Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Survey Finds Most WordPress Blogs Vulnerable

Posted by kdawson on Thu May 24, 2007 12:10 PM
from the somehow-not-a-surprise dept.
Security The Internet
BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"
This discussion has been archived. No new comments can be posted.
Survey Finds Most WordPress Blogs Vulnerable | Log In/Create an Account | Top | 82 comments | Search Discussion
Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Blogs are vunerable? (Score:5, Funny)

    by iknownuttin (1099999) on Thursday May 24, @12:13PM (#19256093)
    So, how's a huge problem? If anything, some blogs need to be hacked to have some decent content on them!

    • Re:Blogs are vunerable? (Score:4, Funny)

      by speculatrix (678524) on Thursday May 24, @03:23PM (#19259205)

      at my previous job there had been a programmer who used the same password for *everything*, and I do mean everything... from the mysql logins (both "root" and regular webapp), web site logins, shell accounts and the ssh passwords needed to move data around!

      I discovered he had a blog site, and guess what, his standard password worked on that too, both to login as him and as admin. Whilst tempted, I neither added nor deleted anything on his site, but I *did* go occasionally go through his blog posts and correct his spelling and grammar! He must have noticed because after many months of occasionally tweaking his content, the login finally stopped working. Yes, I'm talking about you, "smurphy" :-)

      [ Parent ]
    • Re:Blogs are vunerable? by kv9 (Score:2) Thursday May 24, @04:34PM

  • irony? (Score:1, Interesting)

    by dotpavan (829804) on Thursday May 24, @12:15PM (#19256127)
    (http://dotpavan.googlepages.com/home)
    where is this article hosted? [blogsecurity.net] yes, wordpress powered site!
    • Re:irony? by Anonymous Coward (Score:2) Thursday May 24, @12:39PM
      • 1 reply beneath your current threshold.

  • How do you fix it? (Score:3, Interesting)

    by jshriverWVU (810740) on Thursday May 24, @12:18PM (#19256189)
    As a wordpress user how do you fix it? I only blog to keep in touch with family and friend who live out of state. But it's been a fun project, though if it is easily exploitable I'd like to know how to fix it, and not just "you're site is EZly hax0red"

  • self-updating (Score:3, Insightful)

    by dr_hooch (203015) on Thursday May 24, @12:18PM (#19256201)
    Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.
  • Now I have to stop posting replies on Slashdot, or the script kiddies might hack my site.
    • 1 reply beneath your current threshold.

  • Time for web applications to grow up (Score:5, Insightful)

    by Bogtha (906264) on Thursday May 24, @12:23PM (#19256283)

    I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.

    The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.

    I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

  • Securing LAMP (Score:5, Informative)

    by packetmon (977047) on Thursday May 24, @12:24PM (#19256317)
    (http://www.infiltrated.net/)
    Securing LAMP [infiltrated.net] Mod Security [modsecurity.org] Its so simple a fix with mod_security...

    SecFilterSelective REQUEST_URI /admin.php chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
    SecFilterSelective ARG_username YOURUSERNAME chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

     Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.

  • Time to upgrade again (Score:3, Informative)

    by umrguy76 (114837) on Thursday May 24, @12:26PM (#19256361)
    (http://workbench.freetcp.com/)
    At least the WordPress site offers easy to follow directions.

    http://codex.wordpress.org/Upgrading_WordPress [wordpress.org]

  • SQL injection? (Score:3, Informative)

    by tcopeland (32225) <tom@NOspam.infoether.com> on Thursday May 24, @12:28PM (#19256375)
    (http://tomcopeland.blogs.com/)
    An article about a Wordpress vulnerability [blogs.com] from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here [secunia.com]. Mostly DOS and cross-site scripting... plus some "unspecified"...

  • Wordpress (Score:3, Interesting)

    by wumpus188 (657540) on Thursday May 24, @12:33PM (#19256431)
    The problem with WP that it is a major pain in the ass to update, especially if you're running somewhat customized installation. Besides, most bloggers are not technical people and just use whatever version someone installed for them (or installed by their provider).

  • People run old software? Really? (Score:3, Insightful)

    by madsheep (984404) on Thursday May 24, @12:54PM (#19256769)
    (http://www.securityzone.org/)
    This will sort of mirror what I've responded with on Full Disclosure. The first issue is that there really are not any details on this "survey" that was done. I am pretty sure I could conduct a survey that had 1000 WordPress blogs where only 1 of them was a vulnerable version. I am not saying there aren't plenty of older/vulnerable versions out there, but I think you get the point. The second issue is that relying on your extraction of a version number does not mean it's actually vulnerable. Patches or other mitigations could be in place.

