Wordpress 2.1.1 backdoored
The news
The details
While the intrusion was apparently successful (meaning it went unnoticed), the backdooring attempt was quite naive (eval and passthru, for smurf's sake, way to go, Captain Obvious). Luckily this was caught on time, I wonder what would have happened if the backdoor was a more covert one (and one has just to look at that obfuscated PHP thread to find plenty of better possibilities).
This is what happened some years ago with the Linux kernel: http://kerneltrap.org/node/1584, it was caught in the dev CVS, way before it could do any damage.
In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/
Re: Wordpress 2.1.1 backdoored
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/
Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
As for the exploit, it doesn't surprise me much. That's why I really don't use 3rd party apps. They are usually poorly written and don't involve much security checks or data validations.
As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Re: Wordpress 2.1.1 backdoored
infolock wrote:Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/
Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
If you read it, it is related to PHP, not 3rd-party apps
Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.
infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote:As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
It's based on a few other "Month of Bugs" events - the idea is to post one bug per day for a month (or more if you have them). So far Stefan Esser with some contributions (folk who had bugs which were bogused, unreported or something else) have racked up a 2:1 ratio. 11 bugs over 5 days. Expect a PHP version update by early April since I assume the patches are flying into CVS, and if not damn well should be...
Thankfully the Wordpress issue was not PHP related - someone managed to gain access to one of the servers and got write access to the download. An interesting read though - I wonder how long that cracker had user access?
d11wtq wrote:Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.
It's all so cool. I know Stefan can be blunt, hostile and even plain rude but he's usually 99% right when it comes to the facts surrounding PHP and security. That he left the security team for PHP a while back I'd consider a severe blow to PHP security. I guess once you get ignored and sidelined enough times anyone would do the same. I mean the guy has spent years working on Hardened-PHP and Suhosin, and gets ignored by the PHP developers? Kind of hard to explain reasonably, his bug reports so far are detailed, easy to grasp and come with a few quick use cases.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Stefan seems like his heart is in the right place. And I would agree that the PHP team has really not given his findings the attention they should have. But I begin to wonder if there is not a better outlet for his way of speaking out to the community? I am not sure what that way is, but I am thinking that there has to be a better way to bring attention to the potential security implications of the web's most popular development language without making the core team look so freaking lazy.
- Maugrim_The_Reaper
I don't think there is. Some of those bugs have been sitting around for a long time. There were internal decisions not to fix them, since they were never perceived as bugs, except by people like Stefan. The only response to such stubborn resistance is to take things off the internals and bug tracker and let them go wild. It's not even unfair - the PHP developers were told about them but chose not to fix them. I find it all totally weird - stuff that can crash and allow remote exploits sitting around unpatched? Honestly, it's either because of ignorance, carelessness or some inner-circle social struggle - and none of those three are attractive qualities in a professional development team.
It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?
Re: Wordpress 2.1.1 backdoored
d11wtq wrote:infolock wrote:Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/
Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
If you read it, it is related to PHP, not 3rd-party apps
Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.
Oh contrare
Again, this is not a php core issue mordred. it's a 3rd party issue since it was the server that got hacked. the guy didn't gain access via a php core issue, but via the network.
edit: Heh, guess I just reiterated what Maugrim_The_Reaper said.
Mordred wrote:infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote:As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs
1) it's not a php core issue. re-read the article.
2) ahhh, gotcha
3) Again, i'm not sure this is php core-related but 3rd party app-related..
About 1) and 3)

Mordred wrote:In other news, the Month of PHP Bugs has started ...
I just chose not to "spam" the board with two topics, so I merged them.
Maugrim_The_Reaper wrote:It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?
That's the problem in a nutshell, and I think Stefan Esser is completely right and justified (even if a bit bitter) about what he's doing.
Everah wrote:But I begin to wonder if there is not a better outlet for his way of speaking out to the community?
I believe that this is the only (left) choice - after all he did disclose them, when the response was not adequate he did offer the community a solution. There is a good essay by Bruce Schneier on full disclosure and responsible disclosure. The thing is, responsible disclosure only works because of the threat of full disclosure, and since in that case the responsibly disclosed reports were ignored, the only option left is for the threat of full disclosure to be applied in practice. So sad to see this happen with an open source project, and a useful one at that
Debating Full Disclosure, Bruce Schneier
- Maugrim_The_Reaper
It's interesting to note some of these bugs are all pre5.2.1 - someone decided to get off their ass and fix them before the MOB arrived. So in that respect the threat of an MOB had a real effect - it forced the PHP Developers to fix some of the bugs before they were widely publicised. If something has such an effect, it's difficult to find a good reason to argue against it.
- RobertGonzalez
Maugrim_The_Reaper wrote:If something has such an effect, it's difficult to find a good reason to argue against it.
I agree with that. It just gives the appearance of a rift in the PHP development community, which for a long time has seemed to be a very tightly knit group of friendly geeks working together for the betterment of the project and the community.
Don't get me wrong. I think the vulnerabilities need to be taken seriously (which they weren't) and they need to be addressed (which they are now). I was just tossing that opinion of mine out there. I would never argue, though, that Stefan is wrong or misguided. He did what was necessary to get the core team to open their eyes to a need to fix what is broken. That will always get kudos from me.