making bbPress (and WordPress) work better!

every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it: : WordPress Privileges Unchecked

It’s just mind boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. there is no advisory as to how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php

include(ABSPATH . PLUGINDIR . "/$plugin_page");

Since there is not a natural, singular action before it to hook (it adds the plugin name) the file will have to be edited, and maybe add something like this BEFORE the above line:

if ( ! current_user_can('level_2') ) {
wp_die(__('You are not allowed here.'));

This only allows Authors and above to use plugins via the admin menu.

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy. And this is (yet another time) where it’s coming to haunt WP adopters. The good news is at least bbPress learned from the mistake and does it differently.

4 responses

  1. Your post title is inaccurate. In order to use this attack a person would need an account on your blog already.

    Have you been able to confirm that this was the method used by babloo/blyat? If so what plugin or chunk of code carried the exploit?

    July 13, 2009 at 1:10 pm

  2. Hi Joseph,

    The account would not need any special privileges, it can be a regular user, so:

    1. They make a regular user in an automated way (most WP installs rely on akismet and not any kind of captcha)

    2. They “scan” the WP install for plugins that WP will allow to escalate privileges until they find one that is enabled – one plugin that I seem to find mentioned across infected sites is “subscribe to comments” but there are likely others

    3. I assume the method is used by babloo/blyat because the security whitepaper specifically mentions xkcd on 6/18 which I know specifically was bablooo/blyat (based on google cache search results)

    4. babloo/blyat seems to only affect selected posts, not every single post, which leads me to believe they injected XSS javascript which waited for an admin or author to show up and edit (or maybe even just view) a post, then add their payload to the post.

    July 13, 2009 at 10:10 pm

  3. My point was that they would need an account on the blog. By default WordPress has user sign ups turned off and many WP installs stay that way, so saying that every WP install is vulnerable to anyone being able to launch this attack is not accurate.

    One thing that would be helpful to know is if all of the attacked sites had turned on user sign ups.

    July 14, 2009 at 1:50 pm

  4. Since I work mostly on the bbPress side for the past few years I am used to WordPress membership being active. I’d have to believe that with over a million WP installs out there, at least 50% have membership turned on.

    I just randomly checked a few of the sites that were hit (including xkcd) and they all have the register link active.

    July 14, 2009 at 10:32 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s