Wordpress 2.1.1 Release Compromised by Cracker

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier for to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."

Re:Damn crazy crackahs.

[User 956]

Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

I thought the politically-correct term for "cracker" was "caucasian-american"?

Re:

[metlin]

You forgot "virgin". =)

Re:

[linvir]

it's "hacker" now. Give up

Fukken seconded.

Re:

[PietjeJantje]

What about this arrangement: let us all agree here to call hackers crackers from now on, and don't tell the media. This should fix things and create a clear divide again. Now excuse me while I'm off cracking some new code.

Re:

[linvir]

• Hacker
  A very, very naughty boy who does wicked, wicked things to other peoples' computers, and brags about it on websites with black backgrounds and green text. Used to mean programmer, but doesn't any more. The old meaning is still used by old programmers living in the past, and by new programmers wishing to associate themselves with both programmers and naughty boys simultaneously. Nobody who calls themselves a "hacker" or refers to their activities as "hacking" is worth any of your time or money, no m

Re:

[maggard]

Clever except that "hacking" predates software coding as a trade and calling certain folks "Crackers" predates both.

Nicely formatted tho'.

Re:

[undoIT]

ya know. if i was a smacka jacker cracka crack hacker, i'd be all up in the spam co's databases, emolating their servurz

PHP and certificates

[MichaelSmith]

Makes me wonder if the PHP VM could do a hash of the application code and compare that with a certificate from the source of the application. I know that the injected code in this case would have been certified, but it would make it easier to identify sites which had not been upgraded.

Re:

[dexomn]

That's so two hours ago.

Isn't that a job for the app?

[SanityInAnarchy]

Have a really simple index.php, which can then verify the source of the rest of the app (include files, etc)?

But really, I don't think this accomplishes a hell of a lot. It wouldn't help you know which ones haven't been updated, for one thing...

NO

[cortana]

If it is a job for the app, then everyone will implement it themselves, and no one will do it right.

So what?

[SanityInAnarchy]

That will happen anyway.

If you put it in the app, there's at least a chance it'll be done right by some library that everyone ends up using. If you put it in the interpreter, the interpreter gets crufty for everyone, including people who don't care about source code signing, and people who might have a legitimate reason for implementing it a little differently.

Or, let me make this very simple: If we were talking about C, would you be in favor of including it in the operating system? Or the C compiler?

Re:

[cortana]

As a library that apps can use to verify files, sure. Oh wait! That is gnutls/openssl!

Re:

[Jessta]

When should this hash check be done?
on every page request?
I can imagine that slowing requests down a bit.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Pyrex5000]

It's late at night. Nothing like a bottle of Mountain Dew and a flame war to keep the programmers awake. So, how about that PHP?

Re:

[DavidHOzAu]

Oh please. Lay off the Zonk bashing. Read the summary and note that it was not written by Zonk.

Don't like the stories? Then take a drink from the FireHose [slashdot.org] and mod up the contributions that interest you.

Re:

[GrumpySimon]

Yes, my bad. I was moving stuff around & trying to make it coherent. I must have missed that. You may mock me mercilessly.

Re:

[DavidHOzAu]

No biggie. I think most of us can tell what word was meant to be in here.

Re:

[Goaway]

The reason one has editors, normally, is to catch such mistakes and fix them before the thing is published. Of course, Slashdot "editors" do not do any actual "editing".

It makes Slashdot "more real", according to Taco!

Key Details

[Kelson]

From the article, and from some comparisons I did on the downloads:

• The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
• Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
• If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
• 2.1.2 also includes a fix for a cross-site scripting vulnerability [wordpress.org] discovered a few days ago, so it's worth updating anyway. (diff)

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.

Re:

[djupedal]

'...confirming that the initial release was unaffected.'

No, sorry.

