
  • alex 9:28 am on September 25, 2007 Permalink | Reply
    Tags: backup, backup plugin, BlogSecurity, plugin

    Insecure Way to Upgrade to WordPress 2.3 

    As you may already know, WordPress 2.3 was released yesterday and many folks around the world are sharing their upgrade experiences. The one that caught my attention was the “5 Step Failsafe upgrade for WordPress” published at BlogSecurity.

    No offense intended, but I wonder why a blog dedicated to security recommends an insecure backup plugin that can allow anyone to download database backups or any file from the file system.

    If you are planning to upgrade your WordPress blog, follow the manual steps instead, because many backup plugins are very insecure; if you still want to use one of them, deactivate it once the upgrade process is complete.

     
    • David Kierznowski 10:43 am on September 25, 2007 Permalink

      Alex, why am I not surprised you have another vulnerability to share :)
      Is the vul public?

    • alex 11:32 am on September 25, 2007 Permalink

      David, it’s not public yet, however I do not plan to write any advisory. :)

    • David Kierznowski 1:08 pm on September 25, 2007 Permalink

      I hope you keep us in the loop champ! I think BlogSec may even sponsor this plugin, it may have some bugs, but it’s an absolutely awesome project!

    • Roland Rust 12:32 am on September 26, 2007 Permalink

      Alex, BackUpWordPress is a beta release, I haven’t had too much support from experienced WordPress users until now. Please tell me more about the vulnerabilities you find in the plugin. Thanks a lot in advance!

    • Roland Rust 2:48 am on September 26, 2007 Permalink

      Alex, a bug-fix release of BackUpWordPress was released this moment. The plugin’s backup repository is now secured by .htaccess. I also have added capabilities to the Plugin, to allow the blog admin to download backup archives.
      Thanks a lot for pointing out security issues in BackUpWordPress!

    • alex 10:30 am on September 26, 2007 Permalink

      Well done Roland! I didn’t answer before because I was sleeping :)

    • Roland Rust 3:55 pm on September 26, 2007 Permalink

      Alex, I’m happy to see some WordPress core developers having a look at my plugins. I have set up a forum (http://wpforum.designpraxis.at/) for support, bug reports, troubleshooting etc., if you happen to run into more security issues with my stuff, please let me know!
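    The post above objects to a backup plugin whose archive directory could be fetched by anyone, and the follow-up comments describe the fix as an .htaccess rule plus a capability check for downloads. The handler below is an added example written for this page, not code from BackUpWordPress or any other plugin; it assumes the WordPress `admin_post_*` hook and nonce helpers, and the directory name and function names are hypothetical. It shows the two checks a backup download endpoint needs: the caller must hold an administrative capability, and the requested name must resolve to a file inside the backup directory rather than anywhere else on the file system.

```php
<?php
// Added example, not BackUpWordPress code. BACKUP_DIR and the function
// names are assumptions made for this illustration.
define( 'EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/backup-archives' );

function example_backup_download( $requested_name ) {
    // 1. Authorisation: only users who may manage the site can fetch backups.
    //    Without this, every visitor can pull the database dump.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // 2. Path containment: reduce the request to a bare file name, allow only
    //    the archive naming pattern, and verify the resolved path is still
    //    inside the backup directory (blocks ../ and absolute paths).
    $name = basename( (string) $requested_name );
    if ( $name === '' || ! preg_match( '/^[A-Za-z0-9._-]+\.(zip|sql\.gz)$/', $name ) ) {
        wp_die( 'Invalid backup name', '', array( 'response' => 400 ) );
    }
    $base = realpath( EXAMPLE_BACKUP_DIR );
    $path = realpath( EXAMPLE_BACKUP_DIR . '/' . $name );
    if ( $base === false || $path === false
         || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
        wp_die( 'Backup not found', '', array( 'response' => 404 ) );
    }

    // 3. Stream the file through PHP so the directory itself never has to be
    //    web-readable; the web-server level deny rule is still kept as well.
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Wire the handler to an authenticated admin request, with a nonce so an
// administrator cannot be made to trigger a download by a forged link.
add_action( 'admin_post_example_backup_download', function () {
    check_admin_referer( 'example_backup_download' );
    example_backup_download( isset( $_GET['file'] ) ? $_GET['file'] : '' );
} );
```

    The capability check and the path check are independent: the first stops anonymous downloads, the second stops an authenticated but tricked request from reading files outside the archive directory. Keeping the web-server deny rule on the directory, as the plugin author describes, means a missed check in PHP does not immediately expose the archives again.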

  • alex 7:45 am on September 20, 2007 Permalink | Reply
    Tags: supportsKeywords, tags, Windows Live Writer, wlwmanifest.xml, WordPress 2.3   

    Enable tag support on Windows Live Writer and WordPress 2.3 

    Update: Joseph Scott has made a better manifest file.

    As you may already know, WordPress 2.3 will have built-in tag support and to enable tags on Windows Live Writer you have to upload a manifest file to your blog’s root.

    xml:

    <?xml version="1.0" encoding="utf-8"?>
    <manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">
      <options>
        <!-- supportsKeywords is the option that turns on tag support -->
        <supportsKeywords>Yes</supportsKeywords>
        <supportsFileUpload>Yes</supportsFileUpload>
        <supportsExtendedEntries>Yes</supportsExtendedEntries>
        <supportsCustomDate>Yes</supportsCustomDate>
        <supportsCategories>Yes</supportsCategories>
        <supportsCategoriesInline>Yes</supportsCategoriesInline>
        <supportsMultipleCategories>Yes</supportsMultipleCategories>
        <supportsHierarchicalCategories>Yes</supportsHierarchicalCategories>
        <supportsNewCategories>Yes</supportsNewCategories>
        <supportsNewCategoriesInline>Yes</supportsNewCategoriesInline>
        <supportsCommentPolicy>Yes</supportsCommentPolicy>
        <supportsPingPolicy>Yes</supportsPingPolicy>
        <supportsAuthor>Yes</supportsAuthor>
        <supportsSlug>Yes</supportsSlug>
        <supportsPassword>Yes</supportsPassword>
        <supportsExcerpt>Yes</supportsExcerpt>
        <supportsTrackbacks>Yes</supportsTrackbacks>
        <supportsPages>Yes</supportsPages>
        <supportsPageParent>Yes</supportsPageParent>
        <supportsPageOrder>Yes</supportsPageOrder>
        <requiresXHTML>True</requiresXHTML>
        <supportsAutoUpdate>No</supportsAutoUpdate>
      </options>
      <weblog>
        <homepageLinkText>View your blog</homepageLinkText>
        <adminLinkText>Administer your blog</adminLinkText>
        <!-- {blog-homepage-url} is substituted by Windows Live Writer -->
        <adminUrl><![CDATA[
        {blog-homepage-url}wp-admin
        ]]></adminUrl>
        <postEditingUrl><![CDATA[
        {blog-homepage-url}wp-admin/edit.php
        ]]></postEditingUrl>
      </weblog>
    </manifest>
     
     
  • alex 9:18 am on August 24, 2007 Permalink | Reply
    Tags: exploits, sell exploits

    Selling exploits 

    Today I received a mail from a guy who wants to buy some exploits for WordPress.

    Hi. I have seen exploits for WordPress at milw0rm uploaded by you. If you have these kinds of scripts for newer versions of WordPress I can buy them.

    I responded:

    Actually I only have one remote exploit for WordPress <= 2.2.2, it lets you retrieve user credentials from affected blogs. How much do you offer?

    Actually, I’m not interested in selling exploits because they can be used to compromise many vulnerable blogs (two years ago my Spanish blog was defaced in the same fashion), but I wonder how much WordPress exploits cost.

    Let’s see what he’ll respond :)

     
  • alex 10:09 am on August 6, 2007 Permalink | Reply
    Tags: automattic, sql injection, stats, wordpress.com, xmlrpc

    SQL Injection in WordPress.com Stats plugin 

    Overview

    WordPress.com Stats is a plugin developed by Automattic that lets self-hosted WordPress bloggers use the same traffic metrics system provided to WordPress.com users. It tracks post and page views, referrers, search terms, and clicks on external links.

    While testing this plugin I found a critical SQL Injection vulnerability that may allow an attacker to retrieve the credentials of any user of a WordPress blog; the attacker only needs to know a valid user ID.

    WordPress.com Stats 1.1 and previous versions are affected.

    Technical Details

    The WordPress.com Stats plugin registers two new methods (wpStats.get_posts and wpStats.get_blog) on the WordPress XMLRPC server. The vulnerable method is wpStats.get_posts, which internally maps to stats_get_posts.

    php:
    function stats_get_posts( $args ) {
    // $post_ids arrives straight from the XMLRPC request, unvalidated
    list( $post_ids ) = $args;

    // the IDs are concatenated into a query string that get_posts parses
    $r = 'include=' . join(',', $post_ids);
    $posts = get_posts( $r );
    $_posts = array();

    foreach ( $post_ids as $post_id )
    $_posts[$post_id] = stats_get_post($post_id);

    return $_posts;
    }

    Due to the lack of validation in stats_get_posts, an attacker can prepare a special XMLRPC request that passes arbitrary parameters and values to the get_posts method. This is possible because get_posts can receive a query string as its parameter, so anything joined into $r is parsed as additional query variables.

    get_posts accepts the following variables (defined in the $defaults array); any of them can be set through the injected query string.

    php:
    function get_posts($args) {
    global $wpdb;

    $defaults = array(
    'numberposts' => 5, 'offset' => 0,
    'category' => 0, 'orderby' => 'post_date',
    'order' => 'DESC', 'include' => '',
    'exclude' => '', 'meta_key' => '',
    'meta_value' =>'', 'post_type' => 'post',
    'post_status' => 'publish', 'post_parent' => 0
    );
    $r = wp_parse_args( $args, $defaults );
    extract( $r, EXTR_SKIP );

    ...
    }
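    The two listings above show the whole mechanism: the IDs are joined into a query string, and wp_parse_args then splits that string into the variables of $defaults. The example below is added here and is not code from the plugin or from WordPress. It stands the parsing step in with a small helper, parse_query_args, built on PHP's parse_str (a hypothetical stand-in for wp_parse_args plus extract), and runs a constructed "post ID" through both the original string building and the intval cast from the patch, so the difference in what reaches get_posts is visible without any database.

```php
<?php
// Added example, not plugin or WordPress code. parse_query_args() is a
// hypothetical stand-in for the wp_parse_args() + extract() step in get_posts().

function parse_query_args( string $query, array $defaults ): array {
    $parsed = array();
    parse_str( $query, $parsed );             // splits on '&' and '=' like a URL query
    return array_merge( $defaults, $parsed ); // caller-supplied keys override defaults
}

// Only the variables relevant to the discussion, from the $defaults shown above.
$defaults = array(
    'include'    => '',
    'meta_key'   => '',
    'meta_value' => '',
);

// Mirrors the original stats_get_posts(): IDs joined as-is.
function build_query_vulnerable( array $post_ids ): string {
    return 'include=' . join( ',', $post_ids );
}

// Mirrors the patched version: every ID forced to an integer first.
function build_query_hardened( $post_ids ): string {
    $post_ids = array_map( 'intval', (array) $post_ids );
    return 'include=' . join( ',', $post_ids );
}

// Constructed input: the second "post ID" carries extra query parameters.
$untrusted_ids = array( '1', '2&meta_key=smuggled&meta_value=1' );

$vulnerable = parse_query_args( build_query_vulnerable( $untrusted_ids ), $defaults );
// $vulnerable['include']  === '1,2'
// $vulnerable['meta_key'] === 'smuggled'  <- a variable the XMLRPC method never meant to expose

$hardened = parse_query_args( build_query_hardened( $untrusted_ids ), $defaults );
// $hardened['include']  === '1,2'        <- intval() keeps only the leading digits
// $hardened['meta_key'] === ''           <- nothing beyond the IDs reaches the parser

var_dump( $vulnerable['meta_key'], $hardened['include'], $hardened['meta_key'] );
```

    The detection side follows from the same property: a wpStats.get_posts request whose post IDs contain anything other than digits is never legitimate, so XMLRPC access logs can be filtered on that alone. Passing an array to get_posts instead of a concatenated string would remove the parsing step entirely, which is the more general fix for code that builds query-string arguments from untrusted input.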

    An attacker can prepare a special XMLRPC call to exploit the vulnerability:

    code:
    &meta_key=%27) SQL INJECTION HERE/*&meta_value=1

    Solution

    Upgrade to the latest version or apply the following patch to prevent SQL Injection attacks on the WordPress.com Stats plugin.

    diff:
    Index: stats.php
    ===================================================================
    --- stats.php   (revision 15884)
    +++ stats.php   (working copy)
    @@ -233,6 +233,7 @@
    function stats_get_posts( $args ) {
    list( $post_ids ) = $args;

    +       $post_ids = array_map( 'intval', (array) $post_ids );
    $r = 'include=' . join(',', $post_ids);
    $posts = get_posts( $r );
    $_posts = array();
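    Review bot: the added `array_map( 'intval', (array) $post_ids )` line closes the query-string injection, but intval() maps a non-numeric entry to 0, so a bad element still ends up as `include=0` in the string passed to get_posts and as the key `$_posts[0]` in the loop below; consider dropping non-positive values, e.g. `$post_ids = array_filter( array_map( 'intval', (array) $post_ids ) );`, so only real IDs are queried. Since the get_posts() shown above reads its arguments through wp_parse_args(), which also accepts an array, building `array( 'include' => $post_ids )` instead of the `'include=' . join(...)` string would avoid the query-string parsing step altogether and make this class of bug impossible here.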
     
     
    • Cash Advance 12:41 pm on September 19, 2007 Permalink

      Superb write up talking about Alex Concha. I love your posts.

  • alex 11:50 pm on July 17, 2007 Permalink | Reply
    Tags: gpl, green lite, themes

    Green Lite WordPress theme modified 

    In this blog I’m using a custom version of the nice Green Lite theme; since it is a GPL theme, I’m releasing the modified version for everyone who wants it.

    I’ve made slight modifications to the CSS and HTML structure (I’m not a web designer) and translated most of the Italian words present in many files. Because of the new color scheme in my version, it seems that Green Lite is no longer a suitable name :D

     