Mark on WordPress

WordPress puts food on my table.

WordPress Worm?

with 24 comments

I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick FAQ.

Are those vulnerabilities valid?

Partially. Of the seven issues raised, one of them could be used to compromise your WordPress 2.2.1 blog under the right circumstances. One of them is already fixed in 2.2.1. The other five issues aren’t vulnerabilities in themselves, as they depend on there being an earlier breach. Even the most severe of the issues isn’t catastrophic, as is requires your unwitting cooperation in order to execute.

Have the vulnerabilities been fixed?

The major vulnerability and the five minor vulnerabilities have been patched in WordPress SVN. The remaining vulnerability is an old vulnerability that doesn’t apply to version 2.2.1.

When will updated versions be released?

Soon. Within the next few days.

What’s this about a “worm”?

Benjamin Flesch created a tool that will use the major vulnerability to take control of your blog and attempt to patch the security vulnerabilities.

Should I run the “worm”?

I wouldn’t. His patches are different from our patches and may have unintended side effects.

Written by Mark Jaquith

August 2, 2007 at 5:28 pm

Posted in security, wordpress

24 Responses

Subscribe to comments with RSS.

  1. Hui. I knew the “Team” would respond like that, but now 2 days are gone and that is a lot of time in the Internet. Nazgul put the Patches into the bugtrack 1 hour after I opened the tickets, so why isnt there a Security patch now?

    And in my Eyes, Persistant XSS and SQLInjection *is* critical, even if it needs XSS flaws in order to get them running. XSS is everywhere

    Cheers, Benjamin

    mybeNi websecurity

    August 3, 2007 at 1:31 pm

  2. The major hole was patched within 24 hours, and all the minor ones within 48, so people who are patch/svn savvy are already protected. The official upgrade will be released very soon.

    Of course if these vulnerabilities had been first privately disclosed, the script kiddies wouldn’t have had a head start at all.

    Regarding the severity of the five other issues: security issues are relative. Relative to a straight-up SQL injection hole or a priviledge escalation hole, XSS is less serious. XSS and SQL injection that require a previous breach are less serious still. The way you worded your post:

    Yesterday, I discovered five seven new WordPress vulnerabilities which may lead to a successful blog compromise under appropriate circumstances

    … it sounded like you were suggesting that all seven bugs could lead to a successful blog compromise, when in fact one of the bugs was already fixed and of the remaining six only one of them could be used to compromise the blog by itself. I’m not saying they’re unimportant… just that they’re useless without a previous breach, and thus aren’t as critical as the initial XSS breach.

    I’m not trying to pick a fight, just put things in perspective for WordPress users and let them know we have fixed the issues in SVN and will be releasing a fix soon. I do appreciate you finding these bugs and letting us know. I just hope that next time you’ll disclose them to us privately, first. Public disclosure of bugs after they are fixed may not generate as much publicity as zero-day exploits, but it is more responsible and courtious to users and developers of the application. security -at- wordpress -dot- org is where you can send security notices.

    Mark Jaquith

    August 3, 2007 at 10:39 pm

  3. An Appropriate Response

    Back in July when I last wrote here, Matt asked:
    What exactly do you want us to say?
    If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it…

  4. [...] this week gHacks announced a “benevolent” WP fixing worm which Mark Jaquith responded to and let us know that an update to fix the problems was coming.  This morning I found out [...]

  5. [...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]

    archGFX | Two Two Two

    August 6, 2007 at 9:18 pm

  6. [...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]

  7. Mark, The biggest problem with these updates and security issues is perception vs reality. Yes you know that the security flaws are being fixed and hard to crack. But for anyone in a corporate environment they would be very hesitate to adding wordpress because of the security issues (IT folks covering their butts). Maybe some more testing before any new releases. The version currently available works so no great rush for the next version.

    Dave

    August 8, 2007 at 10:17 am

  8. Will we be seeing a 2.2.2 diff file?

    Novac

    August 8, 2007 at 3:24 pm

  9. [...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]

  10. [...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this update. ALERT: Blog Security reports a security flaw has been uncovered and [...]

  11. [...] I’m weird and like to know about these things, maybe I should just ask Mark Jaquith about it, considering that he was great in discussing the WordPress “worm”. Matt’s probably still busy defending himself against straw men, [...]

  12. [...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]

  13. [...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]

  14. This year my wife decided to have a dry run thanksgiving day to test out her recipes. We soaked the bird in a brine solution she got at William Sonoma it really kept it moist. OMG, the turkey was so good and I get to do it again in a few days!

    retro

    November 18, 2007 at 7:39 pm

  15. [...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]

  16. [...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]

    archGFX Habari

    January 12, 2008 at 1:09 pm

  17. lsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfdasdfsadfdsfdsfdsfdsfafsdf
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
    asdflkjf

    asfsdfs

    January 19, 2008 at 1:38 am

  18. I think that wordpress doesn’t worm. This is great system!

    Gry Logiczne

    September 21, 2008 at 10:59 am

  19. Look at my website about photoes, zdjęcia.

    zdjęcia

    September 24, 2008 at 10:42 am

  20. sehr gute Ideen!

    Gira Busch

    October 25, 2008 at 4:58 am

  21. habe gleich einiges umgesetzt…

    Siteco

    October 25, 2008 at 4:59 am

  22. [...] Pages shouldn’t be missed. Double-u 1.0 WordPress Theme is splendid. I found the advice wordpress worm? gratifying. Dynamic Librarian considering a move to wordpress kept me interested. Take a look at [...]

  23. great job! thx :)

    gry dla dziewczyn

    December 1, 2008 at 8:54 am

  24. Here the source code of the worm
    http://pastebin.com/f3c5ad549

    Simone C.

    September 10, 2009 at 12:07 pm


Leave a Reply