It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

"If you downloaded 2.1.1 when it was first released, it's probably okay. "

'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

Re:

[Kelson]

It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

Good point. In this case, the WP folks seem certain it was compromised within the last four days, but you're right, my data point doesn't confirm anything later than whatever time of day it was on Feb. 21.

What I was trying to say was that what I've seen is at least consistent with the timeline th

Re:

[slack_prad]

Don't they use md5 hashes for integrity check?

Re:

[DrSkwid]

md5 alone wouldn't be any use, it's been compromised for comparing the identity of two data blocks.

Re:

[maxume]

Is a locked door that is less than indestructible useless?

(That is, if the cracker that did this wasn't able to generate an attack on the md5, it would have mitigated the consequences(assuming somebody bothered to check))

Re:

[Kelson]

The "download archive" page (which lists every public release since WordPress branched from B2) provides MD5 hashes, but they're not linked or listed from the main download page for some reason. It's also not made clear on the page whether the MD5 hash is of the ZIP archive or the tar.gz archive.

So while the hash is there, probably only 1% of downloaders would even see that it exists.

Re:

[kripkenstein]

Given these details, this raises the (recurring) issue of where it is safe to get software from. I generally assume that I am fairly safe in using only stuff from my distro's repositories, rather than getting the bleeding-edge versions from individual sources. But I guess I am presuming that central repos are better-secured and more carefully monitored than separate ones - well, perhaps not necessarily on average, but at least from a worst-case perspective (lots of different sources means more chances for a

Re:

[quixote9]

Hey, thanks for some actual information!

Cracker

[Bo'Bob'O]

First time I read that headline, I wondered for a second why it was significant it was compromised by a white guy.

Re:

[ThomasHoward]

Script kiddie would be a better term, regardless of technical knowledge, the person had the attitude of a script kiddie.
I hope they catch the worthless sack of shit that did it, too bad that probably wont happen.

Re:

[undoIT]

"I've been crackered!"

Parse error: syntax error, unexpected $end in /home/myaccount/public_html/weirded/wp-admin/admin -functions.php on line 2327

...unless i just forgot my site is installed in a sub-directory while trying to run upgrade.php ;)

Also update your..

[blankoboy]

To stray on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change your WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed who knows what was done and if what was seen. Perhaps it may be good to even update existing WP user passwords.

Re:

[teslar]

To stray on the side of caution, as we don't yet know the nature of the code that was changed [...] who knows what was done

Err. diff would tell you exactly what bits - and thus the nature - of the code that was changed. Also, TFA knows what was done:

They modified two files in WP to include code that would allow for remote PHP execution.

Re:

[stonecypher]

To "err" on the side of caution.

This is always a major concern for OSS projects

[Anonymous Coward]

Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

OSS releases should be GPG signed by now, unless the attacker can compromise the key we're then left with tampering in the repository.

Suggestion:GPG!

[natmakarvitch]

There is an efficient way to avoid such tempering, or at least to hope that those tricks will be quickly discovered by somebody: seal (sign) your published works, dammit!

• have a well-signed and published (on the keyservers) GnuPG (GPG) key
• do only transfer/store the private key on absolutely sure boxes, and only if it is strictly necessary
• keep a backup of the private key in an ultra safe place
• give a copy of the revocation certificate to a few very good friends
• publish the public key on a good keyserver

What about Wordpress mu?

[edmicman]

How does this affect Wordpress mu (multiuser)? http://mu.wordpress.org/ [wordpress.org]

Doesn't matter, WP can't handle heavy loads.

[liftphreaker]

As an ex-wordpress user, this just points out one among the many changes and improvements they need to make. Security is important, but if the fundamental framework itself is weak, nothing else is going to matter too much. Wordpress is crippled in that it simply can't take a digg or heavy slashdot hit. Check out any wordpress site that's been dugg to front page, chances are 99% it's going to be dead in minutes.

Re:

[Trillan]

I don't know if it could handle slashdot or a digg, but one of the major pushes recently has been SQL query optimization. It's made a big difference.