Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

Blogs are vunerable?

So, how's a huge problem? If anything, some blogs need to be hacked to have some decent content on them!

Re:Blogs are vunerable?

at my previous job there had been a programmer who used the same password for *everything*, and I do mean everything... from the mysql logins (both "root" and regular webapp), web site logins, shell accounts and the ssh passwords needed to move data around!

I discovered he had a blog site, and guess what, his standard password worked on that too, both to login as him and as admin. Whilst tempted, I neither added nor deleted anything on his site, but I *did* go occasionally go through his blog posts and correct his spelling and grammar! He must have noticed because after many months of occasionally tweaking his content, the login finally stopped working. Yes, I'm talking about you, "smurphy" :-)

irony?

where is this article hosted? [blogsecurity.net] yes, wordpress powered site!

How do you fix it?

As a wordpress user how do you fix it? I only blog to keep in touch with family and friend who live out of state. But it's been a fun project, though if it is easily exploitable I'd like to know how to fix it, and not just "you're site is EZly hax0red"

Re:How do you fix it?

http://www.infiltrated.net/docs/modsecips.html [infiltrated.net] step by step... If its your own server... If not have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.

Block Spam injections [pathf.com]

Directory traversal attacks SecFilter "\.\./"

XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"

SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

Too many times there are clueless admins (not you per se). But this also tends to be one of the grips on the Ubuntu Document [infiltrated.net] people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like facts are facts

self-updating

Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.

Oh noes!

Now I have to stop posting replies on Slashdot, or the script kiddies might hack my site.

Time for web applications to grow up

I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.

The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.

I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

Re:Time for web applications to grow up

Most applications that do update checks I've used only do so from the administration interface. e107 and jforum both check for updates. (php and java apps) Its possible to do the checks. However, downloading updates means the webapp has to have space to download files automatically. From a security perspective, it seems stupid to add this feature unless the webapp already needs writable space. The update feature could introduce an additional attack vector.

Securing LAMP

Securing LAMP [infiltrated.net] Mod Security [modsecurity.org] Its so simple a fix with mod_security...

SecFilterSelective REQUEST_URI /admin.php chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
SecFilterSelective ARG_username YOURUSERNAME chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.

Time to upgrade again

At least the WordPress site offers easy to follow directions.

http://codex.wordpress.org/Upgrading_WordPress [wordpress.org]

SQL injection?

An article about a Wordpress vulnerability [blogs.com] from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here [secunia.com]. Mostly DOS and cross-site scripting... plus some "unspecified"...

Wordpress

The problem with WP that it is a major pain in the ass to update, especially if you're running somewhat customized installation. Besides, most bloggers are not technical people and just use whatever version someone installed for them (or installed by their provider).

People run old software? Really?

This will sort of mirror what I've responded with on Full Disclosure. The first issue is that there really are not any details on this "survey" that was done. I am pretty sure I could conduct a survey that had 1000 WordPress blogs where only 1 of them was a vulnerable version. I am not saying there aren't plenty of older/vulnerable versions out there, but I think you get the point. The second issue is that relying on your extraction of a version number does not mean it's actually vulnerable. Patches or other mitigations could be in place.

So if it's news to you that people run old and/or vulnerable software, then this might be something new. Otherwise it's just what I would expect.

what about Blogger?

I hope blogger isn't that vulnerable! Perhaps Google is better at security than WP guys.

Some perspective please

I'm the first to admit that I would love an automated update for Wordpress - the current manual updates are just enough of a pain that invariably they get delayed.

That said, let's get some perspective on what is described by the author as "a desparate (sic) attempt to try and educate WordPress Plugin developers to some of the common security problems that can occur."

From a quick reading of the guy's postings, these weaknesses really only allow one thing: Admin access to the Wordpress site.

For the vast majority of sites this is really not a life threatening situation - if you're pOwned your best friends might lose access to your archive of cat pictures and right wing political ramblings. Or you might lose the $4.98 a month in Adsense revenue that you're counting on to fund your retirement.

Those sites that actually matter to a business or organization are the ones most likely to be properly updated and backed up.

Not really cause to lose much sleep here....

Quelle suprise!

Clueless people running $software don't keep it up to date! Film at 11!

You either do it yourself and accept the consequences, or find a host with a clue. wordpress.com will even host it for you for the ultra-easy-free option (though they'll charge for extra features).

Just like... well, everything else you might run on a server. Including the OS.

I was hacked...

As someone who has just recently been hacked (Druapal 5.1, not WordPress, but I almost went that direction) I can say that I've recently seen my fair share of hacked Wordpress sites (via links to/from referrers) that have been listed as 'defaced' with, "Attack Technics : FTP Protokol" listed on the bragging-rights page. In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!) -- my solution was to allow 0KB of FTP transfer for anonymous users.

For those whishing to see for themselves and laugh/shutter/worry, etc they can do so by clicking here AT THEIR OWN RISK [turk-h.org].

So I read this as...

So Wordpress is not secure and its users do not know how or perhaps do not even care to make it secure. That, to me, means that if WP does not change its delivery and security by default, tons of blogs will be compromised. That therefore means the market will be wide open for a service that has a secure code base that can be updated easily.

Good riddance if that is the case. If they cannot adapt to the needs of its users, they deserve what will come to them, though their users do not :(

It's a trap!

I'm a blogger, but I can see some conflict of interest in TFA.

How did BlogSecurity get this information?

The article says:

"BlogSecurity incrementally harvested the WordPress software version from 50 blogs"

What does incrementally harvested mean? How did BlogSecurity obtain the version info from the blogs it polled, and how did they go about picking which blogs to poll?

There seems to be a lot of FUD in this article, and it's quickly cobbled together. There's no discussion on *how* vulnerable each version is. 2.1.3 was released April 3, but is discarded simply because the latest stable version is 2.2. Version 2.2, a major feature update version, was released only 8 days ago, and I imagine many people like me are waiting to upgrade until a couple of updates have passed.

Basing a security statement of frightening, alarming proportions solely on what version software people are using to drive personal blogs without any further research on what specific security holes exist (and how easy they are to exploit and what privileges or access they give) is, in my opinion, FUD.

I'd be happy if my wordpress site gets hacked

at least I know it gets some hits.

Re:Thanks OSS!

Open Source Software - Pointing out gaping-security-holes-that-you-can't-do-much-about -until-the-software-is-updated-in-a-week's-time-by -some-volunteer-on-the-friendly- community-forum-of-said-software you mean that OSS?