Ticket #5313 (closed defect: fixed)

Opened 6 months ago

Last modified 3 months ago

no user checking if the "post_type" is set to page

Reported by: Columcille
Assigned to: josephscott
Priority: highest omg bbq
Milestone: 2.3.4
Component: Security
Version: 2.3.1
Severity: blocker
Keywords:
Cc:

Description (Last modified by lloydbudd)

There is no user checking if the "post_type" is set to page.

Feb 2, 2008 http://wordpress.org/support/topic/134928 now describes a security issue in xml-rpc:

Although this ticket has been open for 3 months, the previous description and the discussion here, on the forums, and elsewhere did not identify the vector.

A person has to already have an account on your blog, or be able to create an account (even just subscription) to abuse this bug.

WORKAROUND: if enabled, disable account creation (including subscription) to your blog, or temporarily delete the file xmlrpc.php.

http://wordpress.org/support/topic/134928/page/2#post-686510
http://www.theseekerblog.com/?p=284
http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
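As an added illustration (not code from the ticket, its attached patches, or WordPress itself), the following stripped-down PHP handler shows the shape of the defect the ticket title describes and the kind of check the "Add edit_page cap check" changesets add: a capability check that only covers the default post type, beside one that selects the capability from post_type first so every branch is covered. The names current_user_can, edit_posts and edit_pages are WordPress's; the stub current_user_can() (which takes the user's capability list explicitly, unlike the real function), the role table and the two handler functions are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the WordPress xmlrpc.php code: a simplified "new post"
// handler in a vulnerable and a corrected version. The role table is
// constructed; the capability names edit_posts and edit_pages are WordPress's.
const ROLES = [
    'subscriber'  => [],
    'contributor' => ['edit_posts'],
    'editor'      => ['edit_posts', 'edit_pages'],
];

// Stand-in for WordPress's current_user_can(): the real one takes only the
// capability name and consults the logged-in user.
function current_user_can(string $cap, array $user_caps): bool
{
    return in_array($cap, $user_caps, true);
}

// Vulnerable shape: the capability check only covers the default post_type.
// A request naming post_type "page" takes the other branch and is never
// checked, so any account able to log in over XML-RPC can create a page.
function new_post_unchecked(array $user_caps, array $content): string
{
    $post_type = 'post';
    if (!empty($content['post_type']) && $content['post_type'] === 'page') {
        $post_type = 'page';
    } elseif (!current_user_can('edit_posts', $user_caps)) {
        return 'denied';
    }
    return "created $post_type";
}

// Corrected shape: choose the capability from post_type first, reject
// unknown types, then check the capability on every path.
function new_post_checked(array $user_caps, array $content): string
{
    $post_type = 'post';
    $cap = 'edit_posts';
    if (!empty($content['post_type'])) {
        if ($content['post_type'] === 'page') {
            $post_type = 'page';
            $cap = 'edit_pages';
        } elseif ($content['post_type'] !== 'post') {
            return 'denied';   // no other post_type values are accepted
        }
    }
    if (!current_user_can($cap, $user_caps)) {
        return 'denied';
    }
    return "created $post_type";
}

// Demonstration: each role asking to create a page.
$request = ['post_type' => 'page', 'title' => 'constructed sample'];
foreach (ROLES as $role => $caps) {
    printf("%-12s unchecked: %-13s checked: %s\n", $role,
        new_post_unchecked($caps, $request), new_post_checked($caps, $request));
}
```

Run with `php cap-check.php`: the unchecked version returns "created page" for all three roles, including the subscriber with no capabilities, which is the situation the description summarises (an account able to log in is enough); the checked version returns "denied" for the subscriber and the contributor and only lets the editor through.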

Attachments

xmlrpc.php.diff (0.7 kB) - added by josephscott on 02/02/08 16:53:22.
xmlrpc.php.2.diff (3.2 kB) - added by josephscott on 02/03/08 04:49:26.
  Make sure cap checks happen
2.3-xmlrpc.php.diff (3.2 kB) - added by josephscott on 02/04/08 18:48:23.
  Patch against 2.3-branch

Change History

11/03/07 22:35:49 changed by Columcille

  • component changed from General to Security.

11/04/07 01:11:56 changed by lloydbudd

Copying DD32's forum comment here:

Can anyone take a read through their webservers access logs and look for anything suspect accessing the admin pages? Also check for other users, and change the admin passwords. It is hard to work out what is happening here without knowing where the problem is coming from.
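The log review DD32 asks for above, as an added example that is not part of the ticket or of WordPress: a small PHP script that parses combined-format web server access log lines and lists POST requests to the paths worth reviewing on a WordPress host. The watched path list, the function names and the sample log lines are all constructed for this example (the addresses are from the TEST-NET ranges); the line layout follows the one posted later in this ticket.

```php
<?php
declare(strict_types=1);

// Added example, not part of the ticket: list POST requests to watched paths
// in a combined-format access log, grouped by client address and path.
// Watched paths are an assumption; adjust for the site's layout.
const WATCHED_PATHS = ['/xmlrpc.php', '/wp-admin/'];

// Parse one combined-log-format line; returns null when the line does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
        . '"(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ '
        . '"[^"]*" "(?<ua>[^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

// A request is worth reviewing when it writes (POST) to a watched path.
function is_suspect(array $req): bool
{
    if ($req['method'] !== 'POST') {
        return false;
    }
    foreach (WATCHED_PATHS as $needle) {
        if (strpos($req['path'], $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Count suspect POSTs per client address and path, busiest first.
function summarize(array $lines): array
{
    $counts = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || !is_suspect($req)) {
            continue;   // unparseable line or nothing to review
        }
        $key = $req['ip'] . ' ' . $req['path'];
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample lines (TEST-NET addresses), not real traffic.
$sample = [
    '192.0.2.10 - - [29/Nov/2007:05:37:16 -0800] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [29/Nov/2007:05:37:19 -0800] "POST /blog/wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.10 - - [30/Nov/2007:02:11:03 -0800] "POST /blog/xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [30/Nov/2007:09:00:00 -0800] "GET /blog/wp-admin/ HTTP/1.1" 200 8211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Nov/2007:09:00:05 -0800] "GET /blog/?p=42 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
];

foreach (summarize($sample) as $key => $n) {
    printf("%4d  %s\n", $n, $key);
}
```

On the sample the script prints two lines: 2 POSTs from 192.0.2.10 to /blog/wp-admin/admin-ajax.php and 1 to /blog/xmlrpc.php; the GET requests and the malformed line are skipped. To run it over real logs replace `$sample` with `file('access.log')` (rotated `.gz` files such as the one quoted later in this ticket need `zcat` first). The output is a review list, not a verdict: legitimate administrators also POST to wp-admin, so compare the addresses and times against known users before drawing conclusions.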

12/04/07 16:29:59 changed by pishmishy

  • owner changed from anonymous to pishmishy.
  • status changed from new to assigned.

I've actually spotted this in a couple of installs, but I can't tell if this came from the currently installed WordPress version or has been around since an older install. If someone has MySQL logs hanging around (binary or otherwise), it may be helpful if they are able to pick out when the code was inserted into the database. Something along the lines of

# mysqlbinlog mysql-bin.* | grep iframe

would do the trick.

12/11/07 20:15:47 changed by cbdilger

I don't have access to MySQL logs (shared hosting) but I found this in my webserver logs--there are 30 nearly identical entries over two days.

access.log.2007-11-29.gz:77.70.106.72 - - [29/Nov/2007:05:37:16 -0800] "POST /cbd/wp-admin/admin-ajax.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

This is in the right time frame: three days after the post I wrote which was hit with the iframe.

I'll keep looking for other funny stuff. Any pointers appreciated. And I can provide logs for WordPressers to work with.

12/12/07 12:11:26 changed by pishmishy

I'm not sure an access within three days is too useful. It appears what you're seeing is someone trying to exploit the vulnerability fixed in #4322.

12/12/07 14:46:34 changed by cbdilger

I'm sorry, that wasn't clear. What I meant: since I wrote the post Nov 26 and didn't discover the injected iframe until Dec 10, the access to admin-ajax.php could have been involved. Thanks for letting me know it probably wasn't.

12/12/07 17:30:42 changed by lloydbudd

  • status changed from assigned to closed.
  • resolution set to invalid.
  • milestone deleted.

Closing as invalid, because this bug does not have enough information to be resolved. Please open a new ticket with causal details, if you experience a similar issue.

(follow-up: ↓ 10) 02/02/08 15:07:50 changed by thee17

  • priority changed from high to highest omg bbq.
  • status changed from closed to reopened.
  • resolution deleted.
  • severity changed from major to critical.
  • milestone set to 2.6.

Because the method of exploiting this was posted, this needs to be fixed, and possibly fast.

Probably should be fixed in 2.3.3 as well.

02/02/08 15:08:58 changed by thee17

  • milestone changed from 2.6 to 2.5.

(in reply to: ↑ 8) 02/02/08 15:46:28 changed by lloydbudd

  • owner changed from pishmishy to josephscott.
  • status changed from reopened to new.
  • description changed.

Replying to thee17:

Because the method of exploiting this was posted, this needs to be fixed, and possibly fast.

Although the same support topic, it probably would have been better to open a new ticket, because it is difficult to confirm that the original issue is caused by this issue.

Also, it is beneficial at this point to explicitly include the details, or at least the links:
http://wordpress.org/support/topic/134928/page/2#post-686510
http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
http://www.theseekerblog.com/?p=284

Updating description.

02/02/08 16:39:34 changed by lloydbudd

  • description changed.
  • summary changed from iframe being injected to no user checking if the "post_type" is set to page.

02/02/08 16:53:22 changed by josephscott

  • attachment xmlrpc.php.diff added.

02/02/08 16:53:44 changed by josephscott

Add cap check

02/02/08 17:28:38 changed by matt

I don't think the current patch addresses all the issues. There should be a definitive patch available tonight, and a release to follow.

02/02/08 17:45:20 changed by lloydbudd

  • description changed.
  • severity changed from critical to blocker.

02/02/08 17:50:52 changed by ryan

  • milestone changed from 2.5 to 2.3.3.

02/02/08 17:55:41 changed by ryan

(In [6709]) Add edit_page cap check. Props josephscott. see #5313

02/02/08 17:57:20 changed by ryan

(In [6710]) Add edit_page cap check. Props josephscott. see #5313

02/03/08 04:49:26 changed by josephscott

  • attachment xmlrpc.php.2.diff added.

Make sure cap checks happen

02/03/08 15:12:26 changed by cbdilger

I've had mysterious spam-type content added to posts, as I noted above ("iframe" content) and here ("noscript" content). And here's a similar issue ("noscript").

The support thread referenced by lloydbudd mentions users as part of the exploit. Has that been confirmed? I haven't had any unexplained user registrations to my weblog (I know all the registrants). In fact, in the times I've been hit, I haven't seen any new user registrations.

Thanks, Bradley

02/04/08 18:35:05 changed by ryan

(In [6714]) More cap checks from josephscott. see #5313

02/04/08 18:48:23 changed by josephscott

  • attachment 2.3-xmlrpc.php.diff added.

Patch against 2.3-branch

02/04/08 18:52:49 changed by ryan

(In [6715]) More cap checks from josephscott. see #5313

02/20/08 17:15:01 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.