Of the seven issues raised, one of them could be used to compromise your WordPress 2.2.1 blog under the right circumstances. One of them is already fixed in 2.2.1. The other five issues aren’t vulnerabilities in themselves, as they depend on there being an earlier breach. Even the most severe of the issues isn’t catastrophic, as it requires your unwitting cooperation in order to execute.
Have the vulnerabilities been fixed?
The major vulnerability and the five minor vulnerabilities have been patched in WordPress SVN. The remaining vulnerability is an old vulnerability that doesn’t apply to version 2.2.1.
When will updated versions be released?
Soon. Within the next few days.
What’s this about a “worm”?
Benjamin Flesch created a tool that will use the major vulnerability to take control of your blog and attempt to patch the security vulnerabilities.
Should I run the “worm”?
I wouldn’t. His patches are different from our patches and may have unintended side effects.


Hui. I knew the “Team” would respond like that, but now 2 days are gone and that is a lot of time in the Internet. Nazgul put the patches into the bugtrack 1 hour after I opened the tickets, so why isn’t there a security patch now?
And in my eyes, persistent XSS and SQL injection *is* critical, even if it needs XSS flaws in order to get them running. XSS is everywhere
Cheers, Benjamin
mybeNi websecurity
August 3, 2007 at 1:31 pm
The major hole was patched within 24 hours, and all the minor ones within 48, so people who are patch/svn savvy are already protected. The official upgrade will be released very soon.
Of course if these vulnerabilities had been first privately disclosed, the script kiddies wouldn’t have had a head start at all.
Regarding the severity of the five other issues: security issues are relative. Relative to a straight-up SQL injection hole or a privilege escalation hole, XSS is less serious. XSS and SQL injection that require a previous breach are less serious still. The way you worded your post:
… it sounded like you were suggesting that all seven bugs could lead to a successful blog compromise, when in fact one of the bugs was already fixed and of the remaining six only one of them could be used to compromise the blog by itself. I’m not saying they’re unimportant… just that they’re useless without a previous breach, and thus aren’t as critical as the initial XSS breach.
I’m not trying to pick a fight, just put things in perspective for WordPress users and let them know we have fixed the issues in SVN and will be releasing a fix soon. I do appreciate you finding these bugs and letting us know. I just hope that next time you’ll disclose them to us privately, first. Public disclosure of bugs after they are fixed may not generate as much publicity as zero-day exploits, but it is more responsible and courteous to users and developers of the application. security -at- wordpress -dot- org is where you can send security notices.
Mark Jaquith
August 3, 2007 at 10:39 pm
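The two comments above disagree about how serious a persistent (stored) XSS bug is when it needs an earlier foothold. What makes it persistent is that the payload sits in the database and is served to every later visitor, so the standard mitigation is to escape stored content at render time rather than trust it. The following is an added example to illustrate that point; it is not WordPress code and does not reproduce any of the seven reported bugs. The sample comments, the `render_comment` function and the `find_suspect_comments` audit helper are all constructed for this illustration.

```python
import html
import re

# Constructed sample comments, shaped like rows a blog might keep in its
# comment table. Entries 2 and 3 carry the kind of markup a persistent XSS
# bug would let an attacker store; they are test data, not real payloads
# from the page.
SAMPLE_COMMENTS = [
    {"id": 1, "author": "reader", "body": "Nice write-up, thanks."},
    {"id": 2, "author": "attacker",
     "body": "Great post <script>alert(document.cookie)</script>"},
    {"id": 3, "author": "attacker", "body": '<img src=x onerror="alert(1)">'},
]


def render_comment(body: str) -> str:
    """Escape a stored comment body before inserting it into HTML text.

    This is the standard persistent-XSS mitigation: the raw string stays in
    the database, but the browser receives entity-encoded markup and shows it
    as text instead of executing it. quote=True also encodes quotes so the
    result is safe inside attribute values.
    """
    return html.escape(body, quote=True)


# Heuristic for a post-incident audit: an HTML tag opener or an inline
# event-handler attribute inside stored comment text.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on[a-z]+\s*=", re.IGNORECASE)


def find_suspect_comments(comments):
    """Return the ids of stored comments whose body contains HTML tags or
    event-handler attributes. Intended for checking what an earlier breach
    may have left behind, not as a substitute for output escaping."""
    return [c["id"] for c in comments if MARKUP_RE.search(c["body"])]


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(c["id"], render_comment(c["body"]))
    print("suspect comment ids:", find_suspect_comments(SAMPLE_COMMENTS))
```

The audit helper is deliberately a separate concern from rendering: escaping on output is what actually prevents execution, while the regex only helps a site owner find entries worth reviewing after an upgrade.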
An Appropriate Response
Back in July when I last wrote here, Matt asked:
What exactly do you want us to say?
If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it…
Geof's Relentless Kvetching About WordPress
August 4, 2007 at 9:37 pm
[...] this week gHacks announced a “benevolent” WP fixing worm which Mark Jaquith responded to and let us know that an update to fix the problems was coming. This morning I found out [...]
Security Upgrade to WordPress Released–and easy must upgrade | A View from the Isle
August 5, 2007 at 1:52 pm
[...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]
archGFX | Two Two Two
August 6, 2007 at 9:18 pm
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]
WordPress Wednesday News: WordPress 2.2.2, Competitions End, WordPress Theme Vulnerabilities, and More WordPress News : The Blog Herald
August 8, 2007 at 12:26 am
Mark, the biggest problem with these updates and security issues is perception vs reality. Yes, you know that the security flaws are being fixed and hard to crack. But anyone in a corporate environment would be very hesitant to add WordPress because of the security issues (IT folks covering their butts). Maybe some more testing before any new releases. The version currently available works, so no great rush for the next version.
Dave
August 8, 2007 at 10:17 am
Will we be seeing a 2.2.2 diff file?
Novac
August 8, 2007 at 3:24 pm
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]
WordPress Wednesday News: Awesome WordPress Plugins in the Weblog Tools Collection Competition, WordPressMU Updated, Theme Security Issues, and More WordPress News : The Blog Herald
August 15, 2007 at 2:50 pm
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this update. ALERT: Blog Security reports a security flaw has been uncovered and [...]
WordPress Wednesday News: Happy Birthday WordPress.com, WordCamps in Beijing and Israel, Censorship in Turkey, and More WordPress News : The Blog Herald
August 22, 2007 at 5:38 pm
[...] I’m weird and like to know about these things, maybe I should just ask Mark Jaquith about it, considering that he was great in discussing the WordPress “worm”. Matt’s probably still busy defending himself against straw men, [...]
An Agreeable Openness « Geof’s Relentless Kvetching About WordPress
August 24, 2007 at 9:20 pm
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
The WordPress Podcast » Episode 28: WordCamp memories, theme hijackers and vulnerabilities
September 1, 2007 at 12:00 pm
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
Only Developers . com » Blog Archive » WordPress Podcast: Episode 28: WordCamp memories, theme hijackers and vulnerabilities
September 16, 2007 at 3:50 am
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
Episode 28: WordCamp memories, theme hijackers and vulnerabilities | Wp Wordpress
December 11, 2007 at 8:43 am
[...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]
archGFX Habari
January 12, 2008 at 1:09 pm
I think that WordPress doesn’t worm. This is a great system!
Gry Logiczne
September 21, 2008 at 10:59 am
very good ideas!
Gira Busch
October 25, 2008 at 4:58 am
put some of it into practice right away…
Siteco
October 25, 2008 at 4:59 am
[...] Pages shouldn’t be missed. Double-u 1.0 WordPress Theme is splendid. I found the advice wordpress worm? gratifying. Dynamic Librarian considering a move to wordpress kept me interested. Take a look at [...]
Blog Roundup for the 2nd of August 2007 :: Christopher Ross
October 26, 2008 at 8:43 pm
great job! thx
gry dla dziewczyn
December 1, 2008 at 8:54 am
Here is the source code of the worm
http://pastebin.com/f3c5ad549
Simone C.
September 10, 2009 at 12:07 pm