Wordpress 2.1.1 backdoored

Post by Mordred »

The news
The details

While the intrusion was apparently successful (meaning it went unnoticed), the backdooring attempt was quite naive (eval and passthru, for smurf's sake, way to go, Captain Obvious). Luckily this was caught in time; I wonder what would have happened if the backdoor had been a more covert one (and one has just to look at that obfuscated PHP thread to find plenty of better possibilities).

This is what happened some years ago with the Linux kernel: http://kerneltrap.org/node/1584, it was caught in the dev CVS, way before it could do any damage.

In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Post by Jenk »

"The month of PHP Bugs" ? Did I miss something?

Post by infolock »

Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:

As for the exploit, it doesn't surprise me much. That's why I really don't use 3rd party apps. They are usually poorly written and don't involve many security checks or data validations.

As for obfuscation, that isn't exactly the show-stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.

Post by Chris Corbyn »

infolock wrote:
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:
If you read it, it is related to PHP, not 3rd-party apps :?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.

Post by Mordred »

infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote: As for obfuscation, that isn't exactly the show-stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs ;)

Post by Jenk »

No, I mean the phrase "Month of PHP Bugs" .. it sounds like an annual occurrence or something.

Post by Maugrim_The_Reaper »

It's based on a few other "Month of Bugs" events - the idea is to post one bug per day for a month (or more if you have them). So far Stefan Esser with some contributions (folk who had bugs which were bogused, unreported or something else) have racked up a 2:1 ratio. 11 bugs over 5 days. Expect a PHP version update by early April since I assume the patches are flying into CVS, and if not damn well should be...

Thankfully the Wordpress issue was not PHP related - someone managed to gain access to one of the servers and got write access to the download. An interesting read though - I wonder how long that cracker had user access?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.
It's all so cool. I know Stefan can be blunt, hostile and even plain rude but he's usually 99% right when it comes to the facts surrounding PHP and security. That he left the security team for PHP a while back I'd consider a severe blow to PHP security. I guess once you get ignored and sidelined enough times anyone would do the same. I mean the guy has spent years working on Hardened-PHP and Suhosin, and gets ignored by the PHP developers? Kind of hard to explain reasonably, his bug reports so far are detailed, easy to grasp and come with a few quick use cases.

Post by RobertGonzalez »

Stefan seems like his heart is in the right place. And I would agree that the PHP team has really not given his findings the attention they should have. But I begin to wonder if there is not a better outlet for his way of speaking out to the community? I am not sure what that way is, but I am thinking that there has to be a better way to bring attention to the potential security implications of the web's most popular development language without making the core team look so freaking lazy.

Post by Maugrim_The_Reaper »

I don't think there is. Some of those bugs have been sitting around for a long time. There were internal decisions not to fix them, since they were never perceived as bugs, except by people like Stefan. The only response to such stubborn resistance is to take things off the internals and bug tracker and let them go wild. It's not even unfair - the PHP developers were told about them but chose not to fix them. I find it all totally weird - stuff that can crash and allow remote exploits sitting around unpatched? Honestly, it's either because of ignorance, carelessness or some inner-circle social struggle - and none of those three are attractive qualities in a professional development team.

It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?

Post by infolock »

d11wtq wrote:
infolock wrote:
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:
If you read it, it is related to PHP, not 3rd-party apps :?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.

Au contraire ;) I read it. The issue is that the guy who cracked wordpress.org's server rewrote their script. Since it was because the guy rewrote it in such a way that he was parsing URL $_GET data and executing it, that doesn't constitute a PHP vulnerability; it makes it a network admin security issue.

Again, this is not a PHP core issue, Mordred. It's a 3rd party issue since it was the server that got hacked. The guy didn't gain access via a PHP core issue, but via the network.

edit: Heh, guess I just reiterated what Maugrim_The_Reaper said.
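
The pattern discussed in this thread (eval and passthru fed from URL $_GET data) is the kind a simple static check over a release tree can find. The following is an added example, not part of the thread and not WordPress code: a minimal Python triage scanner whose function names, sink list and sample input are assumptions constructed for illustration. It catches only the unobfuscated case.

```python
import re

# Sinks named in the thread (eval, passthru) plus close PHP relatives (assumed list).
SINKS = ("eval", "passthru", "system", "exec", "shell_exec", "popen", "proc_open")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# The lookbehind skips methods ($db->exec), static calls (A::exec) and my_eval().
SINK_CALL = re.compile(r"(?<![\w$>:])(" + "|".join(SINKS) + r")\s*\(", re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)")

# Constructed sample; not the code from the tampered 2.1.1 download.
SAMPLE = r"""<?php
function render($tpl) { return htmlspecialchars($tpl); }
$q = $_GET['s'];
echo render($q);
if (isset($_GET['a'])) { eval($_GET['a']); }
$c = $_REQUEST['b'];
passthru($c);
$db->exec("SELECT 1");
"""


def carries_input(text, tainted):
    """True if text mentions a request superglobal or a tainted variable."""
    if SUPERGLOBAL.search(text):
        return True
    return any(re.search(re.escape(v) + r"\b", text) for v in tainted)


def scan_php(source):
    """Return (line_no, sink, text) for sinks that receive request data,
    directly or through a variable assigned from it. Line-based and crude:
    everything after the opening parenthesis counts as the argument."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m and carries_input(line[m.end():], tainted):
            tainted.add(m.group(1))  # propagate taint to the assigned variable
        for call in SINK_CALL.finditer(line):
            if carries_input(line[call.end():], tainted):
                findings.append((no, call.group(1).lower(), line.strip()))
    return findings


if __name__ == "__main__":
    for no, sink, text in scan_php(SAMPLE):
        print(f"line {no}: {sink}() receives request data: {text}")
```
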

Post by infolock »

Mordred wrote:
infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote: As for obfuscation, that isn't exactly the show-stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs ;)


1) It's not a PHP core issue. Re-read the article.

2) ahhh, gotcha ;)

3) Again, I'm not sure this is PHP core-related but 3rd party app-related..

Post by Mordred »

About 1) and 3)
Mordred wrote:In other news, the Month of PHP Bugs has started ...
I just chose not to "spam" the board with two topics, so I merged them.
Maugrim_The_Reaper wrote: It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?
That's the problem in a nutshell, and I think Stefan Esser is completely right and justified (even if a bit bitter) about what he's doing.
Everah wrote:But I begin to wonder if there is not a better outlet for his way of speaking out to the community?
I believe that this is the only (left) choice - after all he did disclose them, when the response was not adequate he did offer the community a solution. There is a good essay by Bruce Schneier on full disclosure and responsible disclosure. The thing is, responsible disclosure only works because of the threat of full disclosure, and since in that case the responsibly disclosed reports were ignored, the only option left is for the threat of full disclosure to be applied in practice. So sad to see this happen with an open source project, and a useful one at that :(

Debating Full Disclosure, Bruce Schneier

Post by Maugrim_The_Reaper »

It's interesting to note some of these bugs are all pre5.2.1 - someone decided to get off their ass and fix them before the MOB arrived. So in that respect the threat of an MOB had a real effect - it forced the PHP Developers to fix some of the bugs before they were widely publicised. If something has such an effect, it's difficult to find a good reason to argue against it.

Post by RobertGonzalez »

Maugrim_The_Reaper wrote:If something has such an effect, it's difficult to find a good reason to argue against it.
I agree with that. It just gives the appearance of a rift in the PHP development community, which for a long time has seemed to be a very tightly knit group of friendly geeks working together for the betterment of the project and the community.

Don't get me wrong. I think the vulnerabilities need to be taken seriously (which they weren't) and they need to be addressed (which they are now). I was just tossing that opinion of mine out there. I would never argue, though, that Stefan is wrong or misguided. He did what was necessary to get the core team to open their eyes to a need to fix what is broken. That will always get kudos from me.