WordPress hardened with XSS, DoS and SSRF fixes

With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks.

Security fixes in this release include measures to prevent server-side request forgery (SSRF) attacks. The TinyMCE editor, the external SWFUpload library and other components have been updated to fix cross-site scripting (XSS) holes; WordPress’s own SWFUpload fork is used by the blogging platform to transfer files to the server, while TinyMCE is used as the software’s content editor. A problem that could be exploited by attackers to perform denial-of-service (DoS) attacks on sites that use WordPress’s password protection for posts has also been fixed.

WordPress 3.5.2 is available for download from the project’s web site. Alternatively, existing users can update automatically via Dashboard > Updates in the WordPress admin interface. The source code for WordPress is licensed under the GPLv2 or later.

Cross-posted from Heise-Security.

WordPress 3.4 update closes important security hole

The WordPress developers have released version 3.4.1 of their popular open source publishing platform, fixing a number of bugs and closing security holes, one of which is rated as important. WordPress 3.4, which has already been downloaded 3 million times since being released two weeks ago, contains an important privilege escalation flaw that accidentally allowed all administrators and editors on multi-site installations to use unfiltered_html. This could have been exploited by users for cross-site scripting (XSS) attacks by, for example, publishing posts containing malicious code.

The update also fixes an information disclosure vulnerability which could have allowed some users to bypass certain security restrictions in order to view the contents of posts that they should not be able to see, such as draft and private posts. WordPress 3.4.1 further improves security by adding additional protections against cross-site request forgery (CSRF) attacks in the customizer, and deprecating the wp_explain_nonce() function as it could reveal unnecessary information. Additionally, a child theme can now only be activated along with its intended parent theme.

Changes unrelated to security include fixes for problems with category permalink structures and an issue that resulted in a theme’s page template not being detected. WordPress now better handles plugins and themes that load JavaScript incorrectly, and improves compatibility with servers running certain versions of PHP. Early support for uploading images on iOS 6 devices has also been added.

A full list of fixes can be found in the WordPress Trac and on the Version 3.4.1 Codex page. WordPress 3.4.1 is available to download from the project’s site; existing users can upgrade using the built-in update functionality. Binaries and source code are licensed under the GPLv2 or later.

http://h-online.com/-1628769

WordPress fixes file upload security problems

The H-Security: The developers of the popular open source blog engine WordPress have released a security update for the software. WordPress 3.3.2 fixes unspecified bugs in three external file upload libraries used in the software and other security problems with the application.

The bugs affect both WordPress’s current file uploading library Plupload as well as the SWFUpload and SWFObject libraries; these were bundled with older versions of the application and might still be in use by certain plugins on the current versions of WordPress. The developers did not go into detail about the specifics of the security holes but thanked three people from the WordPress community for responsibly disclosing them. Three more fixes address a privilege escalation in the blog engine’s multi-site system and two cross-site scripting vulnerabilities in the core components of WordPress. More details on all of these patches and also some additional smaller fixes can be found in the change log.

WordPress 3.3.2 can be downloaded from the project’s web site and users can also update their installations of the software automatically from the Update menu in their site’s Dashboard.

WordPress.com suffers hacker attack – how to change your password

Sophos Labs: Millions of blog owners around the world are being advised to consider their password security, after WordPress.com was hacked.

To its credit, Automattic – the company behind the WordPress.com blogging platform – didn’t mince its words or try to apply any spin to the incident, explaining it had suffered a “low-level (root) break-in to several of [its] servers, and potentially anything on those servers could have been revealed.”

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

WordPress’s gurus continue to investigate the security breach, and say they have taken steps to prevent it happening again.

It’s worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org.

So, until we know more, I think it would be sensible for all WordPress.com users to follow the advice – and consider if they are using a secure password. Better safe than sorry, after all.

Here’s how you change your WordPress.com password, if you think it might not be secure.

1. Go to Users / Personal settings

2. Choose a strong, unique password. (How to choose a good password and take care of it?)

We don’t know that the WordPress.com security breach gave the hackers access to bloggers’ passwords, but we do know that many internet users have chosen to use the same password on multiple websites. So if your password was stolen from one website, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So always use unique passwords.

Furthermore, computer users should ensure they don’t use dictionary words as passwords as it is relatively easy for hackers to figure these out using electronic dictionaries that simply try out every word until they get the right one.

Even though your WordPress password may not have been compromised, it still makes sense and is good practice to make sure that you have chosen a good, strong password now.

Follow up: Hacker Gains Access To WordPress.com Servers, Site Source Code Exposed

Follow up from: Hacker Gains Access To WordPress.com Servers

Tech Crunch: WordPress.com has revealed that someone has gained root-access (“low-level,” as in deep) to several of its servers this morning and that VIP customers’ source code was accessible. WordPress.com VIP customers are all on “code red” and in the process of changing all the passwords/API keys they’ve left in the source code.

