WordPress 1.5.1.3 Remote Access Exploit

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

WordPress 1.5.1.3 Remote Access Exploit

Filed in: Security, WordPress — August 12th, 2005

A vulnerability found in current WordPress (version 1.5.1.3) that open to remote attacks.

A vulnerability in WordPress’s handling of incoming cookie information allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On.

[ Read ]

Solution?
Set PHP register_globals to off (refer to uzyn’s comment), or upgrade to 1.5.1.4(not available yet?).

[ Thanks, ahkiong ]

Mossie`Ol Chin
mmmm..... not good man.... but i thought the WP community has always been lip-tight about any problem till they are fixed and released... why this time?

LcF
I think wordpress team need few days to fully test the new patch before release.

uzyn
It seems to me like your blog is vulnerable. :)

Just a warning.

LcF
Ya, you see, nothing much I can do about it.

uzyn
You can turn off register_globals on your account.

Create php.ini:
Include this line:
register_globals = Off

and dump it into your root folder

If that doesn't work, try ths .htaccess way:
add this line to your .htaccess
php_flag register_globals off

that should work. Which method works depend on how your host set it.

:)

A little bit of advice from me.

I did a little tests and most malaysian blogs are vulnerable. (in fact i have not found any invulerable ones).

uzyn
Just another advice, when you know that your site is vulnerable, you don't post code for people to hack your own site.

That's like leaving your house key at the door knob.

LcF
thank you for the advice. I was only want to make more people aware of it. Now I think many WP blogger will be protected because of your tips. Thank you. :)

uzyn
Err... if you don't mind... my name is uzyn. not uync.

Thanks.

geckoseiya
LOL

ahkiong
Less poeple would know how to use Linux but probably out there, some will do it. The exploit could only be run from either any sort of linux console. Perl *.php http://*.com /dir port "uname -a" and seems like LiewCF website is fine from here. There are no available vulnerable i guess.

uzyn
Yup. He's just secured it.

The exploit is not just Linux only. Those are just means to pass in variables.

I'm doing it from a Windows box.

LcF
Err… if you don’t mind… my name is uzyn. not uync.

Sorry, corrected.

ahkiong
Yeah can be done from windows box if you does have a shell account.

pandaboy
I found this via Blogsome forum:

"There is an exploit for Wordpress up and including to 1.5.1.3 out in the wild, which works on webservers with enabled register_globals..

The quick fix is to place

unset($wp_filter);

in index.php at the very top, right after

Link: http://www.blogsome.com/forum/viewtopic.php?t=1039

Sounds like an easier approach, what do you think?

uzyn
Yeah can be done from windows box if you does have a shell account.

I did it without any shell account or whatsoever.

Directly from my PC, not virtually through other Linux box.

LcF
The quick fix is to place

unset($wp_filter);
I will still goto turn off register_globals. However, the quick fix is good if you are running other web script that required register_global ON.

Edrei
Well...that actually have come up with a fix a while ago. I don't know why Matt hasn't released the new version yet.

The fix can be found here

Sorry you guys had to go through the trouble of fixing it. Next time tell me and I'll give the heads up direct from the WP peeps. :)

LcF
Thank you, Edrei. :)

gilachess
Ha ha.. I reported this hack and vulnerability at least 2-3 weeks ago but got nobody's attention. Some people even questioned me how their beloved WordPress could possibly have any security holes in it.

Well now I'm vindicated. :)

Anyway I've also removed PHPRPC modules from my postnuke as well as my WordPress installation.