Attacks against WordPress installations

By Jake Edge
September 9, 2009

The WordPress content management system (CMS) has been in the news lately—for reasons the project and its users would probably rather not see—as there have been a rash of attacks against older versions of WordPress. At least one high-profile blogger, Robert Scoble, succumbed to the attack, posting that he no longer felt safe with WordPress. Various others also piled on, but the problem that was being exploited had been fixed in early August; the affected sites just hadn't upgraded.

Keeping up with security updates can be time-consuming, especially for relatively non-technical users who are hosting a CMS site simply to provide themselves a place to blog. One could easily argue that those kinds of users would be best served by using one of the free services available for such things. But, those services tend to have fewer features—often to encourage upgrading to a subscription-based support plan—leaving bloggers who want the latest shiny features to host WordPress (or other similar CMS programs) themselves.

At least for WordPress, many of those shiny features come as plugins to the CMS engine. When security updates are made, changes required for the plugins may very well lag behind. Even if the upgrade wouldn't affect the plugins at all, concerns over that happening led various folks, including Scoble, to wait a while before upgrading:

I wanted to run my own blog. Mostly so I could use various plugins and play around. I didn't realize that Wordpress had major holes in it. I figured that since it was several years old that the nasties had been found and removed and that it wasn't so brittle. Turns out my assumptions were wrong. I was also overly scared of upgrades, because of how software works.

In the comments on Scoble's blog posting (where the above quote comes from), as well as in a conversation on his FriendFeed, it is clear that numerous other folks have run into similar problems with attacks as well as issues with upgrades. WordPress developer Matt Mullenweg has numerous comments on Scoble's complaints, and his suggestions are fairly obvious: update immediately when there are outstanding security patches and, if that's not possible, consider moving to a managed provider (possibly WordPress.com, the commercial side of WordPress development).

Mullenweg's advice is good, but it would also seem that the WordPress project could be doing more to highlight security issues. The project home page lacks obvious links for security information—though it currently has a link to Mullenweg's How to Keep WordPress Secure posting—and searching for "security" on the site does not bring up any centralized location for that kind of information. It is probably just an oversight, but even the "Security" category on the WordPress blog does not contain the 2.8.3 announcement, which is the release that fixes the problem being exploited.

For a new, or casual, WordPress user, it would certainly seem possible that they might miss these security announcements. The WordPress software will alert the user that there are updates available—and there is an email list for new release notification—but there numerous ways to add content to a WordPress blog without logging into the administrative interface, so the alerts may be missed. It's clear that Mullenweg takes security seriously based on his comments, but that message may not be getting out to the WordPress faithful.

The actual bug that is being exploited is a run-of-the-mill privilege escalation flaw. While the bug itself may be pedestrian, the consequences are not, as Scoble and others found. Scoble's situation was exacerbated by not having any backups (!), but the bigger problem is how to get the system back to a "safe" state after it has been exploited. Depending on how WordPress was installed, the only safe way to restore a cracked system may be to reinstall the entire operating system. These kinds of attacks can leave various back doors behind that stay active even after WordPress itself has been upgraded.

The point is not to pick on WordPress, or even CMS programs in general, but to note a general problem. There is a tension between the fear of upgrading and the fear of an attack, and many users fear the former much more than the latter. WordPress has made great strides in simplifying the upgrade process, but it still has the potential to break things—especially in plugins that are completely outside of the project's control. As it turns out, the privilege escalation vulnerability was related to how certain plugins' administration pages were handled.

Web application security is hard. It is harder still when trying to create a general purpose web application platform, particularly one that allows plugins to fairly arbitrarily change its behavior. This is certainly not the last attack against WordPress or CMS programs that we will see. It is definitely in the best interest of these projects and their users to pay close attention to security issues as they arise.

Index entries for this article
Security	Vulnerabilities/Privilege escalation
Security	Web application flaws

to post comments

Providing services is a profession

Posted Sep 10, 2009 12:21 UTC (Thu) by NAR (subscriber, #1313) [Link] (7 responses)

There's an other general problem - non-competent people running services on the internet. To open a "real world" shop, the owner has to go through a lot of hoops (e.g. fire department check, health department check) to prove (s)he can handle the shop. On the other hand on the internet anyone can provide a service, even if (s)he is clearly not compenent enough. Providing services is a serious profession, if amateurs (in the bad sense) are doing this, combined with buggy software we end up with worms.

Providing services is a profession

Posted Sep 10, 2009 20:18 UTC (Thu) by bfields (subscriber, #19510) [Link] (6 responses)

Similar problems happen on the client side--web clients have vulnerabilities, they're exploited, people don't always upgrade when they should, plugins are a problem. I don't think it helps to focus on services in particular.