“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

While Automattic is downplaying the leak, sites’ source code could include API keys and Twitter and Facebook passwords which can let interested parties gain access to sensitive information as well as shut people out of their Twitter and other vulnerable accounts.

Automattic says that the investigation “is ongoing.” I’ve contacted founder Matt Mullenweg for more information and will update this post when I hear back.

WordPress.com currently serves 18 million publishers, including VIPs like TED, CBS and is responsible for 10% of all websites in the world. WordPress.com itself sees about 300 million unique visits monthly.

Hacker Gains Access To WordPress.com Servers

Tech Crunch: WordPress.com has revealed that someone has gained access to several of their servers this morning and that VIP customers’ source code was accessible. WordPress.com customers are all on ‘code red’ and in the process of changing all the passwords/API keys they’ve left in the source code.

“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

While Automattic is downplaying the leak, site source code includes API keys like Twitter and cookie log-ins which can let interested parties gain access to sensitive information like Twitter accounts.

Automattic says that the investigation “is ongoing.” I’ve contacted Automattic for more information and will update this post when I hear back.

Updated: Follow up: Hacker Gains Access To WordPress.com Servers, Site Source Code Exposed

WordPress hit with second big attack in two days

CNET wrote: The popular blogging-site hoster WordPress was hit with another distributed denial-of-service attack this morning, the second in two days.

“Unfortunately, the DDoS attack from yesterday returned in a different form this morning and affected sitewide performance,” the company said in a notice on its Automattic site, which serves as a dashboard for the service. “The good news is that we were able to mitigate it quickly and performance returned to normal around 11:15 UTC. We are continuing to monitor the situation closely.”

Stats on Automattic.com show that the site was affected for about an hour or so starting around 3:15 a.m. PST.

One day earlier, WordPress was hit with an attack that reached “multiple Gigabits per second and tens of millions of packets per second,” hampering the company’s three data centers and disrupting nearly 18 million hosted blogs and members of its VIP service, including the Financial Post and TechCrunch.

Typically, DDoS attacks are accomplished using botnets of thousands of compromised computers that are directed to a target Web site with the motivation of overwhelming the site and taking it offline.

WordPress did not provide many details about either attack, but founder Matt Mullenweg told CNET on Thursday that the first attack may have been politically motivated against one of the site’s non-English blogs. He did not immediately respond to an e-mail seeking comment today.

WordPress Adds Feature for Embedding Tweets

Mashable: Months ago, Twitter released a clunky tool called Blackbird Pie for embedding tweets in blog posts. Today WordPress has radically simplified and improved tweet embedding with a new feature, also named Twitter Blackbird Pie.

Beginning today, WordPress.com users simply need to copy a tweet’s URL and paste it on a line by itself to embed it in a blog post.

Pasted URLs are converted into full tweets, which means these embedded tweets look as good as screenshots, but include the link back to the tweet, a link to the source and a retweet option. The new feature will also save users time — letting them avoid the much more manual process of snapping screenshots of tweets.

Twitter’s own Blackbird Pie feature is nice in theory, but not exactly convenient to use; tweets embedded this way also lack the style of the original tweet. In reworking the feature, WordPress keeps the style and rich content of the tweet intact, but eliminates the friction from the process.

WordPress modeled the new feature after a plugin for self-hosted blogs by the same name.

Microsoft Kills Live Space blogs

Microsoft announced that it has collaborated with WordPress and that from now on WordPress will be the default blogging platform for Windows Live users. This means Microsoft is killing its own blogging platform and suggesting that users move to a better platform called ‘WordPress’.

At the TechCrunch Disrupt conference, Windows Live Director ‘Dharmesh Mehta’ announced that all existing Windows Live Spaces users will be migrated over to an account at WordPress.com.

So from now on, users who sign up for a Windows Live account get free Hotmail, the Xbox Live site, a free blog from WordPress.com and other services.

For me, this move shows that Microsoft is admitting it cannot compete in the blogosphere, giving up its own blog network and shifting its Live Spaces users over to WordPress.

I think it’s a good decision, because killing an uncompetitive product is better than dragging it along. Just imagine Windows Live Spaces running on Linux-powered WordPress!

Microsoft currently has 30 million people using its Windows Live Spaces blogging platform. Those users can port their blog posts, comments, and photos to WordPress, and redirect their old Spaces URLs to the new blog. Microsoft said Live Spaces users will have 6 months to migrate to WordPress.com.

If you’re not ready to migrate today, you can also choose to download your blog content, migrate later, or delete your Space.

Read more: Windowsteam

WordPress and PHP-based management systems under attack?

A variety of sources are reporting that blog hosting sites with WordPress-created sites and PHP-based management systems such as Zen Care eCommerce are being infected with malicious scripts.

Websites hosted by the hosting providers DreamHost, GoDaddy, Bluehost and Media Temple have been found with the malcode, according to H-Online.com.

The malicious scripts download malcode and block Google’s Safe Browsing API from alerting users.

Story here: “Large-scale attack on WordPress”

The Sucuri Security blog has offered clean-up instructions for those with infected pages here.