
Why is WordPress 2.8.2 a Critical Update?

   20 Jul 09   Filed in Tips and Tricks, Website exploits

WordPress has just released a security update.

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.

Unfortunately, the official blog didn’t mention that this upgrade is actually critical and why you should update ASAP. Let me explain this.

What is XSS vulnerability?

XSS (Cross-Site Scripting) is a security vulnerability that allows malicious users to inject code into web pages viewed by other users. In the case of this WordPress vulnerability, hackers can leave a comment with a specially crafted URL in the “website” field of the comment form. When you open any page in the admin area of your blog that displays this malicious comment (this may be the Dashboard, the Comments section or the edit page of the specific post), the code hidden in the comment author’s URL is activated and you are automatically redirected to a third-party site (as the release note suggests).
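To make the defect concrete, here is an added illustration (not code from this post or from WordPress, and written in Python rather than WordPress’s PHP) of the unsafe output pattern the post describes beside a hardened version; the function names and sample URLs are constructed for the example.

```python
from html import escape
from urllib.parse import urlsplit

# Schemes a comment author's "website" field is allowed to link to.
ALLOWED_SCHEMES = {"http", "https"}


def render_author_link_unsafe(name: str, url: str) -> str:
    """The vulnerable pattern: the stored URL is dropped into an href untouched,
    so a quote in it closes the attribute and a script scheme is passed through."""
    return f'<a href="{url}">{name}</a>'


def sanitize_author_url(url: str) -> str:
    """Return a URL that is safe inside an href, or "" if it must be rejected.

    Two independent checks: the scheme must be http(s) and a host must be present
    (so no script-executing schemes survive), and the result is attribute-escaped
    (so a quote inside the URL cannot break out of the href attribute).
    """
    url = url.strip()
    if not url:
        return ""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    return escape(url, quote=True)


def render_author_link_safe(name: str, url: str) -> str:
    """Hardened version: validate the URL, then escape everything on output."""
    safe_url = sanitize_author_url(url)
    safe_name = escape(name, quote=True)
    if not safe_url:
        return safe_name  # rejected URL: show the name with no link at all
    return f'<a href="{safe_url}">{safe_name}</a>'


if __name__ == "__main__":
    # Constructed inputs: a benign site URL, a script scheme, and a quote-breaking URL.
    for author, site in [("Alice", "http://example.com/"),
                         ("Bob", "javascript:x"),
                         ("Carol", 'http://example.com/"x')]:
        print("unsafe:", render_author_link_unsafe(author, site))
        print("safe:  ", render_author_link_safe(author, site))
```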

Why is this serious?

Now that WordPress has disclosed the fact that versions prior to 2.8.2 have an XSS vulnerability, hackers will start searching for a way to exploit this vulnerability. It usually takes only a few hours to create an exploit and configure a botnet to start an attack.

Redirection from the admin to a third-party site may not sound scary to you, but I envision at least two types of attacks that can lead to very serious consequences: hackers gaining access to the admin area of your blog and to your whole site. (Plus one type that is just annoying.)

Attack #1: Phishing

As you know, when you sign in to the WordPress admin area, the first screen you see is the Dashboard. The Dashboard contains the Recent Comments section, which displays the latest comments. If any of those comments has a specially crafted comment author’s URL, you will be redirected to a third-party site before the Dashboard has completely loaded.

[Image: WordPress login screen]

This third-party site can display a standard WordPress login screen (they all look the same, so if you don’t check the URL in your browser’s address bar you won’t detect the substitution) telling you to try again. Unsuspecting users will enter their credentials again. Hackers will harvest them and redirect the user back to the original admin area. If the XSS code is properly crafted, some users won’t even know that they have just given their blog credentials to criminals.

By the way, another path to the admin area is to click on the “Approve/Delete/Spam” links in the WordPress notification emails. This way you are also exposed to the attack right after you sign in.

Dear WordPress developers, please make the login screen skinnable. This way bloggers will be able to recognize “alien” login screens that use the wrong theme.

Attack #2: Malware.

The third-party site may not ask for your password at all. Instead it will try to take advantage of your browser’s vulnerabilities (at this moment IE has a known unpatched security hole, and older versions of other browsers may be vulnerable too) and silently install malware on your local computer. Among other nasty things, trojans scan infected computers and steal stored FTP credentials (for example, FileZilla stores them in plain text in XML files), which are then used to compromise your web site. This is the most “popular” vector for hacking web sites this year.

There are also other ways to exploit this XSS vulnerability. Their consequences may be less dangerous but still very annoying.

Attack #3: SPAM

Every time you sign in to the blog admin or manage comments, you’ll get redirected to some “prescription drug” site.

Before you upgrade…

So it’s time to upgrade. Right? But wait! What if malicious comments are already waiting for you in the admin area, so that the moment you sign in to use the WordPress automatic upgrade tool you are exposed to the XSS attack?

Safe way to upgrade

If you don’t want to be exposed to any risks, you should upgrade WordPress before you sign in to the admin area.

  1. The most obvious way to do it is the manual upgrade. You must be familiar with it if you’ve lived in the pre-2.7 era.
  2. Another way (probably the easiest of them all and at the same time the most techie) is to upgrade using Subversion.
  3. If the manual upgrade is not your cup of tea, make sure your web browser can withstand XSS attacks. I suggest that you use the latest version of Firefox (3.5.1 currently) along with the NoScript extension, which has very good anti-XSS protection. If you use other browsers, disable JavaScript before you sign in and don’t enable it until you reach the Tools->Upgrade page.

I hope this post has given you a basic understanding of the security implications of unpatched XSS vulnerabilities in the WordPress admin area. Now you know why you should upgrade and how to do it the right way.

Keep your site secure.


Reader's Comments (4)

  1.

    [...] A slightly more detailed explanation: Why is WordPress 2.8.2 a Critical Update? [...]

  2.

    Thanks for explaining the XSS vulnerability (WordPress.org certainly didn’t describe the vulnerability in enough detail).

  3.

    [...] A few clients have come to me recently to let me know that their site has been hacked. They all run WordPress on their site but were unaware of the critical update that stopped users from injecting code into your pages. I’ve found a site that explains this all very well, so check out the article at Unmask Parasites. [...]

  4.

    This is good to know, thanks.

    My little WP modification is to make a new version of wp-admin/images/login-logo.gif with my logo in it. It’s not time-consuming to re-upload it every time I upgrade. It’s good for branding and (knowing this vulnerability) I’ll use it to pay closer attention to whether or not I’m actually on my site.