David (dblume) wrote,

Adventure of the XSS wp_footer() PayPal exploit

How hard do I rock?  Let me give you an example.

Date:  The near future.

Scene: David's blog, a jewel of php code, with a few custom modifications to the WordPress framework.  Does anybody else have an <image> element in their <channel> in their feed-rss.php family?  Doubtful.  Oh, how about user friendly "there's more content this way" ellipses in their wp_trim_excerpt() function in their formatting.php?  Ha!  The world would be so much nicer if only they did.

But what's this?  There's danger brewing.

A vulnerability in the pingomatic server unleashes a feedback ping ripping a hole via XSS into every single wp_footer().  Everybody who posts, pings.  And everybody who pings gets spam added to their footer.  And everybody who pings suffers a debit from their PayPal account.

Never fear!  Matt Mullenweg's team of crack coders patches the hole the exploit accessed in the WordPress code.  But now WordPress users across the world must scramble to follow the tedious upgrade instructions.  And then re-apply their custom changes.

Oh, the humanity!  Why isn't David panicking?  Why isn't he in despair?  Doesn't he realize the danger to his blog?!  Doesn't he realize the tedium that awaits him?

Let's zoom in and see what he's doing...

David grabs a few dark chocolate covered espresso beans, and casually pops them into his mouth.  He ssh logs into his blog's directory.  He types,

svn sw http://svn.automattic.com/wordpress/tags/2.3.2/

and logs out.  He's done.  His blog is updated, protected, and his customizations are intact.  He turns up his MP3 player and goes outside to enjoy the sun.

(In other words: My blog is now a subversion sandbox.  Whee!)

[Edit January 17 2011]: The above story is over three years old and is fiction, based loosely on real-life events.  Dark chocolate covered espresso beans really are delicious, though.  Some other things have changed since 2007.  Notably:
  • Backdoors installed into your Wordpress blog aren't automatically removed when you simply update the sources.  There could be eval() calls in your downloaded theme or in database table rows, for example.
  • Deploying your working Version Control System sandbox onto the web isn't a good idea.  Make your changes in your sandbox, and follow a deploy procedure that gets the desired files onto the server.
  • Wordpress now has an automatic update feature.  You can update Wordpress's source code from its control panel.
Tags: code, wordpress

  • Wonderful Early Father's Day

    We've got some neighborhood commitments on Father's Day, so my family decided to celebrate an early Father's Day today, just for me. My one…

  • More JPop OP/EDs (Bonnie Pink, Sowelu, Amuro, etc.)

    I must be in a wistful mood. Some of the songs making it into my frequently played lists are various openings and endings to dorama and anime. I've…

  • Black Lagoon's Anime OP

    As a matter of rule, I don't watch the opening or closing credits for anime on DVD. I'll watch them once to see how they look, but unless their…

  • Post a new comment


    Comments allowed for friends only

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded