October 21, 2014

WordPress 3.5.1 released to fix bugs and security vulnerabilities

(LiveHacking.Com) – WordPress 3.5.1 has been released with 37 bug fixes and patches for three security issues. Two of the issues fixed were cross-site scripting vulnerabilities, while the other was a server-side request forgery vulnerability. The full details are as follows:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

The WordPress team passed on its thanks to security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing the fix to the server-side request forgery vulnerability.

Of the 37 bugs fixed, the WordPress team highlighted the following fixes:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

You can download WordPress 3.5.1 from here or click on Dashboard → Updates in your site admin section to update automatically.

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix 6 security vulnerabilities including two cross-site scripting vulnerabilities and a privilege escalation. The fixed vulnerabilities come in two distinct parts. First, three external libraries included in WordPress received security updates and second, the WordPress core security team have fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, changed the way the Flash part of the library works to avoid CSRF issues.

Two other Flash-related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Millions of WordPress Sites Exposing Potentially Private Photos Due to Misconfiguration

(LiveHacking.Com) – A security researcher has discovered that millions of web sites which run on the popular WordPress blogging platform are exposing potentially private photos and images due to misconfiguration and a privacy vulnerability in the NextGEN Gallery plugin. The problem is that the NextGEN Gallery plugin allows unrestricted HTTP browsing of its ‘gallery’ directory and so exposes all the photos which have been uploaded to the blog but not necessarily published via the plugin.

To access the gallery the following URL is used http://www.example.com/wp-content/gallery/ where example.com is the domain name of the WordPress site. Variations of this could be http://blog.example.com/wp-content/gallery/ or http://www.example.com/blog/wp-content/gallery/ depending where WordPress has been installed.

A search engine can also be used to find vulnerable sites by using the following search: inurl:"/wp-content/gallery/". Google returns over 7 million results for this search. An alternative search is "Index of /wp-content/gallery", which returns over 3 million results.

The impact of this vulnerability is that photos and images are being exposed which the system administrator has not published. Secondly there are privacy issues with the search engines crawling sections of web sites which the admins thought had remained private.

There are, however, some workarounds which I recommend every WordPress / NextGEN Gallery site use:

  1. Add the following lines to WordPress .htaccess to prevent directory browsing:
    # Disable Directory Browsing
    Options All -Indexes
  2. Create an empty file with the name of index.html or index.php and save it in http://www.example.com/wp-content/gallery/
  3. Use Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/.
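As an added example (not part of the original article), a small shell audit that checks whether the first two workarounds above are in place on a WordPress install: an .htaccess line that removes Indexes, and a placeholder index file in wp-content/gallery/. It assumes Apache is configured to honour .htaccess in the document root; the sample install it builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# gallery_listing_audit <wordpress-root>
# Prints one line per check and returns 0 when both workarounds are present,
# 1 when either is missing. Assumes Apache reads .htaccess in this directory.
gallery_listing_audit() {
    root="$1"
    status=0

    # Workaround 1: an "Options" directive in .htaccess that removes Indexes.
    # Matches "Options All -Indexes" as well as the shorter "Options -Indexes".
    if grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null; then
        echo "OK: $root/.htaccess disables directory indexes"
    else
        echo "MISSING: no 'Options -Indexes' line in $root/.htaccess"
        status=1
    fi

    # Workaround 2: an index.html or index.php placeholder in the gallery
    # directory, so a request for the directory never falls through to a listing.
    if [ -f "$root/wp-content/gallery/index.html" ] || [ -f "$root/wp-content/gallery/index.php" ]; then
        echo "OK: placeholder index file present in $root/wp-content/gallery/"
    else
        echo "MISSING: no index.html or index.php in $root/wp-content/gallery/"
        status=1
    fi
    return "$status"
}

# Constructed sample install (temporary directory) so the script runs stand-alone.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/gallery"
printf '# Disable Directory Browsing\nOptions All -Indexes\n' > "$demo_root/.htaccess"
: > "$demo_root/wp-content/gallery/index.html"
if gallery_listing_audit "$demo_root"; then
    echo "both workarounds present"
else
    echo "at least one workaround missing"
fi
```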

At this time US-CERT has been notified along with the plugin author. According to the statistics on the WordPress site, NextGEN Gallery has been downloaded over 4.5 million times.

WordPress 3.3 Patched to Fix Cross-Site Scripting Vulnerability

(LiveHacking.Com) – WordPress 3.3.1 has been released to fix a Cross-Site Scripting (XSS) vulnerability discovered by security researchers Aditya Modha & Samir Shah. As well as fixing the XSS problem, 3.3.1 fixes 15 issues with WordPress 3.3. Once the vulnerability was made public other researchers tried to test the vulnerability but without success. It transpires that if WordPress is installed using an IP address the vulnerability is exploitable. If however, like many people, WordPress is installed via a domain name, the site isn’t vulnerable. This is because of some logic within the WordPress codebase which treats URLs differently depending on whether WP_SITEURL is set or unset.

The WordPress team mentioned thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K. and the Go Daddy security team for responsibly disclosing the bug to the WordPress security team.

WordPress 3.3.1 can be downloaded from here or use Dashboard → Updates in your site admin.

Non-updated Versions of TimThumb Still Causing Problems for WordPress

(LiveHacking.Com) – Nearly three months ago it was discovered that TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory.

Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections that are exploiting non-updated versions of TimThumb.

Researchers from AVAST were contacted in relation to the blog theJournal.fr, the online site for The Poitou-Charentes Journal, which had been infected. According to AVAST, the Poitou-Charentes Journal is just one part of a much bigger attack.

The compromised sites were infected with the Blackhole Toolkit, a set of malware tools available on the black market for around $1500. AVAST have spotted 151,000 hits to one of the locations where this exploit redirects users. AVAST estimates that anywhere up to 3,500 sites have been infected.

More details about the surge in infections can be found here, and details of the Blackhole Toolkit can be found on AVAST’s blog here.

Google Images Poisoned by Hacked WordPress Blogs

(LiveHacking.Com) – Russian security researcher Denis Sinegubko has posted details of 4,358 WordPress blogs that are poisoning Google Images with inserted doorway pages that redirect visitors to fake anti-virus sites.

These doorway pages replace the original content with twenty or so “thumbnails” and short text snippets relevant to different keyword searches. Subsequently they are picked up by Google’s spiders and can rank quite well for some keywords, both in Google Web search and Google Images search. The malicious redirects occur only when users click on Google Images search results. The redirects take the users to landing pages that push a fake anti-virus tool.

The details were posted on the Unmask Parasites blog. Unmask Parasites is an online web site security service that helps reveal hidden content that hackers have inserted into web pages.

Denis goes on to give some good advice to webmasters:

  1. Regularly check statistics for suspicious requests.
  2. Check Google Webmaster Tools for suspicious search queries and indexed pages.
  3. Make sure your WordPress is up-to-date.

Vulnerability Discovered in WordPress Themes That Use TimThumb

(LiveHacking.Com) – TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

The problem is that the script does not check remotely cached files properly. By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory.

All WordPress administrators are advised to:

  • determine if any hosted blogs use TimThumb by searching for timthumb.php or thumb.php
  • review the blog entry on the issue and apply any necessary updates or workarounds to help mitigate the risks
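As an added example (not the article's own or TimThumb's code) for the two TimThumb items above, a shell scan that does what the first bullet asks, locating timthumb.php / thumb.php copies under a web root, and then checks each script's cache directory for cached "images" that contain a PHP open tag, the signature of the polyglot file the articles describe. It assumes TimThumb keeps its cache in a "cache" directory beside the script (the script's default location); the web root it scans at the end is a constructed temporary tree.

```shell
#!/bin/sh
# find_timthumb <webroot>  -> prints every timthumb.php / thumb.php found
find_timthumb() {
    find "$1" -type f \( -name timthumb.php -o -name thumb.php \) 2>/dev/null
}

# suspicious_cache_files <webroot> -> prints cached files that contain "<?php".
# Assumes the cache lives in ./cache next to each script (TimThumb's default).
suspicious_cache_files() {
    find_timthumb "$1" | while read -r script; do
        cache_dir="$(dirname "$script")/cache"
        [ -d "$cache_dir" ] || continue
        # -a scans binary image data as text so a tag after a valid image header
        # is still matched; -l prints only the file names; -r walks the cache.
        grep -rla '<?php' "$cache_dir" 2>/dev/null
    done
}

# scan_report <webroot> -> returns 1 if any cached file carries a PHP tag
scan_report() {
    hits=$(suspicious_cache_files "$1")
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS cached file(s), review and remove:\n%s\n' "$hits"
        return 1
    fi
    echo "no PHP tags found in TimThumb caches under $1"
    return 0
}

# Constructed sample web root: one theme with TimThumb, one clean cached JPEG
# and one cached file that is an image header followed by a bare PHP tag.
demo_root=$(mktemp -d)
theme="$demo_root/wp-content/themes/demo"
mkdir -p "$theme/cache"
: > "$theme/timthumb.php"
printf '\377\330\377\340' > "$theme/cache/clean.jpg"
printf 'GIF89a\n<?php\n' > "$theme/cache/odd.jpg"
if scan_report "$demo_root"; then
    echo "cache is clean"
else
    echo "check the files listed above"
fi
```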

Mark Maunder, who found the vulnerability, has posted technical details of the hack here.

Security Update: WordPress 3.1.4 Released

The WordPress team has released WordPress 3.1.4. This release is a security update for all previous WordPress versions.

This new release fixes a security issue that could allow an intruder with an Editor-level user account to gain further access to the site. The vulnerability was discovered by K. Gudinavicius and reported to the WordPress development team.

WordPress 3.1.4 also includes other security fixes and hardening measures.

List of Files Revised

  • readme.html
  • wp-settings.php
  • wp-includes/taxonomy.php
  • wp-includes/post.php
  • wp-includes/version.php
  • wp-includes/bookmark.php
  • wp-includes/wp-db.php
  • wp-includes/formatting.php
  • wp-includes/script-loader.php
  • wp-content/themes/twentyten/languages/twentyten.pot
  • wp-admin/includes/post.php
  • wp-admin/includes/deprecated.php
  • wp-admin/includes/update-core.php
  • wp-admin/includes/media.php
  • wp-admin/js/user-profile.dev.js
  • wp-admin/js/user-profile.js
  • wp-admin/custom-header.php
  • wp-admin/options-general.php

All WordPress website administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.1.4 directly.

WordPress.org Force-resets All Passwords

WordPress.org has come under an unusual attack where hackers have attempted to upload new version of popular WordPress plugins with cleverly disguised backdoors. Once the WordPress team noticed these suspicious commits they rolled back the affected plugins, told the authors and shut down access to the plugin repository to check for anything else unsavory.

As a preventive measure the WordPress team have decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (This also applies to bbPress.org and BuddyPress.org.)

Any users of AddThis, WPtouch, or W3 Total Cache should upgrade each to the latest version to ensure you are not running a hacked version.

WordPress 3.1.2 Closes Unauthorized Posting Hole

A security update to WordPress 3.1 has been released to address a vulnerability that allowed Contributor-level users to improperly publish posts. The problem is to do with the “Press This” bookmarklet and a lack of validation of the rights of the user submitting the post. The problem was found by WordPress’ Andrew Nacin working with Benjamin Balter. WordPress recommends an immediate update to 3.1.2, especially if you allow users to register as contributors or if you have untrusted users.

This release also fixes a few bugs that didn’t make it into 3.1.1:

  • Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)
  • Fix user queries ordered by post count. (#17123)
  • Fix multiple tag queries. (#17054)
  • Prevent over-escaping of post titles when using Quick Edit for pages. (#17218)

You can download 3.1.2 from here or update automatically from the Dashboard → Updates menu in your site’s admin area.