News for nerds, stuff that matters

Wordpress 2.1.1 Release Compromised by Cracker

Posted by Zonk on Sat Mar 03, 2007 01:34 AM
from the not-my-emo-comments-and-angsty-statements dept.
GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on whether any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."
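The log check from the summary, written out as an added example (it is not part of the story or anything published by the WordPress project). It parses each request line and the query string properly instead of grepping for the substrings "ix=" and "iz=", so a parameter such as "?matrix=1" on the same file does not produce a false positive; the access-log lines below are constructed, and the `/wp-includes/` directory in them is an assumption about where the two files live.

```python
"""Scan web-server access logs for the request pattern named in the WordPress
2.1.1 advisory: hits on theme.php or feed.php carrying an "ix" or "iz" query
parameter.  Added example; the log lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SUSPECT_FILES = {"theme.php", "feed.php"}   # files named in the advisory
SUSPECT_PARAMS = {"ix", "iz"}               # query parameters named in the advisory


def classify(line):
    """Return a dict describing a suspicious hit, or None for an uninteresting line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    filename = parts.path.rsplit("/", 1)[-1]
    if filename not in SUSPECT_FILES:
        return None
    # Parse the query rather than searching for the substring "ix=": a request
    # like theme.php?matrix=1 contains "ix=" but is not the pattern we want.
    # keep_blank_values so "?iz=" with an empty value is still reported.
    params = parse_qs(parts.query, keep_blank_values=True)
    hit = SUSPECT_PARAMS & set(params)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "file": filename,
        "params": {k: params[k] for k in sorted(hit)},
        "status": int(m.group("status")),
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log (addresses are documentation ranges, values are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2007:10:22:31 +0000] "GET /wp-includes/theme.php?iz=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2007:10:23:02 +0000] "GET /wp-includes/feed.php?ix=1 HTTP/1.0" 200 77 "-" "curl/7.15"',
    '192.0.2.9 - - [01/Mar/2007:10:25:10 +0000] "GET /wp-includes/theme.php?matrix=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Mar/2007:10:25:11 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2007:10:31:45 +0000] "POST /wp-includes/feed.php?ix= HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

On a real server, feed the function the access log for the whole period since the first download of 2.1.1; the status code is kept in the report because a 200 on a request that would normally not be served directly is worth a closer look.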
  • by MichaelSmith (789609) on Saturday March 03 2007, @01:39AM (#18215732)
    (http://netapps.com.au/)

    Makes me wonder if the PHP VM could do a hash of the application code and compare that with a certificate from the source of the application. I know that the injected code in this case would have been certified, but it would make it easier to identify sites which had not been upgraded.

  • Made it easier for ... (Score:3, Insightful)

    by asifyoucare (302582) on Saturday March 03 2007, @01:42AM (#18215736)
    Zonk, what do they pay you for?

  • Key Details (Score:5, Informative)

    by Kelson (129150) * on Saturday March 03 2007, @02:00AM (#18215794)
    (http://www.hyperborea.org/journal/)

    From the article, and from some comparisons I did on the downloads:

    • The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
    • Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
    • If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
    • 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it's worth updating anyway. (diff)

    I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.
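Kelson's comparison of the two archives, done programmatically. This is an added example, not code from the thread or the WordPress project: it hashes every regular file in two tarballs and reports which members changed, appeared or disappeared, ignoring the top-level directory name so archives packed under different names still line up. The two archives below are built in memory with placeholder contents, not WordPress source.

```python
"""Compare two release archives member by member and report the differences.
Added example; the archives are constructed in memory with placeholder files."""
import hashlib
import io
import posixpath
import tarfile


def member_digests(archive_bytes, strip_top=True):
    """Map each regular file in a .tar/.tar.gz to its SHA-256, keyed by path.

    strip_top drops the leading directory component (e.g. "wordpress/") so two
    archives unpacked under different top-level names can still be compared.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            name = posixpath.normpath(member.name)
            if strip_top and "/" in name:
                name = name.split("/", 1)[1]
            data = tf.extractfile(member).read()
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(a_bytes, b_bytes):
    """Return which paths changed, were added, were removed, or are identical."""
    a, b = member_digests(a_bytes), member_digests(b_bytes)
    common = a.keys() & b.keys()
    return {
        "changed": sorted(p for p in common if a[p] != b[p]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "same": sorted(p for p in common if a[p] == b[p]),
    }


def build_tar(top, files):
    """Constructed fixture: pack {relative_path: bytes} under top/ as .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=posixpath.join(top, rel))
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Placeholder contents; only the comparison logic is the point.
ORIGINAL = build_tar("wordpress", {
    "wp-includes/theme.php": b"<?php\n// theme helpers\n",
    "wp-includes/feed.php": b"<?php\n// feed helpers\n",
    "readme.html": b"<html>2.1.1</html>\n",
})
# The same release name fetched again later, with one member altered.
REFETCHED = build_tar("wordpress", {
    "wp-includes/theme.php": b"<?php\n// theme helpers\n// extra lines\n",
    "wp-includes/feed.php": b"<?php\n// feed helpers\n",
    "readme.html": b"<html>2.1.1</html>\n",
})

if __name__ == "__main__":
    report = compare_archives(ORIGINAL, REFETCHED)
    for key in ("changed", "added", "removed"):
        print(key, report[key])
```

The "same" list is as useful as "changed": it is what lets Kelson say that feed.php and theme.php in his day-one copy match the fixed release, and therefore that his copy predates the tampering.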

  • Cracker (Score:1, Redundant)

    by Bo'Bob'O (95398) on Saturday March 03 2007, @02:46AM (#18215930)
    First time I read that headline, I wondered for a second why it was significant it was compromised by a white guy.
  • Also update your.. (Score:2, Informative)

    by blankoboy (719577) on Saturday March 03 2007, @02:52AM (#18215948)
    (http://www.skintube.com/)
    To err on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change their WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed, who knows what was done and what was seen. Perhaps it may be good to even update existing WP user passwords.
  • by Anonymous Coward on Saturday March 03 2007, @05:35AM (#18216412)
    Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

    OSS releases should be GPG signed by now; unless the attacker can compromise the key, we're then left with tampering in the repository.
  • There is an efficient way to avoid such tampering, or at least to hope that those tricks will be quickly discovered by somebody: seal (sign) your published works, dammit!
    • have a well-signed and published (on the keyservers) GnuPG (GPG) key
    • only transfer/store the private key on absolutely sure boxes, and only if it is strictly necessary
    • keep a backup of the private key in an ultra safe place
    • give a copy of the revocation certificate to a few very good friends
    • publish the public key on a good keyserver
    Then sign every archive published, let the file be mirrored everywhere... and the hell with the polluters! For now most users will not verify the signature but at least a few of them will do, and with time a growing number will join.
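The verifying side of the procedure the two comments above describe, as an added example (not code from the thread or from any project). It runs gpg on a detached signature and reads gpg's machine-readable status lines rather than trusting the exit code: GOODSIG only says the signature verifies with some key in your keyring, so the fingerprint reported in VALIDSIG is pinned to the release key you expect. `verify_release()` assumes GnuPG is installed; `parse_status()` is pure and is fed constructed status output below, with placeholder fingerprints and an example.org user ID.

```python
"""Verify a detached OpenPGP signature on a release archive and pin the signing
key's fingerprint.  Added example; status lines below are constructed, modelled
on GnuPG's documented --status-fd output, with placeholder key material."""
import subprocess

# Status tags that mean "do not trust this archive" for release verification.
FAILURE_TAGS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def parse_status(status_lines, expected_fpr):
    """Reduce gpg --status-fd lines to (verdict, reason, fingerprint).

    GOODSIG alone is not enough: any key in the keyring would satisfy it.
    VALIDSIG carries the full fingerprint, which is compared to the pinned one.
    """
    good = False
    fingerprint = None
    errors = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
        elif tag in FAILURE_TAGS:
            errors.append(tag)
    if errors:
        return ("fail", errors[0], fingerprint)
    if not good or fingerprint is None:
        return ("fail", "NOSIG", fingerprint)
    if fingerprint != expected_fpr.replace(" ", "").upper():
        return ("fail", "WRONG_KEY", fingerprint)
    return ("ok", "GOODSIG", fingerprint)


def verify_release(archive, signature, expected_fpr, gpg="gpg"):
    """Run gpg with status output on fd 1 and apply parse_status()."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, archive],
        capture_output=True, text=True,
    )
    return parse_status(proc.stdout.splitlines(), expected_fpr)


# Placeholder fingerprint of the key the project is expected to sign with.
PINNED = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"
_FPR = PINNED.replace(" ", "")
_OTHER = "9999888877776666555544443333222211110000"

# Constructed gpg status output for three runs.
GOOD_RUN = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1111222233334444 Release Manager <rm@example.org>",
    f"[GNUPG:] VALIDSIG {_FPR} 2007-03-02 1172880000 0 4 0 1 2 00 {_FPR}",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
OTHER_KEY_RUN = [  # valid signature, but not from the pinned key
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 2222111100009999 Somebody Else <other@example.org>",
    f"[GNUPG:] VALIDSIG {_OTHER} 2007-03-02 1172880000 0 4 0 1 2 00 {_OTHER}",
]
BAD_RUN = [  # archive modified after signing
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 1111222233334444 Release Manager <rm@example.org>",
]

if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("other key", OTHER_KEY_RUN), ("bad", BAD_RUN)):
        print(name, parse_status(run, PINNED))
```

The fingerprint to pin has to come from somewhere other than the download server, for example the key published on the keyservers as the comment suggests, or it adds nothing over the unsigned tarball.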
  • by edmicman (830206) on Saturday March 03 2007, @09:18AM (#18217312)
    (http://www.fiestyturtles.com/)
    How does this affect Wordpress mu (multiuser)? http://mu.wordpress.org/
  • by liftphreaker (972707) on Saturday March 03 2007, @11:33PM (#18223462)
    As an ex-wordpress user, this just points out one among the many changes and improvements they need to make. Security is important, but if the fundamental framework itself is weak, nothing else is going to matter too much. Wordpress is crippled in that it simply can't take a digg or heavy slashdot hit. Check out any wordpress site that's been dugg to front page, chances are 99% it's going to be dead in minutes.
  • Re:Damn crazy crackahs. (Score:5, Funny)

    by User 956 (568564) on Saturday March 03 2007, @02:10AM (#18215826)
    (http://www.atomjax.com/)
    Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

    I thought the politically-correct term for "cracker" was "caucasian-american"?
  • Re:Damn crazy crackahs. (Score:1, Troll)

    by linvir (970218) on Saturday March 03 2007, @02:35AM (#18215900)

    it's "hacker" now. Give up
    Fukken seconded.
  • by undoIT (1070894) on Saturday March 03 2007, @03:51AM (#18216126)
    (http://themebot.com/)
    ya know. if i was a smacka jacker cracka crack hacker, i'd be all up in the spam co's databases, emolating their servurz