archGFX » security

WordPress 2.3.3 Spam Exploit

adam — Thu, 27 Mar 2008 16:24:56 +0000

If you run a wordpress blog, you should be reading Blogsecurity. This is the feed I use, that only includes the wordpress advisories. I think it's a damn shame that this feed isn't included in the wordpress planet that's syndicated across everyone's dashboard. Security is far more important than wordcamp.

I'm only bringing this up because there's a new WordPress 2.3.3 exploit that's as-yet unpatched. So far it seems to only affect blogs with open registration, but no one's yet sure what exploit is being targetted. So far the only stopgap solution is to create a directory in wp-content/ called 1/, and set the permissions to 000, using an FTP program:

While you're in there, you should also make sure your wp-content/ directory is set to 755, and you should set wp-content/index.php to 444, since the exploit seems to replace that file as well.

Shame on me

adam — Mon, 12 Nov 2007 13:59:25 +0000

I've been lax in my personal security. Until last week, I only had 5 or so passwords. 1 for bank-grade security sites that required a strong password, 1 for physical computers, a few old ones, and the kicker, 1 for everything on the internet. Evidently I either signed up for something not so safe, or authenticated in plain text somewhere unsafe. Or my "everything password" wasn't that secure.

Either way, someone guessed, stole, or cracked their way to my paypal account, and bought a couple hundred dollars worth of shareware via SWReg.org. The funds came from a savings account so my first warning actually came from paypal, who placed restrictions on my account after the first couple login attempts failed.

I called up to report the fraudulent charges, and while the woman did helpfully explain that I could have done this all without taking my fingers off the keyboard, it was a good thing. Besides being incredibly nice to someone asking questions from the FAQ, She also gave me a little shpiel about their new security keys, and offered to send me one. Given my love of 1) free shit 2) security (present idiocy notwithstanding) 3) gadgets, I think you can guess my answer.

It's a VIP token, a pretty badass little toy. You push a button and it generates a 6-digit number that's good for 30 seconds or so, which you use when you sign into your paypal + ebay accounts. Not only that, but since it's made by verisign, you can add it to your PIP openID as well. Now, in addition to having changed all my internet passwords, I've got ridiculously strong security on anything that I sign into with OpenID. I'm using it for this site with openID+ v2.0(released friday), although the previous versions have been glitchy.

Unfortunately, I still haven't finished with paypal yet. I have a premier account, which at some point required a land line. I no longer have a home phone, so they have to physically mail me something, to restore my account. That's just for the restrictions, though. They've already refunded the fraudulent charges.

Link Spam in WP2.3

adam — Sat, 20 Oct 2007 12:26:47 +0000

Anyone running wordpress 2.3 with the "Anyone can register" checkbox on, should go grab WordPress 2.3.1 Beta 1, as there's an exploit1 in the wild. Meaning spammers are already using it to insert any link they please into your blogroll. Another solution is to close registration and delete any users you don't know.

h/t Root

not traditionally an exploit, there is no user privilege escalation, but users are allowed to access to a feature that should be restricted

Buckshot, Ep. 3

adam — Fri, 25 May 2007 16:16:50 +0000

If Paul was gay, I would hate christianity less. Then again, without the misogyny and homophobia, would it even have survived this long?
No wonder people steal music:

So... I guess as a reward for being a "true fan" you get ripped off.

I love Trent Reznor. Although i have to say, the EURO max single is one of those things that people seem to like getting abused over.
WordPress 2.0 was so numbered to go along with the Web 2.0 buzz, but it lacked tags, which were the hallmark of web 2.0. it will be greatly amusing when the version that includes tags bumps the version number to 3.0. Web 3.0, of course, is supposed to be the semantic web. Surely, then, wordpress 4.0 will give us the semantics which will be dated by then?
98% of wordpress blogs are vulnerable. 50 is a small sample size, but there's no doubt in my mind that the figure is accurate. If upgrading weren't such a PITA, mightn't the number be lower, though?