WordPress 1.5.1.3 Remote Access Exploit

Filed in: Security, WordPress — August 12th, 2005

A vulnerability found in current WordPress (version 1.5.1.3) that open to remote attacks.

A vulnerability in WordPress’s handling of incoming cookie information allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On.

[ Read ]

Solution?
Set PHP register_globals to off (refer to uzyn’s comment), or upgrade to 1.5.1.4(not available yet?).

[ Thanks, ahkiong ]

What do you think? 25 Responses to “WordPress 1.5.1.3 Remote Access Exploit”

Comments Feed |

TrackBack URL

#1
Mossie`Ol Chin Says:
August 12th, 2005 at 11:23 pm
mmmm….. not good man…. but i thought the WP community has always been lip-tight about any problem till they are fixed and released… why this time?
#2
LcF Says:
August 12th, 2005 at 11:38 pm
I think wordpress team need few days to fully test the new patch before release.
#3
uzyn Says:
August 13th, 2005 at 2:06 am
It seems to me like your blog is vulnerable.

Just a warning.
#4
LcF Says:
August 13th, 2005 at 2:19 am
Ya, you see, nothing much I can do about it.
#5
uzyn Says:
August 13th, 2005 at 2:23 am
You can turn off register_globals on your account.

Create php.ini:
Include this line:
register_globals = Off

and dump it into your root folder

If that doesn’t work, try ths .htaccess way:
add this line to your .htaccess
php_flag register_globals off

that should work. Which method works depend on how your host set it.

A little bit of advice from me.

I did a little tests and most malaysian blogs are vulnerable. (in fact i have not found any invulerable ones).
#6
uzyn Says:
August 13th, 2005 at 2:24 am
Just another advice, when you know that your site is vulnerable, you don’t post code for people to hack your own site.

That’s like leaving your house key at the door knob.
#7
LcF Says:
August 13th, 2005 at 2:39 am
thank you for the advice. I was only want to make more people aware of it. Now I think many WP blogger will be protected because of your tips. Thank you.
#8
uzyn.com Says:
August 13th, 2005 at 2:50 am
Wordpress Exploit: How to Secure Yourself

There’s a newly discovered Wordpress exploit that the Wordpress team did not get in time to fix yet. Basically, what that means is that virtually almost all Wordpress-powered blogs are vulnerable to the attack.
RTFA, there’s even the cod…
#9
uzyn Says:
August 13th, 2005 at 2:55 am
Err… if you don’t mind… my name is uzyn. not uync.

Thanks.
#10
geckoseiya Says:
August 13th, 2005 at 6:19 am
LOL
#11
ahkiong Says:
August 13th, 2005 at 8:16 am
Less poeple would know how to use Linux but probably out there, some will do it. The exploit could only be run from either any sort of linux console. Perl *.php http://*.com /dir port “uname -a” and seems like LiewCF website is fine from here. There are no available vulnerable i guess.
#12
uzyn Says:
August 13th, 2005 at 8:31 am
Yup. He’s just secured it.

The exploit is not just Linux only. Those are just means to pass in variables.

I’m doing it from a Windows box.
#13
LcF Says:
August 13th, 2005 at 11:03 am
Err… if you don’t mind… my name is uzyn. not uync.

Sorry, corrected.
#14
ahkiong Says:
August 13th, 2005 at 11:46 am
Yeah can be done from windows box if you does have a shell account.
#15
pandaboy Says:
August 13th, 2005 at 12:11 pm
I found this via Blogsome forum:

“There is an exploit for Wordpress up and including to 1.5.1.3 out in the wild, which works on webservers with enabled register_globals..

The quick fix is to place

unset($wp_filter);

in index.php at the very top, right after

Link: http://www.blogsome.com/forum/viewtopic.php?t=1039

Sounds like an easier approach, what do you think?
#16
uzyn Says:
August 13th, 2005 at 1:13 pm
Yeah can be done from windows box if you does have a shell account.

I did it without any shell account or whatsoever.

Directly from my PC, not virtually through other Linux box.
#17
LcF Says:
August 13th, 2005 at 1:34 pm
The quick fix is to place

unset($wp_filter);

I will still goto turn off register_globals. However, the quick fix is good if you are running other web script that required register_global ON.
#18
Edrei Says:
August 13th, 2005 at 11:01 pm
Well…that actually have come up with a fix a while ago. I don’t know why Matt hasn’t released the new version yet.

The fix can be found here

Sorry you guys had to go through the trouble of fixing it. Next time tell me and I’ll give the heads up direct from the WP peeps.
#19
LcF Says:
August 14th, 2005 at 12:57 am
Thank you, Edrei.
#20
My Other Side of the Stories » » Wordpress v1.5.1.3 Exploit Says:
August 14th, 2005 at 6:31 pm
[...] If you’re using Wordpress v1.5.1.3, you should aware of the latest exploit found on this latest Wordpress version. SecuriTeam posted this exploit on August 10th, as quoted below (via LiewCF): A vulnerability in WordPress’s handling of incoming cookie information allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On. [...]
#21
gilachess Says:
August 14th, 2005 at 8:30 pm
Ha ha.. I reported this hack and vulnerability at least 2-3 weeks ago but got nobody’s attention. Some people even questioned me how their beloved WordPress could possibly have any security holes in it.

Well now I’m vindicated.

Anyway I’ve also removed PHPRPC modules from my postnuke as well as my WordPress installation.
#22
Mark J Says:
August 14th, 2005 at 9:55 pm
Info on patching the vulnerability here. The hole has been plugged, and a 1.5.2 release should be coming out shortly.
#23
James Says:
August 17th, 2005 at 6:01 pm
update wordpress to the latest version fixes the problem
#24
Schleifstein.net » Blog Archive » more hack fixes Says:
February 8th, 2006 at 11:09 pm
[...] my info on wordpress 1.5 vunerability [...]
#25
Amir Schricker > Blog Archive > How to Turn register_globals Off Says:
April 16th, 2006 at 1:12 pm
[...] I have to give credit to this site for telling me how: [...]