Is WordPress Insecure by Design?

Ouch. So much for upgrading to WordPress 2.5 for a secure version of WordPress.

While the shift to 2.5 is a step in the right direction, it might not fully fix the problem now that this exploit is known. (Thanks to Ian for pointing this out.)

WordPress is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

WordPress 2.5 is vulnerable; other versions may also be affected.

… and check out the affected versions:

WordPress 2.3.1
WordPress 2.2.3
WordPress 2.2.2
WordPress 2.2.1
WordPress 2.1.3
WordPress 2.1.2
WordPress 2.1.1
WordPress 2.0.10
WordPress 2.0.7
WordPress 2.0.6
WordPress 2.0.5
WordPress 2.0.4
WordPress 2.0.3
WordPress 2.0.2
WordPress 2.0.1
WordPress 2.0
WordPress 2.5
WordPress 2.3
WordPress 2.2 Revision 5003
WordPress 2.2 Revision 5002
WordPress 2.2
WordPress 2.1.3-RC2
WordPress 2.1.3-RC1
WordPress 2.1
WordPress 2.0.10-RC2
WordPress 2.0.10-RC1
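The advisory quoted above names the defect class ("fails to sufficiently sanitize user-supplied data before using it in an SQL query") but gives no code, and the rest of this post does not either. The following is an added illustration, not WordPress code and not part of the advisory: a Python sketch against an in-memory SQLite table (constructed sample rows) of the same defect and the standard fix. WordPress itself is PHP on MySQL, so the table, column and function names here are my own. The point it makes is that "sanitizing" by splicing a value into query text is the wrong tool: an apostrophe in a legitimate author name breaks the query, and a crafted value changes which rows come back, while a parameterized query treats the value as data in both cases.

```python
import sqlite3


def make_db():
    """Constructed sample data: three posts, two published, one author with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO posts (author, status) VALUES (?, ?)",
        [("alice", "publish"), ("bob", "draft"), ("O'Brien", "publish")],
    )
    return conn


def posts_by_author_unsafe(conn, author):
    """Defect: the untrusted value is spliced into the SQL text, so quote
    characters in it become part of the query's structure."""
    sql = ("SELECT id FROM posts WHERE author = '" + author
           + "' AND status = 'publish' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def posts_by_author_safe(conn, author):
    """Fix: a bound parameter is always a string value, never SQL."""
    sql = "SELECT id FROM posts WHERE author = ? AND status = 'publish' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (author,))]


def demo():
    """Run both versions on a normal name, a name with an apostrophe, and a
    value that carries its own quote and OR clause; return what each gives back."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed: closes the string literal early
    results = {
        "unsafe_legit": posts_by_author_unsafe(conn, "alice"),        # [1]
        "unsafe_injected": posts_by_author_unsafe(conn, crafted),     # [1, 3]: every published post
        "safe_injected": posts_by_author_safe(conn, crafted),         # []: no author has that name
        "safe_apostrophe": posts_by_author_safe(conn, "O'Brien"),     # [3]
    }
    try:
        posts_by_author_unsafe(conn, "O'Brien")
        results["unsafe_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        # A perfectly legitimate input already breaks the unsafe query.
        results["unsafe_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "unsafe_apostrophe" outcome is the cheap detection signal: if ordinary input containing a quote produces a database error in your logs, the code path is building queries from strings and needs the parameterized form regardless of whether anyone has exploited it yet.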


  1. Kevin, you know better than this. Could you point to one piece of valid information in that report? We certainly haven’t found any, or gotten anything to our security address. There are no details, no exploit information except “Attackers can use a browser to exploit these issues.” The only thing they spent any time on is the version list, which bizarrely includes two SVN revisions and a few RCs? I’m surprised Security Focus allows content-free postings like that.

  2. Hey Matt.

    Sorry for the late reply. I was hiking most of today.

    I posted this for two reasons.

    1. SQL injection is a common attack that we’re seeing more and more of with no end in sight.

    2. There hasn’t been any information from WordPress about whether 2.5 fixes the problems we’re seeing with all the WordPress spam that’s going on.

    Upgrades to 2.5 have been recommended but there’s no guarantee that this actually fixes the problem.

    In fact, I really think you guys should address this head-on and throw more resources at it. An official blog post about the issue followed by point releases for earlier versions of WordPress (with security patches) as well as a status update as to the vulnerability (or lack thereof) would be greatly appreciated.

    Thanks.

    Kevin

  3. As someone with a security background, I would expect more of a critical eye when evaluating reported vulnerabilities, especially when you know how much crap and snake oil there is out there. The “report” you link to contains no actual information, so by suggesting that a report indicates a problem in 2.5 you’re spreading sensationalism, fear, uncertainty, and doubt.

    As for the spam issues, if the problems were single-fold we could say a single thing fixes it. However in what we’ve seen it can be caused by a number of things:

    1. Weak passwords or compromised accounts from old versions. It doesn’t matter if you’re on 2.5 if they got your username/password.
    2. Insecure hosting permissions and other accounts being compromised. There could be someone running an old phpBB on the same server and they simply scan for all DB connect files, footer.php, and such on the server and change them all.
    3. Old, insecure versions of WP, especially if they have open registration or other insecure settings. The only two officially supported versions right now are 2.0 and 2.5.
    4. Phishing (fairly rare right now).

    What you and Ian are seeing is a very small slice of the problem because many of the spammers have their code show only to Google, so unless you spoof Googlebot you won’t see it. I think, long-term, contacting bloggers and helping them upgrade or move to a host that does it for them is a great idea, and also working with web hosts who can address the problems for thousands of accounts at once. (The problems cluster on web hosts with insecure permissions, because it only takes one account to own every blog on the server.) I also think providing public lists of compromised blogs and also the domains that are being promoted by the hidden links would be helpful. When people contact us we help them log the attacks and analyze what the problem is, and if it’s applicable to the latest version.

    What doesn’t help is attacking the current development team or spreading misinformation suggesting that 2.5 is vulnerable when there are no known problems with it. We’re fighting on the same side here, I hate seeing blogs owned just as you hate it being in your index. People shouldn’t have to worry about this, but hosting is inherently hard and a responsibility most people don’t consider when doing a one-click install on their $6/mo web host.
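The comment above makes a point a blog owner can act on: the injected spam links are often served only to search-engine crawlers, so a normal browser visit looks clean. The following is an added example, not part of any comment here and not WordPress code, showing the check a site owner would run on their own blog: fetch the same page twice, once with an ordinary User-Agent and once with Googlebot's, and report any links that appear only in the crawler's copy. The two HTML documents embedded below are constructed samples standing in for those two responses; `fetch` and `audit` are my own helper names, and the Googlebot User-Agent string is the one Google publishes for its crawler.

```python
import urllib.request
from html.parser import HTMLParser

# Ordinary browser-style UA versus the UA string Google's crawler sends.
BROWSER_UA = "Mozilla/5.0 (compatible; site-audit/1.0)"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample responses: what a browser would get, and what the
# same URL hands to a crawler when a theme file has been tampered with.
BROWSER_HTML = """<html><body><h1>My blog</h1>
<a href="/about">About</a><a href="/archive">Archive</a></body></html>"""
CRAWLER_HTML = """<html><body><h1>My blog</h1>
<a href="/about">About</a><a href="/archive">Archive</a>
<div style="display:none"><a href="http://promoted.example/">buy now</a>
<a href="http://promoted.example/other">more</a></div></body></html>"""


class LinkCollector(HTMLParser):
    """Collect every href in the document, regardless of how it is styled."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def cloaked_links(html_as_browser, html_as_crawler):
    """Links present only in the crawler's copy of the page: the signature
    of hidden SEO spam. Returns an empty set for a clean page."""
    return extract_links(html_as_crawler) - extract_links(html_as_browser)


def fetch(url, user_agent):
    """Retrieve a page with a chosen User-Agent (network access required)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit(url):
    """Compare a live page as seen by a browser and by Googlebot."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


def audit_sample():
    """Offline run over the constructed responses above."""
    return cloaked_links(BROWSER_HTML, CRAWLER_HTML)


if __name__ == "__main__":
    for href in sorted(audit_sample()):
        print("served only to the crawler:", href)
```

Because the comparison is on extracted hrefs rather than raw HTML, ordinary per-request differences (timestamps, nonces, analytics snippets) do not produce false positives; a non-empty result on your own site means the served markup depends on who is asking, which is worth a look at the theme and plugin files the comment mentions (footer.php and the like).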

  4. “As someone with a security background, I would expect more of a critical eye when evaluating reported vulnerabilities, especially when you know how much crap and snake oil there is out there. The ‘report’ you link to contains no actual information, so by suggesting that a report indicates a problem in 2.5 you’re spreading sensationalism, fear, uncertainty, and doubt.”

    Linking to a post in the current climate only seeks to spread FUD because there IS NOT much hard factual information out there about what’s really happening.

    Further, it changes day in and day out. I’ve linked to a number of posts on the subject to try to further dialog. I don’t have the time to do full security audits on code for every issue raised here about WordPress security.

    The only thing that’s going to fix this problem is open dialog which is what I’ve tried to foster by continually posting about this subject.

    “3. Old, insecure versions of WP, especially if they have open registration or other insecure settings. The only two officially supported versions right now are 2.0 and 2.5.”

    Yes. But based on the numbers it seems to be an issue with older and insecure versions of WordPress which are resulting in high numbers of vulnerable and hacked weblogs.

    “What you and Ian are seeing is a very small slice of the problem because many of the spammers have their code show only to Google, so unless you spoof Googlebot you won’t see it.”

    … so you’re saying the problem is a lot *worse* than we’re predicting?

    From my audits I don’t think this is the case.

    It appears that there are 2-3 large spammers (or one running 2-3 complex spam campaigns) directly targeting WordPress.

    This almost certainly has to do with the sheer number of vulnerable blogs running WordPress…

    “… or spreading misinformation suggesting that 2.5 is vulnerable when there are no known problems with it.”

    “No known problems” does not mean it’s secure. One of the problems I have is suggesting upgrades when we aren’t actually certain that the problems have been fixed.

    One could argue that there might be a few more upgrades as we learn more about exploits though.

    The main crux of your argument is that I’m spreading misinformation and FUD.

    Any FUD that’s out there could be easily combated by posting about this issue on the WordPress development blog, your personal blog, etc.

    The biggest criticism of WordPress I have at the moment is how you’ve been silent about this problem while Rome burns.

    You guys should be owning this issue!

    The only security post on the WordPress blog was the release of 2.3.3 on Feb 5.

    There has been no discussion about how the largest blog spam campaign in recent memory (or perhaps all time) is currently being waged against WordPress blogs and that it’s URGENT that your customers upgrade.

    For example, the Blog Herald did a GREAT review of the current state of WordPress security on April 9:

    http://www.blogherald.com/2008/04/09/wordpress-wednesday-news-wordpress-25-security-issues-plugins-updated-wordpress-vs-wordpressmu-and-more/

    This should have come from WordPress proper – not a 3rd party…

    PLEASE step up here and start owning this problem. If you guys OFFICIALLY blog on this subject you can get more WordPress bloggers to upgrade.

    “We’re fighting on the same side here, I hate seeing blogs owned just as you hate it being in your index. People shouldn’t have to worry about this, but hosting is inherently hard and a responsibility most people don’t consider when doing a one-click install on their $6/mo web host.”

    Agreed. We’re fighting on the same side. Note my emails to you guys about security@wordpress.org

    I didn’t hear anything back though… so I assume you’ve received them…

  5. Kevin

    You’ve hit the nail firmly on the head.

    WP has a terrible security track record on two fronts:
    1 – the code itself
    2 – the communication of the issues to its users

    If they’re addressing it, good, but they really need to get the message to their users more efficiently.

    Michele

  6. When there have been real security threats to our users, we’ve sung it far and wide even though it was painful. (789 unique pings on that post.) We’ve blogged about security updates dozens of other times.

    Kevin, linking to the post is one thing, but linking to it with the title “Is WordPress Insecure by Design?” and then the suggestion that “ouch” people on 2.5 are vulnerable to hacking suggests that you’ve at least read the linked article and consider it a real problem. If that was a report about Tailrank, how would you react? I don’t think it’s something you need to read any code to evaluate.

    You’re correct that the 2.5 update post doesn’t mention it includes security fixes, so I’ve corrected that.

    Your two emails to our security team just included a few dozen URLs of blogs on old versions that were hacked; I didn’t see anything actionable or that needed a reply, but if I missed something let me know. Other folks have sent in logs and dumps that we’ve analyzed to confirm it was one of the bugs fixed in newer versions already, and we reply to those.

    I’m working on a larger post about everything, hope to get it up tomorrow.

  7. @Michele I’m not sure exactly what you mean about the message not going out to WP users. I think I’ve heard about any potentially worrying exploits, and whilst I might be more active in checking feeds and various WP related blogs, the fact is that the normal user will see these items appearing on their WP dashboard.

    I can’t however speak for the code itself as I’m no php/mysql security expert! I’ve never felt uncomfortable using it though.
