New WordPress 3.5.1 vulnerability affects protected pages

By Jessica Zuzierla     Jun 12, 2013 in Internet
A zero-day vulnerability found in WordPress may have been released to the public prematurely. The following includes vulnerability details, plus the researcher's response to questions about the public release.
Independent researcher Krzysztof Katowicz-Kowalewski found a WordPress 3.5.1 zero-day vulnerability and sent a proof of concept (PoC) and a patch to the WordPress Security team on May 31. Hearing nothing from the team by June 7, he released the information publicly, on the SecurityFocus BugTraq mailing list and in a blog post on his website.
A user promptly identified a problem with the information Kowalewski released, saying that the vulnerability lies in the external library PHPass, a password-hashing framework developed by Solar Designer/Openwall, and not in WordPress. Kowalewski later updated his post, confirming the PHPass information and adding to it.
Was the Public Release Premature?
The confusion sparked some controversy on the blog as to whether the public release was correct and whether it was warranted. A second researcher, Peter Bez, responded to the BugTraq report, noting that he wasn't sure whether the problem is a PHPass bug or a WordPress mistake.
When asked via email whether he thought the public release would hurt rather than help, especially since he may have notified the wrong people, Kowalewski responded: "Security by obscurity is not recommended practice. I might guess I'm not the first security researcher who found this issue … I believe it is still a WordPress issue, and that it has no influence on PHPass library security."
Kowalewski added: "Using this [PHPass] library, WordPress developers missed the fact that user-controlled data is passed to an external module, which might cause unexpected behavior. Using an authorization system as it was implemented, they [the WordPress security team] should ensure that the data passed to the crypt_private function is properly validated. Code audit analysis should have also caught the problem as a potential vulnerability that might allow a denial of service attack."
What is the Real Problem?
The real problem is with how WordPress handles the external library, because that handling lets remote attackers mount a DoS or DDoS against the affected website. In a nutshell, a denial of service (DoS) attack, or a distributed denial of service (DDoS) attack when it is launched from many machines at once, happens when multiple users, or in many cases a number of bots, repeatedly request a website's pages so heavily that the site's server cannot handle the traffic. The server can no longer serve the page, and legitimate visitors are denied access to the site.
Who or What Websites are Affected?
According to the initial public disclosure and research, the vulnerability exists in no other platform using PHPass.php. In fact, only certain conditions allow the vulnerability to exist. First, a website must be using the self-hosted WordPress 3.5.1 platform and, second, the website must have published at least one password-protected page, something which is not common among WordPress users, Kowalewski said.
PHPass Developer Responds
PHPass developer Solar Designer responded to the BugTraq thread today, noting that, "Web apps (like WordPress) were indeed not supposed to expose the ability for untrusted users to specify arbitrary 'setting' strings (which include the configurable cost)."
Solar Designer's response confirms that Kowalewski is not the first to stumble on the PHPass problem, though he is the first to find the WordPress-specific instance of it, and notes that Apache is known to be easy to DDoS.
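Both Kowalewski's point (validate what reaches crypt_private) and Solar Designer's (never let an untrusted party choose the "setting" string and its cost) come down to the same check, shown here as an added example that is not WordPress's code, PHPass itself, or Kowalewski's patch. It re-implements PHPass's "$P$" portable hash in Python so the cost handling is visible, and puts the library-style check (which honours any cost up to 2**30 rounds) beside a hardened check that bounds the cost to what the site's own hashes use before doing any work. The cap `MAX_COST_LOG2 = 13` and the sample passwords and salts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# PHPass's base-64 alphabet (the one value taken from the library; everything
# else below is a re-implementation written for this example).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumption for this example: the site never issues hashes costlier than this,
# so a costlier setting string cannot be a legitimate stored hash. Set it to
# the cost your own stored hashes actually carry.
MAX_COST_LOG2 = 13


def encode64(data: bytes) -> str:
    """PHPass-style base-64: 6 bits per character, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(setting: str):
    """Return (cost_log2, salt) for a '$P$'/'$H$' setting string, or None if it is
    malformed. These are only the library's structural checks: the cost is bounded
    at 2**30 rounds, far more work than should be done for an untrusted caller."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    cost_log2 = ITOA64.find(setting[3])
    if cost_log2 < 7 or cost_log2 > 30:
        return None
    return cost_log2, setting[4:12]


def crypt_private(password: bytes, setting: str) -> str:
    """The expensive part: 2**cost_log2 chained MD5 rounds.
    Returns '*0' (or '*1') for a malformed setting, as PHPass does."""
    parsed = parse_setting(setting)
    if parsed is None:
        return "*1" if setting.startswith("*0") else "*0"
    cost_log2, salt = parsed
    h = hashlib.md5(salt.encode("ascii") + password).digest()
    for _ in range(1 << cost_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h)


def hash_password(password: bytes, cost_log2: int = MAX_COST_LOG2, salt: bytes = None) -> str:
    """Create a stored hash: id, cost character, 8-character salt, then the digest."""
    if salt is None:
        salt = os.urandom(6)  # 6 raw bytes encode to 8 characters
    setting = "$P$" + ITOA64[min(cost_log2, 30)] + encode64(salt)
    return crypt_private(password, setting)


def check_password_unbounded(password: bytes, stored_hash: str) -> bool:
    """Library-style check: whatever cost the setting string carries is honoured,
    so whoever controls stored_hash controls how much CPU time is spent."""
    return hmac.compare_digest(crypt_private(password, stored_hash), stored_hash)


def check_password(password: bytes, stored_hash: str, max_cost_log2: int = MAX_COST_LOG2) -> bool:
    """Hardened check: validate the setting string against a site-specific cost
    bound before any hashing, and refuse anything above it."""
    parsed = parse_setting(stored_hash)
    if parsed is None or parsed[0] > max_cost_log2:
        return False  # rejected without a single MD5 round
    return check_password_unbounded(password, stored_hash)


if __name__ == "__main__":
    stored = hash_password(b"correct horse", cost_log2=10)  # constructed sample
    print(stored, check_password(b"correct horse", stored), check_password(b"wrong", stored))
    # A setting string whose cost character encodes 2**30 rounds is refused up front.
    print(check_password(b"anything", "$P$" + ITOA64[30] + "A" * 30))
```

The design point is where the bound sits: `parse_setting` runs before `crypt_private`, so an over-cost setting string is rejected at the cost of one string scan rather than a billion hash rounds. Any value the application did not generate itself should be treated as untrusted input to this check, which is exactly the validation the two quotes above call for.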
Fixing the Vulnerability
WordPress hacking is, and always has been, an extremely prolific problem, as shown by the recent brute-force attacks that are still in progress at the time of writing. For the more than 6.3 million websites built on one WordPress platform or another, according to the statistics website BuiltWith, WordPress security, known as WordPress hardening among industry experts, is a priority. This is especially true for website owners who run businesses on the WordPress platform.
As for fixing the vulnerability, Kowalewski developed and released a patch that he says would take no more than five minutes to apply. He also said that for those companies that cannot change hosted source code, creating and implementing a Network Intrusion Detection System (NIDS) rule will block a potential attack.
Those who do not know how to apply patches, or are uncomfortable doing so, should remove the password from protected pages, or unpublish any pages that are protected. Doing so could stop an attacker from exploiting the vulnerability, at least until a permanent fix is implemented.