WordPress 2.8.4 security update

If you use WordPress blog software on your site, be sure to upgrade to WordPress 2.8.4 as soon as possible. The upgrade contains important security fixes.

Although all WordPress users should upgrade right away, we’ve added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

The first thing to be concerned about is the problem fixed in version 2.8.4. Earlier versions allowed strangers to repeatedly reset the administrator’s password to a random string of text. This doesn’t allow the stranger to gain access to your blog, but it sure is annoying.

The exploit works because PHP interprets an HTTP parameter whose name ends with a pair of square brackets, like this:

key[]=

… as an array, and WordPress didn’t check for that possibility. These mod_security rules block any parameters to wp-login.php that contain square brackets:

SecRule REQUEST_FILENAME "/wp-login\.php$" "deny,status:412,auditlog,chain"
SecRule ARGS_NAMES "\["

So that will prevent strangers from resetting passwords.

In addition to that, we’ve discovered something else interesting. Earlier versions of WordPress (all versions before 2.8.3) seem to contain more of a security problem than previously thought.

The release announcements for versions 2.8.1 and 2.8.3 said “admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked”, then “I missed some places when fixing the privilege escalation issues for 2.8.1”.

Allowing unprivileged users to see information they shouldn’t see is undesirable, but again, it doesn’t seem to allow strangers to take over your blog.

Unfortunately, we’ve found that the bug does actually allow clever unprivileged attackers to change some of the blog settings in version 2.8.2 and earlier. And a really clever attacker can leverage this into a “remote code exploit” by taking advantage of a strange PHP feature called “Complex (curly) syntax”. The blogs of two of our customers were hijacked today by an exploit that does exactly this.

We won’t go into full details yet, because it doesn’t seem that the vulnerability has been published elsewhere (we’ve contacted the WordPress folks in case they weren’t aware). But we will say that the attack can’t succeed unless the server allows people to request “wp-admin” URLs with two consecutive slashes, so the following mod_security rule blocks it:

SecRule REQUEST_FILENAME "wp-admin.*//" "deny,status:412,auditlog"

So there are several reasons to make sure you’ve upgraded your own blog to 2.8.4. (The WordPress “automatic upgrade” feature usually makes this easy.) And if you run a server that hosts WordPress blogs, consider adding the two mod_security rules mentioned above to protect your users.
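To see exactly what the two rules above accept and reject, here is an added Python re-implementation of their matching logic (this is an illustration written for this post, not ModSecurity and not code from WordPress), run over a handful of constructed request URLs:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Python re-implementation of the two mod_security rules from the post.
# Added illustration, not ModSecurity itself; ARGS_NAMES is modelled from the
# query string only (POST bodies are not parsed here).
LOGIN_PATH = re.compile(r"/wp-login\.php$")      # REQUEST_FILENAME "/wp-login\.php$"
BRACKET_IN_NAME = re.compile(r"\[")               # ARGS_NAMES "\["
ADMIN_DOUBLE_SLASH = re.compile(r"wp-admin.*//")  # REQUEST_FILENAME "wp-admin.*//"


def arg_names(query: str) -> list:
    """Parameter names as ModSecurity sees them: URL-decoded, blank values kept,
    so 'key[]=' and 'key%5B%5D=' both yield the name 'key[]'."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def check_request(url: str) -> str:
    """Return 'deny' or 'allow' for a request path plus optional query string."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    # Rule 1 is a chain: the path test AND the argument-name test must both match.
    if LOGIN_PATH.search(path) and any(BRACKET_IN_NAME.search(n) for n in arg_names(query)):
        return "deny"
    # Rule 2: two consecutive slashes anywhere after "wp-admin" in the path.
    if ADMIN_DOUBLE_SLASH.search(path):
        return "deny"
    return "allow"


# Constructed sample requests (not real traffic).
SAMPLES = [
    "/wp-login.php?action=rp&key[]=",       # array-typed reset key -> deny
    "/wp-login.php?action=rp&key%5B%5D=",   # same thing URL-encoded -> deny
    "/wp-login.php?action=rp&key=abc123",   # ordinary reset link -> allow
    "/wp-admin//options-permalink.php",     # double slash WordPress did not trim -> deny
    "/wp-admin/options-permalink.php",      # normal admin path -> allow (PHP-side capability check still needed)
    "/index.php?p[]=1",                     # brackets outside wp-login.php -> allow
]


def run_samples() -> dict:
    """Map each sample URL to the verdict the two rules would give it."""
    return {url: check_request(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:5s} {url}")
```

Note that the bracket rule only fires for wp-login.php, so array-style parameters elsewhere on the site are left alone, and the double-slash rule does nothing to replace the missing current_user_can check inside WordPress itself.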

Update September 6: The new security problem we mentioned above is being widely discussed in posts like How to Keep WordPress Secure and Old WordPress Versions Under Attack. Although our customers have been protected against this particular new attack since August 12, as described above, you should certainly still upgrade your copy of WordPress to protect against other attacks.

Final update: The technical details of the problem in WordPress 2.8.2 and earlier were that WordPress was not trimming double slashes from paths like /wp-admin//options-permalink.php, which allowed anyone to load it. In addition, the “options-permalink.php” file was missing the if ( !current_user_can('manage_options') ) check that prevented any registered user from changing the permalink structure by accessing such a URL. So anyone who could register could also change the permalink structure. And a third issue meant that changing the permalink structure to include the bizarre text ({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+) caused WordPress to run remote code. The WordPress folks fixed these three bugs here, here, and here, respectively.

2 Comments

  1. Thanks for the tip dears! Updated!

  2. Thanks so much for the preventive action, Robert.

    The worm hit hard this weekend:

    http://wordpress.org/development/2009/09/keep-wordpress-secure/

    http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/

    http://mashable.com/2009/09/05/wordpress-attack/

    Nice to know that all my clients’ sites have been protected!

    Griff