Also, setting up something like Wordpress and keeping it upgraded shouldn't be rocket science. Maybe distributors could help. (I'm not sure why this sort of thing seems to so frequently be managed by hand as opposed to installed from distro packages--fixing that might help.)

Providing services is a profession

Posted Sep 10, 2009 21:03 UTC (Thu) by elanthis (guest, #6227) [Link] (5 responses)

Because packages put stuff in specific directories. If you had a WordPress package, it would install to something like /var/www/wordpress. But lo and behold, you host two sites, so you put them in /var/www/site1.com and /var/www/site2.com. Or maybe in home directories. Or wherever. So now the packages are useless.

The Linux software packaging model is a joke for anything other than one-off appliances and hardcore nerds who have no life and want to babysit their computers. For all the headaches the Windows software installation CAN cause, out in the real world with real users, it causes very few headaches. It just works. And since the installers there let you pick any installation directory (usually) it's easier to have multiple copies of a piece of software and still have it tracked by the Windows "packaging" service.

The only thing the Windows model lacks that the Linux model has is a unified software update facility, but that is very much an easy to solve problem if anybody actually bothered to try. Instead, though, the Linux people stick with their pre-packaged pre-configured pre-mandated per-distro per-version fixed-everything packaging model. And real users suffer when they use Linux while the nerds go on and on about how easy it is to install and manage software... so long as you only need the software that was packaged for your distro, don't need newer versions of software which are only packaged for the latest version of your distro, don't mind updating every last component of your OS every 6 months and getting a ton of all new bugs and UI changes just in order to get the one or two bugs you needed fixed, and don't mind having insanely difficult installation procedures for inherently unpackagable software like commercial games that have gigabytes of data to install to disk.

But hey, this is 10th year that it's the Year of the Linux Desktop, so clearly users are all going to convert over finally despite Linux developers still refusing to solve one of the fundamental problems real users have with Linux.

(And yes, this is a real user problem. I used to be one of those "get everyone I know to use Linux" people. Then I found out that real people want to do things like install games and such without having to open up a fucking terminal and figuring out arcane magic commands to install it, and then do it over again with every game patch, when they could have been using all that time just playing the damn game, playing a sport outside, getting laid, etc.)

Providing services is a profession

Posted Sep 10, 2009 22:41 UTC (Thu) by sergey (guest, #31763) [Link]

"Classic" Windows software relies on registry for configuration, in a way that makes keeping
code in multiple locations on disk rather useless. What you are referring to, a way to drop an
application in a directory and make it work, is specific to Web apps and is perfectly
acceptable in Windows and Linux alike. A well-written Web application would rely on Linux
packaging model to keep a single code base that processes multiple sites, so that one could
update the code (application) without touching the data (all these sites). In Windows world,
application has nothing to rely on, the developer has to give you a way to centralize
updates, or not (making it your problem). With .NET Microsoft reversed the "use registry for
configuration" policy and recommends keeping it in files, making it a little more like any *NIX
in configuration aspect. But .NET still doesn't have any packaging functionality whatsoever,
and for security updates for any non-Microsoft applications you're still on your own.

What happens more often is that one does drop their applications into their home folder on a
provider's shared hosting box, and think that somehow they are not responsible for
maintaining it. Some developers are really good at facilitating this maintenace (example:
Gallery 2), others... Not so much. This is actually a good example for Linux packaging
approach, not against it.

Installing packages or updating is not a profession

Posted Sep 13, 2009 20:57 UTC (Sun) by man_ls (guest, #15091) [Link] (2 responses)

Ubuntu uses the Synaptic package manager, and it works pretty well. Updating your machine is not hard to do, and nobody forces you to upgrade the whole distro every 6 months -- you can pick up an LTS and go with it for two years. Even better, it's free. You can do mostly the same with Debian, and I'm sure that other distros have their own graphical tools.

On Windows you have a plethora of software packages which want to update at random moments in time, need to run a package updater all the time -- or just when they feel like it. Guess what: most of it just goes without updates indefinitely. Including Windows itself, which is so obnoxious auto-updating that people just try to disable or ignore it. The result is that the typical Windows installation has a plethora of worms, Trojans and viruses fighting each other for supremacy.

One model is best for software integrated in the distro. (Big surprise, distributions are better for distributed software.) The other model is better for installing random garbage from the web -- including all kinds of malware. (If people want to play games my advice is to get a console.) This is not a justification, we all know that the problem of installing external software on GNU/Linux is not solved. But Windows is most definitely not an example to follow. Now, if we could learn a thing or two from Mac OS X...