    So if it's news to you that people run old and/or vulnerable software, then this might be something new. Otherwise it's just what I would expect.
  • I hope blogger isn't that vulnerable! Perhaps Google is better at security than WP guys.
  • I'm the first to admit that I would love an automated update for Wordpress - the current manual updates are just enough of a pain that invariably they get delayed.

    That said, let's get some perspective on what is described by the author as "a desparate (sic) attempt to try and educate WordPress Plugin developers to some of the common security problems that can occur."

    From a quick reading of the guy's postings, these weaknesses really only allow one thing: Admin access to the Wordpress site.

    For the vast majority of sites this is really not a life threatening situation - if you're pOwned your best friends might lose access to your archive of cat pictures and right wing political ramblings. Or you might lose the $4.98 a month in Adsense revenue that you're counting on to fund your retirement.

    Those sites that actually matter to a business or organization are the ones most likely to be properly updated and backed up.

    Not really cause to lose much sleep here....

  • Quelle suprise! (Score:2)

    by nevali (942731) on Thursday May 24, @01:26PM (#19257295)
    (http://nevali.net/)
    Clueless people running $software don't keep it up to date! Film at 11!

    You either do it yourself and accept the consequences, or find a host with a clue. wordpress.com will even host it for you for the ultra-easy-free option (though they'll charge for extra features).

    Just like... well, everything else you might run on a server. Including the OS.

  • I was hacked... (Score:2, Insightful)

    by TheGreatOrangePeel (618581) on Thursday May 24, @01:54PM (#19257731)
    (http://www.dealslab.com/)

    As someone who has just recently been hacked (Druapal 5.1, not WordPress, but I almost went that direction) I can say that I've recently seen my fair share of hacked Wordpress sites (via links to/from referrers) that have been listed as 'defaced' with, "Attack Technics : FTP Protokol" listed on the bragging-rights page. In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!) -- my solution was to allow 0KB of FTP transfer for anonymous users.

    For those whishing to see for themselves and laugh/shutter/worry, etc they can do so by clicking here AT THEIR OWN RISK [turk-h.org].

  • So I read this as... (Score:3, Insightful)

    by moore.dustin (942289) on Thursday May 24, @02:13PM (#19258033)
    So Wordpress is not secure and its users do not know how or perhaps do not even care to make it secure. That, to me, means that if WP does not change its delivery and security by default, tons of blogs will be compromised. That therefore means the market will be wide open for a service that has a secure code base that can be updated easily.

    Good riddance if that is the case. If they cannot adapt to the needs of its users, they deserve what will come to them, though their users do not :(

  • It's a trap! (Score:1)

    by dsaraujo (798502) on Thursday May 24, @02:20PM (#19258151)
    (http://www.anand.com.br/)
    I'm a blogger, but I can see some conflict of interest in TFA.
  • The article says:

    "BlogSecurity incrementally harvested the WordPress software version from 50 blogs"

    What does incrementally harvested mean? How did BlogSecurity obtain the version info from the blogs it polled, and how did they go about picking which blogs to poll?

    There seems to be a lot of FUD in this article, and it's quickly cobbled together. There's no discussion on *how* vulnerable each version is. 2.1.3 was released April 3, but is discarded simply because the latest stable version is 2.2. Version 2.2, a major feature update version, was released only 8 days ago, and I imagine many people like me are waiting to upgrade until a couple of updates have passed.

    Basing a security statement of frightening, alarming proportions solely on what version software people are using to drive personal blogs without any further research on what specific security holes exist (and how easy they are to exploit and what privileges or access they give) is, in my opinion, FUD.

  • at least I know it gets some hits.

  • Re:Thanks OSS! (Score:2, Funny)

    by Ynot_82 (1023749) on Thursday May 24, @12:25PM (#19256331)
    Open Source Software - Pointing out gaping-security-holes-that-you-can't-do-much-about -until-the-software-is-updated-in-a-week's-time-by -some-volunteer-on-the-friendly- community-forum-of-said-software you mean that OSS?
    [ Parent ]
  • 10 replies beneath your current threshold.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 SourceForge, Inc.