Hawk Enterprises

Some of the intelligent few have noticed that this is indeed a Wordpress blog. Some of you even try and login which is funny to see the wp-login.php in my 404s. Regardless I like to make sure I keep everything up-to-date. I don’t keep a wordpress version like 2.6.3 per say but I do my own custom changesets.

Sometimes I wonder whether the world is being run by smart people who are putting us on or by imbeciles who really mean it.
-Mark Twain

Today we examine the changes from Wordpress 2.6.2 to version Wordpress 2.6.3 and will point out the obvious issues with the previous version.

First I like to point you to the ChangeLog 2.6.3 for wordpress but more importantly the diff changset

On the wp-trac mailing there is always banter about the beloved snoopy class, but this one I must admit takes the cake. I haven’t gone back to see the entire threat but I will expose the idea as follows.

wp-includes/class-snoopy

1
2

	  var  $maxlength = 8192;  // old size
          var	$maxlength		=	50000;				// max return data length (body)

After seeing this any old school programmer would know exactly what the exploit was. For those still needing a clue however, it would be a buffer overflow. The maxlength variable obviously controls some type of stream length, otherwise we wouldn’t be seeing a change to a much large number. Is this move alot safer? Well I’m guessing they feel most apache servers limits are set around 51,089k file upload size on shared servers so this should be safe. We know better of course.

So lets take a detour aware the buffer overflow for a moment for one of my favorite security holes. The remote shell execution, or parameter injection.

1
2
3
4

	$safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
		exec(escapeshellcmd($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\""),$results,$return);
//----------------------The new and improved----------------------------		
		exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);

As you can see safer_URI is being protected by a strtr of double-quotes before placing it into an execution on the sell level. Not only that it’s concatenated into a larger argument string for easy replacement and back-tick manoeuvrings. The new version looks much safer, however $headerfile, $cmdline_params are both un-secured and possibly over-rideable somewhere else in execution.

Back from execution, I mean programming execution…

Buffer overflow finally

1
2
3
4

/*while (!feof($fp)) {
	$file_content .= fread($fp, filesize($file_name));
}*/
$file_content = fread($fp, filesize($file_name));

There you have it, they went from a string concatenation to a straight assignment. Reason being once again the concate can be broken out of if the buffer gets overflowed and now you have access to execution of $file_content. Is this new fix safer, yes as far as we know assignment operations are considering non-threat. However I have a feeling I could write a 51 meg file to get around this issue, but then again who knows.

So there is a major problem with any wordpress version that runs a snoopy class of 1.2.3 or has these remote execution problems along with overflow issues. 2.6.3 solves this but I’m sure that this has been in wordpress for a while, I wouldn’t be surprised if press 2.0.

The rest of the diffs in the branch are just mistakes made by previous programmers, nothing a security threat just compatibility issues as well as language problems.

XSS still for some developers seems to be the redheaded step child of security hacks.  I’ve talked with several plugin developers and theme developers and they all seem not to care.  While in this article I’m not going to show you why it’s so dangerous I will just show you how to prevent XSS on server side with PHP and real-life examples.

Let’s take the Connections Wordpress Theme and show you the vulnerability.

Open the theme directory

Open search.php in the connections folder and search for the following,

1

<?php echo $s; ?>

(it appears twice on search.php)

The above is particularly a problem because it’s taking the “raw” input of s which in Wordpress is the search variable almost everyone uses.  Then it puts it directly into the execution space for Javascript which can cause multitude of other problems.  Here is just an example that is the tip of iceberg.

XSS demo on connections theme original site

You can only imagine what can be done from here.  Something like window.location=’nastypornsite.com’ then sent to Google for mega-indexing can really ruin a webmasters day.  How to prevent the nastiness, is actually rather simple.  Here are the same lines fixed for XSS prevention, using strip_tags()

1

<?php echo strip_tags($s); ?>

I have of course informed the developer but I also hope that this helps people better understand the issues concerned with XSS.   I will admit it wasn’t until today I saw a lame attempt at XSS in my logs that I realized this blog was vulnerable.  Of course every connections theme out there on the internet is vulnerable as well, and perhaps a crafty person might be able to chase down every owner of a connection theme and …  inform them of the problem.  But maybe that is asking too much.

Relative Links

• SEO Redirects and XSS

We must not forget that the wheel is reinvented so often because it is a very good idea; I’ve learned to worry more about the soundness of ideas that were invented only once.
–David L. Parnas

In my coding on several projects I have found that I sometimes need to know what the latest version of wordpress that is available.  Surprisingly I couldn’t find any documented rpc service or api call from wordpress.org.    I saw alot of people writing there own version checkers including this fellow at “Follow The White Rabbit”. Although incredibly old, Peter is using his own server to check against and of course you see a bunch of comments with people having problems.  We also know that every version of a Wordpress install is unsecure an allows access to wp-includes/version.php.  However for this project we don’t need or want the individual install version.  What we want is the “latest” release from wordpress.

I made my own version and in a way it is using wordpress.org.  Basically it uses there /latest redirect that serves up the latest wordpress compressed file. The filename always has the same format and you can grab just the filename using header(’content-disposition’); that way eliminating the call for the entire file.  In the filename exists the version and thus you have the version number.  For variety I used fsockopen instead of curl, either would work.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

<?php
$domain = "www.wordpress.org";
$portno = 80;
$method = "HEAD";
$url    = "/latest";
 
$http_response = "";
$http_request .= $method." ".$url ." HTTP/1.0\r\n";
$http_request .= "\r\n";
 
$fp = fsockopen($domain, $portno, $errno, $errstr);
if($fp){
    fputs($fp, $http_request);
    while (!feof($fp)) $http_response .= fgets($fp, 128);
    fclose($fp);
}
 
 
$arr = explode("\r\n",$http_response);
 foreach($arr as $k=>$v){
 	if(strstr($v,':')){
		$arr2 = explode(':',$v);
		$headers[$arr2[0]] = $arr2[1];
	}
 }
 
 $datarep = $headers['Content-Disposition'];
 if(isset($datarep)){
 	$wordpress_filename = substr($datarep,strpos($datarep,'=')+1);
	echo str_replace('.tar.gz','',$wordpress_filename);
 }
 
?>

Completely unrelated, I also found this quote

Destructors for virtual base classes are executed in the reverse order of their appearance in a depth-first left-to-right traversal of the directed acyclic graph of base classes….
– B. Stroustrup, The C++ Programming Language, p. 575

Which I would just like to point out was one of the worse books I’ve ever read.  I wouldn’t of read it if it wasn’t mandatory computer science material.