Tag Archives: Security

SecurityFocus SQL Injection Bogus

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

A valid security report looks like this, it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

Continue reading

Spammers Hack Blogs

Blog spammers have sunk to new lows.

Nivi Spam SourceNivi, a blog I’m subscribed to, was showing dozens and dozens of entries being updated even though there was no discernible difference. However as I started looking closer, I noticed if you view the source, for example on this post, there is are ton of spam links there. You can click the screenshot to the left.

The implications of this are disturbing. His blog was hacked (which isn’t unusual and could have been for a thousand reasons like another account on his server being hacked, and old version of phpBB or other software) but instead of doing anything obvious to disturb the content of the site they invisibly modified his posts using CSS-hidden text. He has probably had hundreds of posts modified. I can’t imagine cleaning it up will be pleasant.

AJAX and CSRF

When working on some new AJAX features for bbPress and WordPress we’ve noticed that AJAX requests don’t seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site-scripting, or XSS, so when they’re not set we aren’t able to use that value. How are most people using AJAX protecting against XSS? It seems the same things we’re doing to make things easily accesible in a dynamic fashion are also opening new vectors for attack.