making bbPress (and WordPress) work better!

WP security

Suhosin comes back from the dead, bringing security to newest PHP versions


While everyone has been distracted admiring PHP-NG, a great PHP project has quietly come back from the dead – Suhosin !

Suhosin is a well regarded security extension for PHP by Stefan Esser that had stopped getting updates after PHP 5.3. Perhaps it was due to more dramatic internal changes to the PHP core with 5.4 making it difficult to keep up. Linux distributions such as Debian that added Suhosin seeing its value, dropped it after updates stopped. Suhosin only worked up to PHP 5.3 – until now.

Suhosin can do neat tricks like disable EVAL and the regex /e modifier in PHP which the core of PHP cannot do by itself (or more accurately the core developers refuse to address). Suhosin also has many other options to help make PHP safer to use in a shared environment or where a server might be running a great deal of third-party code (ie. WordPress/plugins).

All I want for Xmas is Suhosin for PHP 5.4

I recently tried PHP 5.4.8 on a production server and the memory-use decrease and performance increase was outstanding over PHP 5.2/5.3, truly impressive.

However despite the thrill, I had to roll back to PHP 5.3 after a couple days. Why? Not because of compatibility, there were only a couple of relatively easy to fix issues. Because it felt like we were running around naked without Suhosin which no longer works after PHP 5.3

Stefan Esser seems to have gone idle on updates for PHP 5.4, there was only an initial dev release several months ago (0.9.34-dev) and nothing since.

So I am calling on the “titans of industry” to make a donation to Stefan with a note encouraging him to continue the development for PHP 5.4 There seems to be a donation link here and I found another one here

If you aren’t running PHP 5.4 yet, you should be soon. Meanwhile those on PHP 5.3 who are not running the Suhosin extension should definitely install it. You can easily find php.ini tuning guides for suhosin around the web (specifically for WordPress too). It might save your server someday from being compromised by a 0-day.

every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it: : WordPress Privileges Unchecked

It’s just mind boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. there is no advisory as to how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php

include(ABSPATH . PLUGINDIR . "/$plugin_page");

Since there is not a natural, singular action before it to hook (it adds the plugin name) the file will have to be edited, and maybe add something like this BEFORE the above line:

if ( ! current_user_can('level_2') ) {
wp_die(__('You are not allowed here.'));

This only allows Authors and above to use plugins via the admin menu.

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy. And this is (yet another time) where it’s coming to haunt WP adopters. The good news is at least bbPress learned from the mistake and does it differently.

babloo/blyat spammer attack on many WordPress blogs

wp-attack-256 I’ve learned recently that a number of WordPress powered blogs (including xkcd) were hit by some kind of spammer attack (bablooO aka babloo-O).

It injected many spam links into the database before the “read more” part of a post.

I am trying to figure out how this happened so it can be prevented from happening again, if it’s a plugin vulnerability or from WP’s xmlrpc.

So if anyone has more details please let me know. I do know it was not tied to any specific version, I have found the signature on WP 2.3 2.5 2.7 & 2.7.1

(sometimes the signature says “blyat” instead of “babloo”)

Movabletype doesn’t report security issues

Every so often I come across a comment on the web about how Movabletype “doesn’t have the security issues” that WordPress does, which really annoys me. No one likes bugs but to be misinformed about security is wrong.

The reality is this couldn’t be further from the truth – Movabletype has had at least three security issues this year but Movabletype is to blame for hiding/lying about the situation with no vulnerability reports and leaving people in the dark until they have a fix. So which is worse, warning people ahead of time there’s a vulnerability and not being petty about how it will make you look – or just not telling the users while the hackers already know how to exploit the problem?

Essentially no one researches Movabletype security vulnerabilities anymore – perhaps the user base has become too small, perhaps hackers aren’t even bothering because they can’t find sites using it worth hacking.

Want proof? It’s simple. Go to any site that tracks security vulnerability announcements. Here’s an example, securnia: (more…)