Old 2008-07-24, 10:33 AM   #11
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Regrettably, there are some security holes in xmlrpc.php through to 2.5.0. There is one in 2.5.1, but no one has captured it, so WordPress disabled remote publishing through xmlrpc for new installs in 2.6.

Here's a hack that involves WordPress sites up through 2.5.1. View source on one of the resulting sites and search for kvantservice. While we've not been able to capture how this particular hack was done, I still believe there is a hole in 2.5.1 (and 2.6, since they made no changes to xmlrpc other than to turn off remote publishing for new installs). I don't believe 2.6 is secure if you use WordPress for the iPhone or any of their desktop publishing widgets. I believe the kvantservice attack happened through a Google scan to find WordPress sites; it then read the post from the front page (possibly even the Google cache) to get the post ID, then forced its update through xmlrpc. The reason we think they looked at the front page only is that almost every republished post breaks at the More... marker, which sort of proves they didn't read the entire post.

The site running 1.5 might be running WPMU -- its version numbers haven't kept up with the personal version, and their current WPMU is 1.5.1.

The problem that one particular client and I have been having with WordPress is that security updates are not kept separate from feature upgrades. And those feature upgrades almost always break functionality or remove features to make the product simpler. The permalink error is just one of many. Another irritating add-on is revisions. Every time a post is kept, the revision is kept. Because they save that revision in the post table, and that table is poorly indexed and the queries against it are poorly written, a blog with 10000 posts, each with a revision or two because you cleaned up typographic quotes, becomes a blog with 40000 posts. Their initial version of revisions kept the revisions in a separate table. Around the 4th prerelease of 2.6, it was put in the main wp_posts table.

If I were to settle on a version, I think I would settle on 2.5.1 because that xmlrpc bug doesn't seem to be well known and I've only seen it hit a few times. The bug on 2.3 is rather rampant, and I have the XML payload that can exploit that. WordPress has closed that vulnerability in 2.4. The exploit script is publicly available on many different hacker boards.
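Two of the checks the post above describes, written up as an added defender-side example that is not part of the original post and is not WordPress code: scanning stored post content for the kvantservice marker the poster says to search for, and measuring how many revision rows have piled up in wp_posts. It builds an in-memory SQLite table modelled on the real wp_posts columns (ID, post_parent, post_type, post_content; revisions are stored with post_type = 'revision' and post_parent pointing at the live post) and fills it with constructed sample rows. The last check, flagging a live post that has lost its `<!--more-->` tag while an earlier revision still has one, is a heuristic I derived from the poster's observation that republished posts break at the More marker; it is an assumption, not something the post states as a method.

```python
import sqlite3

# Constructed sample rows shaped like WordPress's wp_posts table:
# (ID, post_parent, post_type, post_title, post_content).
# The content strings and the kvantservice.example host are made up for this example.
SAMPLE_POSTS = [
    (1, 0, "post", "Welcome", "Hello world.<!--more-->Long tail of the post."),
    (2, 1, "revision", "Welcome", "Hello world.<!--more-->Long tail of the post."),
    (3, 1, "revision", "Welcome", "Hello world.<!--more-->Long tail, fixed quotes."),
    (4, 0, "post", "Recipes", "Soup recipe<!--more-->step two"),
    # Live post 5 was overwritten: it now stops at the excerpt and carries an injected link.
    (5, 0, "post", "Photos", 'Holiday pics <a href="http://kvantservice.example/">x</a>'),
    (6, 5, "revision", "Photos", "Holiday pics<!--more-->many more pics"),
]


def load_db(rows=SAMPLE_POSTS):
    """Create an in-memory table with the wp_posts columns we need and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_parent INTEGER, "
        "post_type TEXT, post_title TEXT, post_content TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def revision_bloat(conn):
    """Return (live_posts, revision_rows) so the table-growth ratio is visible."""
    live = conn.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_type = 'post'").fetchone()[0]
    revs = conn.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_type = 'revision'").fetchone()[0]
    return live, revs


def revisions_per_post(conn):
    """Map live post ID -> number of stored revision rows (posts with none are omitted)."""
    cur = conn.execute(
        "SELECT post_parent, COUNT(*) FROM wp_posts "
        "WHERE post_type = 'revision' GROUP BY post_parent ORDER BY post_parent"
    )
    return dict(cur.fetchall())


def find_marker(conn, marker="kvantservice"):
    """IDs of live posts whose stored content contains the marker (case-insensitive)."""
    cur = conn.execute(
        "SELECT ID FROM wp_posts WHERE post_type = 'post' "
        "AND lower(post_content) LIKE ? ORDER BY ID",
        ("%" + marker.lower() + "%",),
    )
    return [row[0] for row in cur.fetchall()]


def truncated_at_more(conn, tag="<!--more-->"):
    """Heuristic (assumption, see lead-in): live posts that no longer contain the More tag
    although at least one of their saved revisions does, i.e. content that now ends where
    the front-page excerpt ended."""
    cur = conn.execute(
        "SELECT p.ID FROM wp_posts p "
        "WHERE p.post_type = 'post' AND instr(p.post_content, ?) = 0 "
        "AND EXISTS (SELECT 1 FROM wp_posts r WHERE r.post_type = 'revision' "
        "            AND r.post_parent = p.ID AND instr(r.post_content, ?) > 0) "
        "ORDER BY p.ID",
        (tag, tag),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = load_db()
    live, revs = revision_bloat(db)
    print(f"live posts: {live}, revision rows: {revs}")
    print("revisions per post:", revisions_per_post(db))
    print("posts containing the marker:", find_marker(db))
    print("posts truncated at the More tag:", truncated_at_more(db))
```

Against a real install the same queries run unchanged on the MySQL wp_posts table (instr and lower exist there too); the revision counts are what you would look at before deciding whether to prune revisions, and any hit from the marker or truncation checks is a post to restore from its last clean revision after the xmlrpc exposure has been closed.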