Installing packages or updating is not a profession

Posted Sep 14, 2009 17:33 UTC (Mon) by NAR (subscriber, #1313) [Link] (1 responses)

I think you didn't understand the problem. Not the "Updating your machine" is the problem - the problem is that new versions of applications tend to introduce new bugs (or trigger old ones). Just think about the headache pulseaudio caused. The problem of Linux software management is that if I want a new version of e.g. pidgin, because it supports a new protocol, I need to upgrade the whole distribution, which will install pulseaudio (among other stuff), so I won't have sound. This happens even when I had absolutely no intention of going anywhere near pulseaudio.

The hardcore Linux-advocate's answer would be that in this case grab the code, compile and install, but it's definitely not as easy as clicking "Next -> Next -> Finish" and then the advantage of package management is lost (no automatic security fixes, no warning if a used library gets updated with some incomtaible code, etc.). The Windows solution might be uglier on the inside, might contain lots of duplicated libraries installed - but works, and that's what the user cares. Of course, until the FOSS developers treat their users as beta-testers, then noone should care about things like this, but this road doesn't lead to world domination.

Installing packages or updating is not a profession

Posted Sep 14, 2009 21:08 UTC (Mon) by man_ls (guest, #15091) [Link]

But that's not a problem -- it's a known trade-off, and GNU/Linux distributors have chosen one path. Nobody forces you to use a distributor -- in fact you might just compile everything statically and upgrade each bit independently. But nobody has chosen that path, because of the enormous waste and bloat. And also because, as the number of copies of a library grows, the probability that all of them are upgraded when a security hole is found approaches zero. Especially given that most of those programs cannot be upgraded automatically, and if users had to pay attention to all those upgrades they would do little else in their lives. The result? Tons of malware.

The Windows solution does not work IMHO. World domination yes, but at what price?

Providing services is a profession

Posted Sep 14, 2009 19:26 UTC (Mon) by bfields (subscriber, #19510) [Link]

If you had a WordPress package, it would install to something like /var/www/wordpress. But lo and behold, you host two sites, so you put them in /var/www/site1.com and /var/www/site2.com

Requiring multiple physical copies of the same code in order to run multiple instances is rather silly.

If you insist on doing it that way, then yes, distro packages will be hard to use--but, then, *any* sort of upgrading will be hard in an environment where you're scattering random php code all over the filesystem.

Attacks against WordPress installations

Posted Sep 10, 2009 13:02 UTC (Thu) by pointwood (guest, #2814) [Link]

"I figured that since it was several years old that the nasties had been found and removed and that it wasn't so brittle."

Just like Windows or many other pieces of software, being several years old, never needs any security updates :p

Attacks against WordPress installations

Posted Sep 10, 2009 13:42 UTC (Thu) by Cato (guest, #7643) [Link]

Part of the problem is that WordPress doesn't distinguish between security updates and new releases - often the only easy fix is to upgrade, or in some cases to take a single file from a new release. WordPress could really do with a more formal security alert process and support model, stating that one or two WP release trains are supported for security updates for a certain amount of time, and providing patches for security only, rather than requiring a full upgrade.

Attacks against WordPress installations

Posted Sep 11, 2009 12:17 UTC (Fri) by job (guest, #670) [Link] (1 responses)

Also, Wordpress could help the situation by not being in a constant state of suck.

Wordpress, Drupal and Joomla should be the poster boys of the free software revolution. They do real work for real people and they do it better than software for tens of thousands of dollars does. So why do they have to so dreadfully riddled with security problems?

Part of the problem is PHP. I've had the misfortune of using the common web mail frontends in the language and they've all had critical holes in them as well. So why do so few other languages, with the exception of Perl which has some excellent blogging and mailing software, reach the critical mass of developers?

Is the situation beyond repair? Will it plague the web forever?

Attacks against WordPress installations

Posted Sep 14, 2009 8:28 UTC (Mon) by yodermk (subscriber, #3803) [Link]

Agree completely. PHP can be made somewhat secure (by disabling stuff like register_globals and allow_url_fopen, and making sure that no directories are writable by Apache) but other languages seem much more secure.

Java (with Tomcat, Glassfish, etc) does seem to be gaining. That should help a lot.

Same with Python, with Django & such. And of course Rails.

I work in a managed web server environment, and I see PHP cracks all the time. I don't recall personally seeing any of the alternatives cracked.

Another idea that I think makes tons of sense for this kind of thing is privilege separation at the database level. Why does the application's DB user have full rights to the database? The answer is simple -- so it can integrate the admin interface and upgrade features, etc. But that is stupid. IMHO the user-facing Apache's DB user should have as few privileges as possible. Admin should be done another way, with a dedicated DB user for that, maybe connecting from a desktop application at the client's end (with appropriate firewalls in place to be sure no one else can attempt to connect). Maybe less convenient but MUCH more secure.