0day in WordPress?

tiff2342 · Sep 28, 2012

In ref to:

/https://twitter.com/SolidSSecurity
/http://www.webhostingtalk.com/showthread.php?t=1195687

Any one know if WP is safe?

Infopro · Sep 28, 2012

Wordpress would know. You should be contacting them instead of posting to this forum, IMHO.

https://codex.wordpress.org/FAQ_Security#Where_do_I_report_security_issues.3F

PlotHost · Oct 1, 2012

You are never 100% safe. Anyway I recommend to use the apache patch + mod_security with some good rules.

tiff2342 · Oct 2, 2012

well there apparently is an exploit out for latest WP but ill just follow their twitter to stay on top of things just in case

d'argo · Oct 2, 2012

they say its just a cross site scripting exploit. have you found anything else out?

tiff2342 · Oct 2, 2012

all ive found is a cross site but they have logs of a shell being uploaded into the admin area via admin files on latest WP install /https://twitter.com/SolidSSecurity/status/251700021005791232

d'argo · Oct 2, 2012

i wish there more details. culd they have just stolen password?

tiff2342 · Oct 2, 2012

d'argo said: ↑

i wish there more details. culd they have just stolen password?
Click to expand...

from what was said it was a freshly installed wordpress, symlinks patched, brand new.

for sure something worth following.

Infopro · Oct 3, 2012

How is it that this twitter user knows more about a security issue with Wordpress, than Wordpress? Can you link me to an actual statement by Wordpress on this?

Thanks in advance.

PlotHost · Oct 3, 2012

More details at CVE-2012-4448 : Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hija

Infopro · Oct 3, 2012

Thank you for the link.

From the exploit itself for reference here:

Vuln Desc: WordPress Version 3.4.2 is vulnerable to Cross Site Request Forgery Vulnerability.
The folloging CSRF exploit will change rss link if the currently logged administrator visits malicious page which containts the exploit below.
Click to expand...

So, you need to have your wordpress admin page open and be logged in. And then click a link someone sends you, or you find online for this to be an issue. I think.

I would think @SolidSSecurity might try and convey this sort of message in 140 characters or less to be useful to it's followers. Instead, he's been posting about it since Sept 27, with vague warnings.

And we have this thread.

Thanks again for the link. This sort of thing should be made clear to users who comes across this thread.

kpmedia · Oct 7, 2012

Infopro said: ↑

So, you need to have your wordpress admin page open and be logged in. And then click a link someone sends you, or you find online for this to be an issue. I think.
Click to expand...

No -- not based on the logs I've seen.

This is the log of a hacked site:
Code:
GET /wp-admin/ HTTP/1.1
GET /wp-admin/admin.php?page=stats&noheader&dashboard&width=574 HTTP/1.1
GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_incoming_links HTTP/1.1
GET /wp-admin/admin-ajax.php?action=dashboard-widgets&widget=dashboard_primary HTTP/1.1
POST /wp-admin/admin.php?page=stats&noheader&chart=flot-stats-data HTTP/1.1
GET /wp-admin/plugin-editor.php HTTP/1.1
GET /phpshell.php HTTP/1.1
That all happened within 3 minutes.

I don't know what was posted, however. In each case, the user altered things before I was called to the scene. And as you would guess, the users made things worse -- and covered the tracks of the hacker in the process.

This is rather easily thwarted by having decent security on the site. Unfortunately, most users just deploy default, and do nothing other than add "security" plugins (NOT SECURITY!)

This happened back on 8/30, so an exploit is at least a month old now.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

0day in WordPress?

tiff2342 Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

PlotHost Well-Known Member

tiff2342 Well-Known Member

d'argo Active Member

tiff2342 Well-Known Member

d'argo Active Member

tiff2342 Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

PlotHost Well-Known Member

Infopro cPanel Sr. Product Evangelist
Staff Member

kpmedia Well-Known Member

Missing Temporary Folder Error in WordPress

Cloning a Wordpress site

OWASP mod_security breaking Wordpress page save

WordPress staging?

In Progress [CPANEL-23030] Wordpress site software update notice displays wrong version

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

0day in WordPress?

tiff2342 Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

PlotHost Well-Known Member

tiff2342 Well-Known Member

d'argo Active Member

tiff2342 Well-Known Member

d'argo Active Member

tiff2342 Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

PlotHost Well-Known Member

Infopro cPanel Sr. Product Evangelist Staff Member

kpmedia Well-Known Member

Missing Temporary Folder Error in WordPress

Cloning a Wordpress site

OWASP mod_security breaking Wordpress page save

WordPress staging?

In Progress [CPANEL-23030] Wordpress site software update notice displays wrong version

Share This Page

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member