WordPress <=2.0.2 Severe Security Flaw
A severe shell-execution exploit has been released by rgod (rgod@autistici.org).
The vulnerability affects all versions of WordPress Blog System <=2.0.2.
The good news: the exploit works only on WordPress sites where "Self User Registration" (e.g. /wp-register) is enabled, so for now you can "patch" your system by disabling Self User Registration.
I ran some tests and it seems that the exploit really works fine. However, if you are using redirects to the User Profile section of your blog, the exploit will not follow them, and this will protect you from lamers who are trying to hack your server without understanding.
The exploit injects code into the "cache/userlogins" files, where WordPress stores cached user information. After a successful exploit, the intruder can run arbitrary commands on the remote machine (as the web server user) through a malicious URL. In addition, the exploit creates a file called "suntzu.php", a backdoor to your system.
We are waiting for the official patch from WordPress, but for now you SHOULD disable “User Self Registrations”!
Another Solution:
Restrict web access to the wp-content/cache/userlogins/ and wp-content/cache/users/ directories (e.g. with a .htaccess file).
Use this if you have untrusted users in your blog system.
Here’s the exploit code: http://retrogod.altervista.org/wordpress_202_xpl.html
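The .htaccess workaround and a check for the "suntzu.php" backdoor described above, written out as an added example (it is not from the original post or from WordPress). It assumes Apache with AllowOverride permitting access rules in these directories; the function names and the WordPress root argument are illustrative.

```shell
#!/bin/sh
# Added example: apply the .htaccess workaround and look for the backdoor file.
# Usage (assumed): sh wp_cache_check.sh /path/to/wordpress

# Cache directories named in the post, relative to the WordPress root.
CACHE_DIRS="wp-content/cache/userlogins wp-content/cache/users"

# Print each existing cache directory that has no deny rule in its .htaccess.
unprotected_cache_dirs() {
    for rel in $CACHE_DIRS; do
        dir="$1/$rel"
        [ -d "$dir" ] || continue
        if ! grep -Eqi 'Require all denied|Deny from all' "$dir/.htaccess" 2>/dev/null; then
            echo "$dir"
        fi
    done
}

# Append a deny-all rule to every unprotected cache directory.
# The first block is Apache 2.4 syntax, the second covers older releases.
harden_cache_dirs() {
    unprotected_cache_dirs "$1" | while IFS= read -r dir; do
        cat >> "$dir/.htaccess" <<'EOF'
# Block direct web access to WordPress cache files
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
        echo "hardened: $dir"
    done
}

# List any file named suntzu.php anywhere under the WordPress root.
find_backdoor() {
    find "$1" -type f -name 'suntzu.php' 2>/dev/null
}

if [ "$#" -ge 1 ]; then
    harden_cache_dirs "$1"
    hits=$(find_backdoor "$1")
    [ -z "$hits" ] || printf 'possible backdoor:\n%s\n' "$hits"
fi
```

A hit from `find_backdoor` means the site should be treated as compromised; the .htaccess rule only blocks web requests to the cache files and does not clean anything already written to them.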
Serious security problem for Wordpress
It seems we have a security problem in wordpress and its user registration system. For the moment it is recommended to disable registration of new users.
By meneame.net on 05.26.06 11:06 am
Serious security problem in WordPress
I was just thinking that it has been a long time since there were any security holes in WordPress when I read that one has been found related to user creation.
The bad news is that it allows executing arbitrary commands with the user of the se…
By SigT on 05.26.06 11:29 pm
[…] More information in English at Cafe Sofia. […]
By Problema de seguridad en Wordpress » The Estupendos on 05.31.06 12:51 am
[…] We talked about the security flaw in Wordpress here. Now there’s an official release for this and other security issues available at Wordpress. […]
By Café Sofia » Wordpress 2.0.3 bug fix and security release, recommended for all WordPress users on 06.02.06 12:24 pm
I’ve just upgraded all my installs to 2.0.3 - is there confirmation that the latest version isn’t susceptible to this exploit?
I’ve been reading a number of other posts warning of the problem - from the last couple of days - and they don’t differentiate between versions.
Thanks.
By Brett Boxcutter on 07.28.06 3:59 am
WordPress has released a new version that fixes that bug (2.0.3) - more info can be found here - http://www.cafe-sofia.com/wordpress-203-bug-fix-and-security-release-recommended-for-all-wordpress-users/
By peter on 07.28.06 7:46 am