Thu 23 Oct 2008
Wordpress 2.6.3 Security Information
Posted by hawk under Security , Site NewsLet Me Hear Your Thoughts >>
Some of the intelligent few have noticed that this is indeed a Wordpress blog. Some of you even try and login which is funny to see the wp-login.php in my 404s. Regardless I like to make sure I keep everything up-to-date. I don’t keep a wordpress version like 2.6.3 per say but I do my own custom changesets.
Sometimes I wonder whether the world is being run by smart people who are putting us on or by imbeciles who really mean it.
-Mark Twain
Today we examine the changes from Wordpress 2.6.2 to version Wordpress 2.6.3 and will point out the obvious issues with the previous version.
First I like to point you to the ChangeLog 2.6.3 for wordpress but more importantly the diff changset
On the wp-trac mailing there is always banter about the beloved snoopy class, but this one I must admit takes the cake. I haven’t gone back to see the entire threat but I will expose the idea as follows.
wp-includes/class-snoopy
1 2 | var $maxlength = 8192; // old size var $maxlength = 50000; // max return data length (body) |
After seeing this any old school programmer would know exactly what the exploit was. For those still needing a clue however, it would be a buffer overflow. The maxlength variable obviously controls some type of stream length, otherwise we wouldn’t be seeing a change to a much large number. Is this move alot safer? Well I’m guessing they feel most apache servers limits are set around 51,089k file upload size on shared servers so this should be safe. We know better of course.
So lets take a detour aware the buffer overflow for a moment for one of my favorite security holes. The remote shell execution, or parameter injection.
1 2 3 4 | $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access exec(escapeshellcmd($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\""),$results,$return); //----------------------The new and improved---------------------------- exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return); |
As you can see safer_URI is being protected by a strtr of double-quotes before placing it into an execution on the sell level. Not only that it’s concatenated into a larger argument string for easy replacement and back-tick manoeuvrings. The new version looks much safer, however $headerfile, $cmdline_params are both un-secured and possibly over-rideable somewhere else in execution.
Back from execution, I mean programming execution…
Buffer overflow finally
1 2 3 4 | /*while (!feof($fp)) { $file_content .= fread($fp, filesize($file_name)); }*/ $file_content = fread($fp, filesize($file_name)); |
There you have it, they went from a string concatenation to a straight assignment. Reason being once again the concate can be broken out of if the buffer gets overflowed and now you have access to execution of $file_content. Is this new fix safer, yes as far as we know assignment operations are considering non-threat. However I have a feeling I could write a 51 meg file to get around this issue, but then again who knows.
So there is a major problem with any wordpress version that runs a snoopy class of 1.2.3 or has these remote execution problems along with overflow issues. 2.6.3 solves this but I’m sure that this has been in wordpress for a while, I wouldn’t be surprised if press 2.0.
The rest of the diffs in the branch are just mistakes made by previous programmers, nothing a security threat just compatibility issues as well as language problems.
