WordPress has just released a security update.
WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.
Unfortunately, the official announcement didn't say that this upgrade is actually critical, or why you should update ASAP. Let me explain.
XSS (Cross-Site Scripting) is a vulnerability that lets an attacker inject code into web pages viewed by other users. In the case of this WordPress hole, the attacker leaves a comment with a specially crafted URL in the "Website" field of the comment form; the comment does not even have to be approved, since pending comments are shown in the admin as well. When you open any admin page that displays that comment (the Dashboard, the Comments screen, or the edit screen of the post it was left on), the code hidden in the author's URL runs in your browser and you are redirected to a third-party site, which is exactly what the release note describes.
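To make the mechanism concrete, here is an added example (not WordPress code, and not from the original post) that models in Python what an admin template does with the stored author URL. `render_row_vulnerable` drops the value straight into an href attribute, the way the unsanitized path did; `render_row_safe` first runs it through `sanitize_url`, which follows the same ideas as WordPress's esc_url() (strip characters that don't belong in a URL, decode numeric entities so an encoded scheme can't hide, reject every scheme outside an allowlist, then entity-encode for the attribute). The payloads are constructed, `evil.example` is a placeholder, and the exact code path that 2.8.2 changed is not reproduced here.

```python
import html
import re

# Schemes the admin UI is willing to link to; javascript:, data:, vbscript:
# and friends are rejected outright.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Characters that are legal in a URL. Quotes, angle brackets, whitespace and
# control bytes are not, and they are what an attribute break-out relies on.
_URL_JUNK = re.compile(r"[^a-z0-9\-~+_.?#=!&;,/:%@$|*'()]", re.I)
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
_NUMERIC_ENTITY = re.compile(r"&#(x[0-9a-f]+|[0-9]+);?", re.I)


def _decode_numeric_entities(s):
    """&#106;avascript: is javascript: once the browser decodes the attribute."""
    def repl(m):
        digits = m.group(1)
        code = int(digits[1:], 16) if digits[0] in "xX" else int(digits)
        return chr(code) if code < 0x110000 else ""
    return _NUMERIC_ENTITY.sub(repl, s)


def sanitize_url(url, allowed_schemes=ALLOWED_SCHEMES):
    """Return a URL that is safe inside href="...", or '' if it cannot be made safe."""
    url = _URL_JUNK.sub("", _decode_numeric_entities(url.strip()))
    if not url:
        return ""
    # Bare host names are treated as http://, as WordPress does.
    if ":" not in url and url[0] not in "/#?":
        url = "http://" + url
    m = _SCHEME.match(url)
    if m and m.group(1).lower() not in allowed_schemes:
        return ""
    # Entity-encode what is left that still has meaning inside an attribute.
    return url.replace("&", "&amp;").replace("'", "&#039;")


def render_row_vulnerable(author, author_url):
    """The bug class: the stored URL goes straight into the attribute."""
    return f'<a href="{author_url}">{html.escape(author)}</a>'


def render_row_safe(author, author_url):
    """Sanitize for the URL context first, then for the attribute context."""
    name = html.escape(author)
    safe = sanitize_url(author_url)
    return f'<a href="{safe}">{name}</a>' if safe else name


# Constructed payloads of the kind the post describes. Each one would move the
# admin's browser to evil.example (a placeholder) if it reached the page unescaped.
PAYLOADS = [
    '"><script>location="http://evil.example/"</script>',
    'javascript:location="http://evil.example/"',
    '&#106;avascript:location="http://evil.example/"',
    'http://evil.example/" onmouseover="location=this.href',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("UNSAFE:", render_row_vulnerable("Mallory", p))
        print("SAFE:  ", render_row_safe("Mallory", p))
```

Note the two separate steps: a URL-context check (is this something we are willing to link to at all?) and an attribute-context encoding (can what remains terminate the attribute?). Doing only the second one would still let a javascript: link through; doing only the first would still let a stray quote break out.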
Why is this serious?

Now that WordPress has disclosed that versions prior to 2.8.2 have an XSS vulnerability, attackers will start working out how to trigger it, and comparing the 2.8.2 code with 2.8.1 shows them exactly where the missing sanitization was. It usually takes only a few hours to turn a fix like this into a working exploit and point a botnet at the blogs that haven't upgraded.
A redirect from the admin to a third-party site may not sound scary, but I can think of at least two kinds of attack built on it with very serious consequences: the attacker ends up with access to the admin area of your blog, or to your whole site. (Plus one that is merely annoying.)
Attack #1: Phishing

As you know, when you sign in to the WordPress admin area, the first screen you see is the Dashboard, and the Dashboard contains a Recent Comments box that displays the latest comments. If any of those comments has a specially crafted author URL, you are redirected to a third-party site before the Dashboard has even finished loading.
That third-party site can show a standard-looking WordPress login screen (they all look the same, so if you don't check the domain in your browser's address bar you won't notice the substitution) telling you that your login failed and to try again. An unsuspecting user types the credentials in a second time. The attacker harvests them and bounces the user back to the real admin area; if the injected code is done carefully, some users won't even realise they have just handed their blog credentials to criminals.
By the way, another path into the admin area is clicking the "Approve/Delete/Spam" links in the WordPress comment notification emails. Those links take you to a moderation page for that very comment, so you are exposed right after you sign in.
Dear WordPress developers, please make the login screen skinnable. That way bloggers would be able to recognise "alien" login screens that use the wrong theme.
Attack #2: Malware

The third-party site may not ask for your password at all. Instead it tries to exploit your browser (at the time of writing IE has a known, unpatched hole, and older versions of other browsers may be vulnerable too) and silently installs malware on your computer. Among other nasty things, such trojans scan the infected machine for stored FTP credentials (FileZilla, for example, keeps them in plain text in XML files), which are then used to compromise your web site. Stolen FTP passwords are the most "popular" way web sites are getting hacked this year.
There are other ways to abuse this XSS hole too. Their consequences are less dangerous, but still very annoying.

Attack #3: Spam

Every time you sign in to the blog admin or manage comments, you get redirected to some "prescription drug" site.
Before you upgrade…

So it's time to upgrade, right? But wait! What if malicious comments are already waiting for you in the admin area, so that the moment you sign in to use the automatic upgrade tool you are hit by the XSS attack?
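You can answer that question from outside the admin, using nothing but database access (phpMyAdmin or the mysql client your host provides). The script below is an added example, not something from the original post or from WordPress: it reads the tab-separated output that `mysql -B -e "SELECT comment_ID, comment_post_ID, comment_author_url FROM wp_comments"` produces, flags author URLs that a legitimate comment never needs (quotes, angle brackets, whitespace, HTML entities, or a scheme other than http/https), and prints an UPDATE statement that blanks those URLs so the admin pages are safe to open. The embedded export is constructed sample data, `evil.example` is a placeholder, and the `wp_` table prefix is the default and is an assumption about your install.

```python
import re
import sys

# Constructed sample of the tab-separated output that
#   mysql -B -e "SELECT comment_ID, comment_post_ID, comment_author_url FROM wp_comments" <db>
# prints: a header line, then one row per comment. Rows 104-107 carry the kind
# of crafted author URL the post describes; the rest are ordinary comments.
SAMPLE_EXPORT = """\
comment_ID\tcomment_post_ID\tcomment_author_url
101\t7\thttp://example.org/
102\t7\t
103\t9\thttp://example.net/blog/?p=12&cat=3
104\t9\t"><script>location="http://evil.example/"</script>
105\t12\tjavascript:location="http://evil.example/"
106\t12\t&#106;avascript:location="http://evil.example/"
107\t15\thttp://evil.example/" onmouseover="location=this.href
108\t15\twww.example.com
"""

ALLOWED_SCHEMES = ("http", "https")

# Anything a well-formed author URL never contains: quotes and angle brackets
# (attribute/tag break-out), whitespace and control bytes, HTML entities
# (&#106;avascript:) and percent-encoded CR/LF.
_SUSPICIOUS = re.compile(r"""[<>"'\s\x00-\x1f]|&#|%0[ad]""", re.I)
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def is_suspicious(url):
    """True if the URL needs a human look before any admin page renders it."""
    if _SUSPICIOUS.search(url):
        return True
    m = _SCHEME.match(url)
    return bool(m) and m.group(1).lower() not in ALLOWED_SCHEMES


def parse_export(text):
    """Yield (comment_ID, comment_post_ID, author_url) from mysql -B output.
    The client escapes literal tabs and newlines inside values, so splitting
    on tab is safe (assumption: default batch mode, not --raw)."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        yield row["comment_ID"], row["comment_post_ID"], row.get("comment_author_url", "")


def find_suspicious(text):
    return [(cid, pid, url) for cid, pid, url in parse_export(text) if is_suspicious(url)]


def neutralize_sql(rows, prefix="wp_"):
    """UPDATE that blanks the offending URLs. Only numeric IDs are interpolated,
    so nothing from the untrusted export reaches the statement."""
    ids = sorted({int(cid) for cid, _, _ in rows if cid.isdigit()})
    if not ids:
        return ""
    return (f"UPDATE {prefix}comments SET comment_author_url = '' "
            f"WHERE comment_ID IN ({','.join(map(str, ids))});")


if __name__ == "__main__":
    # Pass "-" to read a real export from stdin; otherwise use the sample.
    export = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_EXPORT
    bad = find_suspicious(export)
    for cid, pid, url in bad:
        print(f"comment {cid} on post {pid}: {url!r}")
    print(neutralize_sql(bad))
```

Blanking the URL rather than deleting the row keeps the evidence: once the upgrade is done you can still see who posted what, and with the URL gone the row is harmless to display. Run the UPDATE, then upgrade, then sign in.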
Safe way to upgrade

If you don't want to be exposed to any risk, upgrade WordPress before you sign in to the admin area.

The most obvious way is the manual upgrade, replacing the files yourself. You'll be familiar with it if you lived through the pre-2.7 era.

Another way, probably the easiest of them all and at the same time the most techie, is to upgrade with Subversion, if your installation is a Subversion checkout.

If the manual upgrade is not your cup of tea, at least make sure your browser won't run the injected script. I suggest the latest Firefox (3.5.1 at the time of writing) with the NoScript extension. Keep in mind that NoScript's anti-XSS filter is aimed at reflected attacks arriving from other sites; a payload stored in your own comments is served by your own domain, so your blog must not be in NoScript's whitelist until the upgrade is done. In other browsers, disable JavaScript before you sign in and don't re-enable it until you reach the Tools -> Upgrade page. Treat this as a mitigation, not a fix: the comments are still sitting in your database, and script blocking does nothing against a redirect injected as plain markup (a meta refresh, for example), should the hole allow that.

I hope this post has given you a basic understanding of the security implications of unpatched XSS vulnerabilities in the WordPress admin area. Now you know why you should upgrade and how to do it the right way.
Keep your site secure.
Reader's Comments (4)

UnderForge of Lack » Blog Archive » 2009.07.21 After the long weekend... | 20 Jul 2009 11:19 pm
[...] A somewhat more detailed explanation: [...]
Gary | 24 Jul 2009 1:36 am
Thanks for explaining the XSS vulnerability (Wordpress.org certainly didn't describe the vulnerability in enough detail).
Critical Wordpress Update « Radkitten | 25 Jul 2009 9:09 pm
[...] A few clients have come to me recently to let me know that their site has been hacked. They all run Wordpress on their site but were unaware of the critical update that stopped users from injecting code into your pages. I've found a site that explains this all very well, so check out the article at Unmask Parasites. [...]
Jason | 28 Jul 2009 6:32 pm
This is good to know, thanks.
My little WP modification is to make a new version of wp-admin/images/login-logo.gif with my logo in it. It’s not time-consuming to re-upload it every time I upgrade. It’s good for branding and (knowing this vulnerability) I’ll use it to pay closer attention to whether or not I’m actually on my site.