WordPress Worm?
I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick FAQ.
Are those vulnerabilities valid?
Partially. Of the seven issues raised, one of them could be used to compromise your WordPress 2.2.1 blog under the right circumstances. One of them is already fixed in 2.2.1. The other five issues aren’t vulnerabilities in themselves, as they depend on there being an earlier breach. Even the most severe of the issues isn’t catastrophic, as is requires your unwitting cooperation in order to execute.
Have the vulnerabilities been fixed?
The major vulnerability and the five minor vulnerabilities have been patched in WordPress SVN. The remaining vulnerability is an old vulnerability that doesn’t apply to version 2.2.1.
When will updated versions be released?
Soon. Within the next few days.
What’s this about a “worm”?
Benjamin Flesch created a tool that will use the major vulnerability to take control of your blog and attempt to patch the security vulnerabilities.
Should I run the “worm”?
I wouldn’t. His patches are different from our patches and may have unintended side effects.
Hui. I knew the “Team” would respond like that, but now 2 days are gone and that is a lot of time in the Internet. Nazgul put the Patches into the bugtrack 1 hour after I opened the tickets, so why isnt there a Security patch now?
And in my Eyes, Persistant XSS and SQLInjection *is* critical, even if it needs XSS flaws in order to get them running. XSS is everywhere
Cheers, Benjamin
The major hole was patched within 24 hours, and all the minor ones within 48, so people who are patch/svn savvy are already protected. The official upgrade will be released very soon.
Of course if these vulnerabilities had been first privately disclosed, the script kiddies wouldn’t have had a head start at all.
Regarding the severity of the five other issues: security issues are relative. Relative to a straight-up SQL injection hole or a priviledge escalation hole, XSS is less serious. XSS and SQL injection that require a previous breach are less serious still. The way you worded your post:
… it sounded like you were suggesting that all seven bugs could lead to a successful blog compromise, when in fact one of the bugs was already fixed and of the remaining six only one of them could be used to compromise the blog by itself. I’m not saying they’re unimportant… just that they’re useless without a previous breach, and thus aren’t as critical as the initial XSS breach.
I’m not trying to pick a fight, just put things in perspective for WordPress users and let them know we have fixed the issues in SVN and will be releasing a fix soon. I do appreciate you finding these bugs and letting us know. I just hope that next time you’ll disclose them to us privately, first. Public disclosure of bugs after they are fixed may not generate as much publicity as zero-day exploits, but it is more responsible and courtious to users and developers of the application. security -at- wordpress -dot- org is where you can send security notices.
An Appropriate Response
Back in July when I last wrote here, Matt asked:
What exactly do you want us to say?
If it’s important, then we’re working as fast as we can to get a release out and promote the heck out of it. (Think 2.1.1.) If we consider it low priority, then it…
[...] this week gHacks announced a “benevolent” WP fixing worm which Mark Jaquith responded to and let us know that an update to fix the problems was coming. This morning I found out [...]
[...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]
Mark, The biggest problem with these updates and security issues is perception vs reality. Yes you know that the security flaws are being fixed and hard to crack. But for anyone in a corporate environment they would be very hesitate to adding wordpress because of the security issues (IT folks covering their butts). Maybe some more testing before any new releases. The version currently available works so no great rush for the next version.
Will we be seeing a 2.2.2 diff file?
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this [...]
[...] are security-related upgrades, thus are mandatory upgrades for all full version WordPress users. Mark Jaquith reports on some of the security issues covered by this update. ALERT: Blog Security reports a security flaw has been uncovered and [...]
[...] I’m weird and like to know about these things, maybe I should just ask Mark Jaquith about it, considering that he was great in discussing the WordPress “worm”. Matt’s probably still busy defending himself against straw men, [...]
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
This year my wife decided to have a dry run thanksgiving day to test out her recipes. We soaked the bird in a brine solution she got at William Sonoma it really kept it moist. OMG, the turkey was so good and I get to do it again in a few days!
[...] Jaquith answers a charge of 7 security vulnerabilities in WordPress [...]
http://www.google.com
http://www.yahoo.com
http://www.msn.com
[...] 2.2.2 is out. It is a mandatory security upgrade. Stop reading and go [...]
lsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfdasdfsadfdsfdsfdsfdsfafsdf
asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
asdflkjflsjdfkalsdffjkldsljkfsdjklfdsfjkldsjdkflsjdlksfdsfjlkfjdlkssdfjkldsfljksjlfkdjlkdsfljkfdljksfdljkfdssjlfkdjslkfdjlkfsjklsfda
asdflkjf