WordPress 3.0.2 update (and mod_security rule)

If you use WordPress blog software on your site, be sure to upgrade to WordPress 3.0.2 as soon as possible. The upgrade contains an important security fix for a vulnerability that allows any WordPress “author” to become an “administrator”.

Although all WordPress users should upgrade right away, we’ve added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

The WordPress bug

The exact nature of the security flaw is described in this blog post. Simply put, if an author of a post creates a trackback that contains a single quote character in WordPress 3.0.1 or earlier, they can make WordPress run database commands of their choosing. Those database commands could be used to make the author an administrator, for example.

To block this, we’ve added a mod_security rule that prevents anyone from creating a trackback URL that includes a single quote character (which is extremely unlikely to occur legitimately):

# Rule 1: only requests whose script is post.php. "chain" means the next rule
# must also match before "deny,status:412" fires and the request is audit-logged.
SecRule SCRIPT_BASENAME "^post\.php$" "deny,status:412,auditlog,chain"
# Rule 2 (chained): the POSTed trackback_url argument contains a single quote.
# Note: ModSecurity 2.7 and later also require a unique "id:" action on rule 1.
SecRule ARGS_POST:trackback_url "'"

Again, we’ve already applied this rule to our servers, so our Web hosting customers are protected. But if you run a server that hosts WordPress blogs, you should consider adding this mod_security rule to protect your users, too.
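To check what the two-rule chain above does and does not block, here is an added Python simulation of its matching logic (example code written for this post, not part of ModSecurity or WordPress). It assumes ModSecurity's usual behaviour that SCRIPT_BASENAME is the last path segment and that ARGS_POST holds the URL-decoded form body of POST requests only; the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two operators from the chain on this page.
SCRIPT_RE = re.compile(r"^post\.php$")   # rule 1: SCRIPT_BASENAME
QUOTE_RE = re.compile(r"'")              # rule 2 (chained): ARGS_POST:trackback_url


def evaluate_chain(method, path, body):
    """Return (blocked, reason) the way the chained rules would decide.

    Both rules must match for the chain to fire; the disruptive action
    (deny, status 412) is carried by the first rule, as in the post's rule.
    """
    # SCRIPT_BASENAME: last path segment of the request path, query stripped
    basename = urlsplit(path).path.rsplit("/", 1)[-1]
    if not SCRIPT_RE.search(basename):
        return False, "script basename is not post.php"
    if method != "POST":
        # ARGS_POST only covers the request body, so query-string
        # arguments on a GET never reach rule 2 (assumption noted above).
        return False, "ARGS_POST is empty for non-POST requests"
    # ARGS_POST: form-encoded body, URL-decoded, so %27 becomes a quote
    args = parse_qs(body, keep_blank_values=True)
    for value in args.get("trackback_url", []):
        if QUOTE_RE.search(value):
            return True, "deny 412: single quote in trackback_url"
    return False, "no quote in trackback_url"


# Constructed sample requests: (method, path, body)
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/post.php", "post_ID=7&trackback_url=http%3A%2F%2Fexample.com%2Fpost"),
    ("POST", "/wp-admin/post.php", "post_ID=7&trackback_url=http%3A%2F%2Fexample.com%2F%27"),
    ("POST", "/wp-admin/post.php", "post_ID=7&post_title=it%27s+fine"),
    ("POST", "/wp-admin/edit.php", "trackback_url=http%3A%2F%2Fexample.com%2F%27"),
    ("GET", "/wp-admin/post.php?trackback_url=%27", ""),
]


def run_samples():
    """Evaluate every constructed request; returns the list of blocked flags."""
    return [evaluate_chain(method, path, body)[0] for method, path, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[0], request[1], "->", evaluate_chain(*request))
```

Only the second request is blocked: a quote in a different argument, in a different script, or in a GET query string does not trip this particular chain.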