Time for some Q&A here…
Below are a few of the most oft-heard questions/statements about my previous panic-level-3 announcement regarding a serious security issue in WP and how to easily fix it temporarily (one checkbox to untick)… Along with answers:
“Is this a joke/hoax?”
Is the date the 1st of April?
“How critical is it?”
Critical enough.
Not all Wordpress users are at risk, but I don’t suppose that would be of much comfort to you if you belonged to the 30% of installs that are hackable.
“Will you tell me more about this exploit? I swear I won’t tell anybody else! This will stay between you, me and the World Wide Web…”
Frankly, if you do not understand why I won’t even be giving the slightest hint of what the exact problem is before enough people have applied the temporary fix (disabling ‘user can register’, under Options >> General) and an upgrade has been released, you are the last person I should be telling about this.
“Are you a Wordpress official? a Wordpress developer? Anybody with a title I can trust?”
Absolutely not. In fact, less than ever.
“Why don’t you leave that up to the Big Guys Who Know What’s Best For You®™ and go back to getting smashed on gin somewhere under a Parisian bridge then?”
Take your pick:
Because over the past year of distant involvement in the WP community, I have come to question and, well, often outright disagree with the way the Big Guys Who Know What’s Best For You®™ handled similar problems in the past.
Because, all modesty set aside, I am not sure how their strategy for handling such problems (which I have seen in action in the past) has proven better at containing disaster than the one I adopted here.
Or perhaps simply because, as some Big Guys Who Know What’s Best For You®™ have implied in one helpful bit of Shoot-the-messenger communication, I am an attention-craving moron with nothing better to do with his time than scare his fellow Wordpress users into <gasp> unchecking one single option in their admin screen.
“Why do you relish so much in fear-mongering, FUD and…
OMFG…
What is this?
Snakes!!!! There are motherfuckin’ SNAKES on Wordpress!!!
Ahhhh! do something!!!”
Right.
Why in the world would anyone want to make their security announcements sound too important?
All apologies for that bit of hysteria. Let me go back and add a few soothing pastel tones and some muzak to the original post.
Let’s rephrase too:
Hello, there’s a teeny itty bitty problem with your Wordpress install, feel free to do something about it, but don’t worry too much otherwise, it’s all good man.
There. Better?
Now, seriously, to those who have been equating my behaviour with shouting “bomb” in a crowded airport: get. a. fucking. grip.
This is the internet, not an airport. Computer-mice stampedes rarely kill anybody. And I’m sure even the most cheetos-infused computer nerd’s heart muscle can take the news without prematurely collapsing.
Making it sound serious is a) the only way to spread the news b) perfectly justified given the fact that, you know, this is pretty serious.
Truthfully, I don’t think there is much harm done in upping the amount of caution people display when using server software. Such exploits are common, and not solely a WP problem (all server applications have had similar issues at one point or another). Lack of awareness in the general public, if anything, is the danger. Sorry if that doesn’t really sit well with some people’s marketing pink-cloud vision of the world.
Just consider yourself lucky I didn’t use:

(embedded video; directorial credit: Leftjustified)
“You mean you didn’t just write that thing in a fit of aimless panic to scare other people out?”
There again, despite what some well-meaning people seem to have charitably been hanging on my head, I have given a bit of thought to the problem before deciding the best course of action was to invite people to disable an option in their admin tools. And for those who really care, here is how I see things:
- An exploit in WP was brought to my attention. It was neither the first one, nor probably the last one. Exploits are an unavoidable byproduct of major projects, but they are not the end of the world: you fix them and move on.
- My very first reaction with this, was telling Geoff Eby, who discovered it, to contact WP devs and take it to them in private.
- As sometimes happens, it seems, the answer wasn’t really overwhelming, and it appeared some devs (suspicion confirmed ever since) even considered this to be of the “Not Wordpress’, Somebody Else’s Problem” category. A position I reckon everybody has recanted since, but that threatened to be the official position then.
- Now, I am sure a fix will eventually be released. It will be the fourth upgrade this year. And I bet you the whole “major security issue” thing would not exactly be put in large blinking letters on top of the official download site. Ya know, you don’t want people to panic and start thinking there may be a problem or anything.
- I have absolutely no stats to confirm that, but I can also bet you there are still thousands of installs of Wordpress that haven’t even installed the previous security upgrades. “Too bad for them”, I hear you say? Well, sure, it’s not very smart, but you can’t blame them for eventually tiring of following announcements and refusing to sort out for themselves the difference between minor bug-fixing releases and major security-plugging ones (a difference that’s pretty much nonexistent in all WP official channels).
- As a result, I get word every day of one WP install or another that’s been hacked, usually using an exploit supposedly fixed months ago (just have a look at some of the comments in the previous post).
- I would be amazed, alarmist tone notwithstanding, if more than 50% of WP installs throughout the world were upgraded to a safe version by the end of the Summer.
- On the other hand, the second the patch is released, every malicious coder with two bits of brain will know exactly how to exploit older versions and will go to work.
- The fix I invited everybody to apply (namely: uncheck the ‘allow user registration’ option in WP’s General Options panel) is simple and does not reveal the exact nature of the exploit. Not only do I trust it to be more widely applied than a full-on upgrade by the less computer-proficient users, but it will ensure, by the time the upgrade is there and the exploit publicized, that far fewer vulnerable installs remain.
- So, think of it as a two-step process where we can afford to raise awareness and offer a simple temporary fix without risking helping script kiddies too much, then release the usual half-ignored patch and not have to watch the entire WP world crumble as dozens of unprotected blogs get defaced by 12-year-old pimply teenagers.
Or, you could just follow “protocol”, discuss the exploit at length in private developer mailing lists, safely out of sight from the general public (but well read by possibly every last malicious coder in the world) and release yet another semi-silent security upgrade while hoping good people hear about the news before the bad ones do…
But feel free to ignore this ranting of a madman: after all, perhaps I was just bored and figured this would be the best way to have some fun, without incurring serious cavity damage in an airport security room for mentioning snakes while boarding.
For anything else, feel free to contact your nearest Wordpress Official for further word on what to do. I’ve done my bit.
Update: Wordpress upgrade 2.0.4 should now patch this bug. If your version of Wordpress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).
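As an added example, not part of the original post and not WordPress’s own code: a small Python audit that applies the two conditions this post gives (version below 2.0.4, and “Anyone can register” enabled) to a single install, so that someone looking after many blogs can tell which ones still need attention. It assumes that the install declares its version as $wp_version in wp-includes/version.php and that the “Anyone can register” checkbox is stored as the users_can_register option in the wp_options table; the version.php text and the option rows below are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version in which, according to the post's update, the issue is fixed.
FIXED_VERSION = "2.0.4"

# Constructed sample: contents of wp-includes/version.php from a 2.0.3 install.
# Assumption: the $wp_version variable lives in this file in WP 2.0.x.
SAMPLE_VERSION_PHP = """<?php
// the WordPress version string
$wp_version = '2.0.3';
?>
"""

# Constructed sample: a few wp_options rows as {option_name: option_value}.
# Assumption: 'users_can_register' is the option behind "Anyone can register"
# under Options >> General; '1' means registration is open, '0' means closed.
SAMPLE_OPTIONS: Dict[str, str] = {
    "siteurl": "http://blog.example",
    "blogname": "Constructed sample blog",
    "users_can_register": "1",
}

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.0.4' into (2, 0, 4) so that 2.0.10 compares greater than 2.0.4.

    Plain string comparison would rank '2.0.10' below '2.0.4'. Pre-release
    suffixes such as '-beta' are ignored, so a beta is treated as its final
    version; tighten this if that matters for your inventory.
    """
    return tuple(int(p) for p in re.findall(r"\d+", s))


def version_from_php(src: str) -> Optional[str]:
    """Extract the value assigned to $wp_version, or None if it is absent."""
    m = _VERSION_RE.search(src)
    return m.group(1) if m else None


def audit(version_php: str, options: Dict[str, str]) -> Dict[str, object]:
    """Report whether one install is exposed under the post's two conditions.

    An install is considered exposed only when it is both below FIXED_VERSION
    and has open registration, which is exactly the combination the post's
    temporary workaround (untick "Anyone can register") addresses.
    """
    version = version_from_php(version_php)
    if version is None:
        raise ValueError("could not find $wp_version in the supplied source")
    patched = parse_version(version) >= parse_version(FIXED_VERSION)
    # Missing option row is treated as closed registration (WP's default).
    registration_open = options.get("users_can_register", "0") == "1"
    exposed = (not patched) and registration_open
    actions: List[str] = []
    if not patched:
        actions.append(f"upgrade to {FIXED_VERSION} or later")
    if exposed:
        actions.append("untick 'Anyone can register' (Options >> General) until upgraded")
    return {
        "version": version,
        "patched": patched,
        "registration_open": registration_open,
        "exposed": exposed,
        "actions": actions,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VERSION_PHP, SAMPLE_OPTIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report says exposed: True with both actions listed; feeding it a version.php from a 2.0.4 install, or an options row with users_can_register set to '0', clears the exposure flag while the upgrade recommendation remains for anything below 2.0.4.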
2006-07-27 at 3.21 pm
[...] Meanwhile there is a bit of commotion in the comments, and a follow-up post by Dr. Dave on the topic. Not bad linkbait, the whole thing [...]
2006-07-27 at 3.32 pm
DrD - I’m shocked so many people have tried to fault you for what you did. I for one appreciate it. If other people want to play possum and roll up in a ball, that’s their problem. Running server software is serious business and can cause serious problems. While we will always have script kiddies looking for version ‘X’ that they can exploit, I’m still amazed at the ones who poke at custom written code looking for exploits and find them (a friend of mine got nailed recently by this - bad code architecture and poof - they’re a UDP flooder in a DDoS.)
I think WordPress is an excellent system - but developers have to take security seriously. If they don’t, then no matter HOW great their product is, it’s dangerous to use. WordPress in open comment mode was unusable until SK2 came along. It was the only solution that worked. Akismet is great, but combine it with SK2 and it’s that much better. Keep up the great work, and I can only speak for myself, but if any other security alert hits my SK2 news window, no matter how shrill, I take it seriously.
2006-07-27 at 4.49 pm
[...] hold back, as far as the comments go. But you can also write a comment yourself, or send a trackback from your own site. [...]
2006-07-27 at 5.00 pm
Thanks for alerting people here, and with a visible red banner announcement in my spamkarma control panel. (Which seems to have disappeared? I’m glad I clicked it and read.)
I relayed the alert on my knitting blog. There are *tons* of knitters who have not installed the most recent upgrade (Heck, some are still using WP 1.2!!!)
For the record, I got hacked long ago. It wasn’t due to this particular issue. ( I did stuff to tighten up my own security.)
Getting hacked is inconvenient. Very inconvenient. Suggesting this simple step to prevent the possibility, was very wise. If another one arises, please do mention it!
2006-07-27 at 5.30 pm
It’s not the first time that Matt has proven himself unable to handle security issues regarding WP seriously and with the appropriate sensibility, and it won’t be the last time either.
So I wouldn’t bother at all about his manner deficits as long as there are still others that know how to handle these topics right.
I am, for myself, not a great friend of full nondisclosure policy, but security alerts like the one you’ve proven, which include both a small hint for the knowing ones and a quick solution for the usual users are totally okay for me.
2006-07-27 at 8.30 pm
Thx bud, I would’ve caught this last night if I hadn’t gone out, on a rare occasion. The scary thing is, why isn’t it on the Dashboard yet?! Maybe it has something to do with the fact that my inquiries never get answered on the support forum lol.
Thx again.
2006-07-27 at 10.48 pm
Seems like other people are already on top of this, with a much better explanation….
2006-07-27 at 11.56 pm
[...] All you have to do is go into the admin section Options > General > Membership, untick the option “Anyone can register”, and supposedly everything will be perfectly fine until the fix. I’ll keep following the matter and let you know how things stand… Otherwise, read this and this. [...]
2006-07-28 at 12.55 am
Lucia: re. sk2’s announcement: yes, as of now, they will only appear once and not bother you again (they are meant to be really lightweight upgrade announcements, not a permanent nag each time you log in).
Elliot: Please, call me a doofus, but at least give me enough credit that I wouldn’t suddenly post a panicky announcement regarding an exploit fixed two months and one version of Wordpress ago.
So, just in case the post above somehow didn’t sound clear enough: no, these people aren’t “on top” of anything, except last month’s exploit du jour, and no, they aren’t “explaining it better” (what exactly do you expect me to do? post a detailed how-to on this exploit?).
[sigh]
Everybody else: thanks for the support…
And as for anything else regarding further handling of this problem (and, err, why it’s still not appearing on WP’s dashboard feed instead of, say, Matt’s blog report about the latest cool web2.0 conference he attended somewhere)… Please contact WP officials directly and take it to them. I really am in no position to answer such [legitimate] interrogations.
2006-07-28 at 1.25 am
@Elliot: This is not the same thing.
I’d like to put out more advice, or a warning, but I am not qualified to decide how to direct this situation, or solve it, no matter how useful I think my ideas are. I passed on knowledge of it to WordPress devs last Sunday morning. By Tuesday I wondered why I couldn’t get a response.
There’s a small handful of people I identified as knowledgeable about how to proceed, and on Wednesday I informed one, Dr Dave, simply because he was available.
His idea was that a warning should be sent out immediately to prepare people for an upcoming patch, and that waiting for Matt or Ryan would take too long and they would avoid doing anything for too long before they were ready to acknowledge the problem. To Dr Dave’s credit, Ryan did initially respond to it as something that WordPress devs could ignore. And with help from Dr Dave, he’s since changed his position on this exploit to something that does require a patch.
So it’s taken until twelve hours ago for the problem to be acknowledged properly and many people have been notified. I’m not sure how long it will take for an official announcement, but the delay is confirming for me why Dr Dave chose the action he did.
2006-07-28 at 3.11 am
[...] According to Dr Dave, the celebrated creator of Spam Karma, there is a serious vulnerability in current versions of Wordpress. He says that to be safe, you should make sure that Options -> General -> Anyone can register is unchecked. My feeling is that this has something to do with the upcoming Wordpress 2.0.4 release, which was mentioned on June 29th but has not yet been finalized. [...]
2006-07-28 at 4.42 am
Thanks for this warning, Dr. Dave.
Ignore the critics. I believe you did the right thing.
2006-07-28 at 4.52 am
Dr. Dave.
Your red banner announcement is actually much more effective than the dashboard. I don’t know about other users, but I rarely check the dashboard. I check issues associated with spamkarma or Akismet every day. So, it worked very well. I was just wondering if I was hallucinating because I knew I’d seen the red banner and later it was gone!
I think it’s terrific you came up with the idea in the first place. So, thanks again.
2006-07-28 at 6.37 am
[...] Anyway, as you can guess he’s taken plenty of heat for this, because loads of people are now searching for the hole and trying to figure out how to exploit it. Most of these people just want to protect their own blogs. Others might be searching so that they can use this exploit against others. There are certain people I would not like to be right now… [...]
2006-07-28 at 6.45 am
[...] Update 28.07.06, 06:43: Dr. Dave has meanwhile responded to the various questions in a new article, and in passing (in comment no. 10) sets the record straight that the reported security hole does not relate to Wordpress versions before the current version 2.0.3 (see also unknowngenius.com/blog[2]: Elliot: Please, call me a doofus, but at least give me enough credit that I wouldn’t suddenly post a panicky announcement regarding an exploit fixed two months and one version of Wordpress ago. [...]
2006-07-28 at 7.28 am
[...] [cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention] Source. A little more information on the matter [...]
2006-07-28 at 9.46 am
Lucia
Well, I’m very glad to hear it. Regarding the usefulness of Dashboard announcements, well, I’m trying as much as possible to stay out of this debate, because sincerely, I’ve really had my share, but: at the time, many people (yours truly included) pointed out that it was absolutely pointless to have such a way of communicating news if it was abused for ego gratification the way it was. It should be bleeding obvious that broadcasting 20 loosely related “Wordpress News” a week (that is, posts talking about Wordpress on either of the main developers’ blogs) would make this channel all the less suited for real upgrade and security broadcasts.
As I said, the debate happened, and as was usually the case, didn’t really lead anywhere (at least not where the majority of sensible people were taking it).
Now you have a better idea why I picked the road I did.
2006-07-28 at 11.37 am
[...] According to Software Guide, the security hole is already fixed in the Wordpress 2.0.4 beta version. It has not been officially released yet, but according to Software Guide it is stable. More information on the topic is available in the Wordpress.de forum, at the S-O-S SEO Blog and in this post by Dr. Dave. [...]
2006-07-28 at 1.42 pm
Ok.. I looked at the dashboard. I have a question:
1) When the WP guys announced the upgrade to 2.03, they refer to a bug reported at bugtrack. Is bugtrack a blog? A spot on the WP site? Why didn’t they link to it so we could read about it? (I googled on bugtrack. It’s listed on many of the blogs announcing the upgrade, but not linked.)
2) What the heck was the security bug? Presumably it’s already discussed at bugtrack, so dedicated hackers can find it out, but people who spend their time doing other things aren’t going to be spending their days searching.
2006-07-28 at 2.50 pm
Wordpress security - urgently disable user registration
According to Dr. Dave and others, there can be a security problem in all WordPress versions when users are allowed to register.
It is urgently recommended to disable registration for guests and all unknown guest …
2006-07-28 at 3.50 pm
WordPress Security Issue
Dr. Dave, the dude behind Spam Karma, has issued a warning to all WordPress users. A message popped up on my Spam Karma 2 dashboard warning of a potential security vulnerability in WordPress. Here’s part of the warning:
If you are running Wordp…
2006-07-28 at 3.51 pm
Dave,
thanks for the advise!
Have you tried to submit this issue to SECURITYFOCUS or any other CERT? Probably that will propagate it much faster and better.
Ignacio.
2006-07-28 at 6.36 pm
[...] see Dr. Dave (part 2). [...]
2006-07-29 at 10.45 am
Dear Dr. Dave, thanks for the announcement - but please, can you clarify if the issue has been fixed in 2.0.4?
2006-07-29 at 10.54 am
[...] More info in the Wordpress.de forum, at the S-O-S SEO Blog and in the follow-up post by Dr. Dave. [...]
2006-07-29 at 2.50 pm
If it was, I don’t see it: http://trac.wordpress.org/query?status=closed&milestone=2.0.4
But obviously only Dr D can say for sure. None of those security fixes seemed like a non priv user exploit. My guess is it was not since 2.0.4 was hitting beta just as Dr D sent his announcement. Just a guess.
2006-07-29 at 3.26 pm
Yeah, inquiring minds want to know, does 2.0.4 fix the issue? I had several of my older sites still on 2.0.1 and 2.0.2 so I took the initiative today to upgrade every one of my sites to 2.0.4.
2006-07-29 at 3.36 pm
Update on the security flaw
The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.
As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).
(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if it doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want i̶n̶v̶e̶s̶t̶o̶r̶s̶ users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.
And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public, with a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news items, as its only communication.
2006-07-29 at 3.41 pm
[...] I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week. [...]
2006-07-29 at 3.47 pm
Regarding people still running 1.5:
Trust me, I am the first one annoyed by this (considering how some of my blogs still happily run 1.5 with little will to upgrade), but it is now time to seriously consider upgrading.
I wish there were a better way, especially considering WP 2.0 comes with its own bunch of issues, bugs and security issues, but it will become increasingly tedious to keep up with all the security fixes and provide 1.5-compatible patches for them. Chiefly thanks to the aforementioned level of transparency and communication around these flaws: it takes skills worthy of a 70’s Eastern European spy to manage to extort clear information from the Powers That Be on every single security flaw that may affect each version of Wordpress.
I, for one, will keep user reg disabled on my 1.5 blogs, quickly tweak the most critical bits and look into upgrading to an easier-to-maintain platform (be it WP or other) soon enough. I advise you do the same, or your life will be a Kafkaesque hell of muddy bug report decrypting and patch maintenance.
2006-07-29 at 9.02 pm
[...] This advice comes courtesy of Dr. Dave. He has posted a detailed follow-up to his initial warning which may also be of interest. [...]
2006-07-30 at 3.30 pm
thanks Dave!
2006-07-30 at 9.52 pm
[...] This might be a slight follow up to Dr. Dave’s Followup on Wordpress Security Issue. I just woke up after a long flight from Virginia to Tokyo and got to this link via Jem’s site. Details on the vulnerability are sketchy so I thought I’d take a look for myself. The followup post said that the issue is corrected with the Wordpress 2.0.4 upgrade. So I downloaded the newest version and compared it to my current install. I haven’t been looking long, but here’s what I found so far. [...]
2006-07-31 at 11.28 am
Well, here are all the changes between WP 2.0.3 and WP 2.0.4:
http://trac.wordpress.org/log/branches/2.0?action=stop_on_copy&rev=4066&stop_rev=3826&mode=stop_on_copy
Does NOT include the security fix though does it? I would guess no way!! ???
2006-07-31 at 1.21 pm
[...] With the update to 2.0.4, Wordpress closes several security holes. Dr Dave drew attention to the security holes in his blog; as a workaround, guests should be forbidden from registering, but it is better to install 2.0.4: download, copy over, done! [...]
2006-07-31 at 1.21 pm
Wordpress update to 2.0.4 security fix
Version 2.0.4 of the popular blog software Wordpress plugs several critical holes and fixes a total of 50 bugs. The update should be installed as soon as possible.
…
2006-07-31 at 1.53 pm
[...] Followup on Wordpress Security Issue [...]
2006-07-31 at 1.57 pm
[...] For WP users who don’t read the WP announcements on their Dashboards (or have customized their admin home page entirely like I did for SheeroMedia), you might want to head over to the WordPress download section for an update. I don’t normally blog about things like this, but Dr. Dave’s blog post about it made me a bit concerned. [...]
2006-07-31 at 4.25 pm
[...] Speaking of which, the discussion around security issues always seems to trigger some hefty debates. Whether to reveal every problem immediately, or to keep it under the hood until a solution exists, or even don’t mention security at all, just make the fixed version available with some vague improvement promises. Well, read this one for yourself here: Dr Dave » Followup on Wordpress Security Issue. [...]
2006-08-01 at 12.12 am
[...] If you use WordPress, you would do well to know that WordPress 2.0.4 is now available, as more than 50 bugs have been found, but above all one of them appears to be terribly critical. So much so that its authors did not want to reveal exactly what it is, but they urge everyone to spread the word and to update your blog urgently. [...]
2006-08-01 at 9.48 am
[...] Dr Dave Followup on WordPress Security Issue [...]
2006-08-09 at 2.31 pm
[...] Technikecke, Wordpress Tags: Blog, Wordpress. Already on July 29 the Wordpress team released a new version of the blog software. Today this also appears on Heise as a news item. The reason is that the current version is also said to fix a critical security hole: attackers could break into vulnerable systems through the hole; further details are not yet known. Last week the former WordPress developer using the pseudonym “Dr Dave” warned of the flaw in his blog and advised WordPress users to disable user registration for guests. However, he too gives no details about the bug, not even in an F.A.Q. about his warning. Chief developer Matt Mullenweg has not yet responded to an inquiry from heise Security about the bug. Source: Heise Online [...]
2006-08-18 at 10.56 pm
facilitating hack a vulnerability?
Ok.. So finally Kim did post about my exploit…. (our communication on the subject has been via email so far). I’m not too sure if it should be termed a “hack” though, just because if the intention was to hack, I could have very …