December 3rd, 2007

technical

Adventure of the XSS wp_footer() PayPal exploit

How hard do I rock?  Let me give you an example.

Date:  The near future.

Scene: David's blog, a jewel of php code, with a few custom modifications to the WordPress framework.  Does anybody else have an <image> element in their <channel> in their feed-rss.php family?  Doubtful.  Oh, how about user friendly "there's more content this way" ellipses in their wp_trim_excerpt() function in their formatting.php?  Ha!  The world would be so much nicer if only they did.

But what's this?  There's danger brewing.

A vulnerability in the pingomatic server unleashes a feedback ping ripping a hole via XSS into every single wp_footer().  Everybody who posts, pings.  And everybody who pings gets spam added to their footer.  And everybody who pings suffers a debit from their PayPal account.

Never fear!  Matt Mullenweg's team of crack coders patches the hole the exploit accessed in the WordPress code.  But now WordPress users across the world must scramble to follow the tedious upgrade instructions.  And then re-apply their custom changes.

Oh, the humanity!  Why isn't David panicking?  Why isn't he in despair?  Doesn't he realize the danger to his blog?!  Doesn't he realize the tedium that awaits him?

Let's zoom in and see what he's doing...

David grabs a few dark chocolate covered espresso beans, and casually pops them into his mouth.  He logs in over ssh, changes into his blog's directory, and types,

svn sw http://svn.automattic.com/wordpress/tags/2.3.2/

and logs out.  He's done.  His blog is updated, protected, and his customizations are intact.  He turns up his MP3 player and goes outside to enjoy the sun.

(In other words: My blog is now a subversion sandbox.  Whee!)

[Edit January 17 2011]: The above story is over three years old and is fiction, based loosely on real-life events.  Dark chocolate covered espresso beans really are delicious, though.  Some other things have changed since 2007.  Notably:
  • Backdoors installed into your WordPress blog aren't automatically removed when you simply update the sources.  There could be eval() calls in your downloaded theme or in database table rows, for example.
  • Deploying your working Version Control System sandbox onto the web isn't a good idea.  Make your changes in your sandbox, and follow a deploy procedure that gets the desired files onto the server.
  • WordPress now has an automatic update feature.  You can update WordPress's source code from its control panel.
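To make the first point concrete, here is an added example (my own script, not part of the original post or of WordPress): an `svn sw` to a release tag only rewrites files Subversion tracks, so anything `svn status` reports as unversioned (`?`) or locally modified (`M`) is exactly what the update leaves alone, and that is where a planted eval() survives.  The script assumes `svn status` output saved to a file; the checkout and the status listing below are constructed so it runs offline, and database rows still need a separate query.

```shell
#!/bin/sh
# Added example, not code from the original post. After `svn sw` to a tag,
# files svn does not control ('?') or that carry local edits ('M') are left
# untouched, so a backdoor dropped there survives the update. This checks
# exactly those paths for eval() calls. Inputs are constructed for the demo.

# Print the paths an `svn sw` will not overwrite: unversioned or modified.
untouched_paths() {
    # $1 = file holding `svn status` output (first column is the status code)
    awk '$1 == "?" || $1 == "M" { print $2 }' "$1"
}

# Read relative paths on stdin; print "path:line:text" for each eval( found.
scan_for_eval() {
    # $1 = WordPress root directory
    while IFS= read -r rel; do
        case "$rel" in *.php) ;; *) continue ;; esac   # only PHP can eval()
        [ -f "$1/$rel" ] || continue                   # skip dirs, deleted files
        grep -n -i 'eval[[:space:]]*(' "$1/$rel" | sed "s|^|$rel:|"
    done
}

# Constructed sandbox: a clean, locally modified theme file plus an
# unversioned file carrying an eval() marker, and the matching status listing.
demo_scan() {
    root=$(mktemp -d)
    theme="$root/wp-content/themes/mytheme"
    mkdir -p "$theme"
    printf '<?php echo "ellipsis tweak"; ?>\n' > "$theme/header.php"
    printf '<?php\n// constructed marker, not a real payload\neval($payload);\n' > "$theme/footer-extra.php"
    printf 'M       wp-content/themes/mytheme/header.php\n?       wp-content/themes/mytheme/footer-extra.php\n' > "$root/status.txt"
    untouched_paths "$root/status.txt" | scan_for_eval "$root"
    rm -rf "$root"
}

demo_scan
```

On a real checkout, replace the constructed listing with `svn status > status.txt` run from the blog's root, then feed it to the same two functions.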