Home

Previous Entry | Next Entry

Adventure of the XSS wp_footer() PayPal exploit

  • Dec. 3rd, 2007 at 8:58 PM
technical
How hard do I rock?  Let me give you an example.

Date:  The near future.

Scene: David's blog, a jewel of php code, with a few custom modifications to the WordPress framework.  Does anybody else have an <image> element in their <channel> in their feed-rss.php family?  Doubtful.  Oh, how about user friendly "there's more content this way" ellipses in their wp_trim_excerpt() function in their formatting.php?  Ha!  The world would be so much nicer if only they did.

But what's this?  There's danger brewing.

A vulnerability in the pingomatic server unleashes a feedback ping ripping a hole via XSS into every single wp_footer().  Everybody who posts, pings.  And everybody who pings gets spam added to their footer.  And everybody who pings suffers a debit from their PayPal account.

Never fear!  Matt Mullenweg's team of crack coders patches the hole the exploit accessed in the WordPress code.  But now WordPress users across the world must scramble to follow the tedious upgrade instructions.  And then re-apply their custom changes.

Oh, the humanity!  Why isn't David panicking?  Why isn't he in despair?  Doesn't he realize the danger to his blog?!  Doesn't he realize the tedium that awaits him?

Let's zoom in and see what he's doing...

David grabs a few dark chocolate covered espresso beans, and casually pops them into his mouth.  He ssh logs into his blog's directory.  He types,

svn sw http://svn.automattic.com/wordpress/tags/2.3.2/

and logs out.  He's done.  His blog is updated, protected, and his customizations are intact.  He turns up his MP3 player and goes outside to enjoy the sun.

(In other words: My blog is now a subversion sandbox.  Whee!)

Tags:

Comments

( 5 comments — Leave a comment )
[info]pastilla wrote:
Dec. 4th, 2007 03:06 pm (UTC)
:: daemon morphs into a penguin with glasses ::
| Reply | Thread
[info]dblume wrote:
Dec. 4th, 2007 05:54 pm (UTC)
I get insanely happy about the dumbest things.

The stuff above about my customizations, and how tedious it made upgrading was true. So making it a sandbox really helps.

This was as good as sorting out the garage.
| Reply | Parent | Thread
[info]superflytrap wrote:
Dec. 4th, 2007 05:56 pm (UTC)
Think you can re-explain for the layman? Or in my case, the Lame-man?
| Reply | Thread
[info]dblume wrote:
Dec. 4th, 2007 06:29 pm (UTC)
WordPress (and some of its themes), the engine I use for my blog, really has suffered XSS and wp_footer() exploits.

So everybody who hosts their own WordPress blog has to get the patches when they come out. (See the link to the tedious instructions above.) It's even worse if you customize the engine like I do.

Making my blog run directly out of a subversion sandbox means that updating to the latest (or any specified) code (while retaining my changes) can be done in one easy step.

I rock. (Well, automattic rocks, actually, for enabling me to rock.)
| Reply | Parent | Thread
[info]tpederson wrote:
Dec. 11th, 2007 10:31 pm (UTC)
Even though you'll have to explain this to me later to fully understand how much you rock, it's nice to see someone so happy with them self. I strive for that very same feeling my friend.

I heard some of the little people today saying "Yeah I'm in a subversion sandbox too... OK well sort of. Oh God, I don't even know what subversion sandbox is, I'll never be like Dave".
| Reply | Thread
( 5 comments — Leave a comment )