The WordPress Security Update



by Thomas Rutter

Stefan Esser over at the PHP Security Blog is not happy. He has just written a blog post titled WordPress - developers totally nuts, claiming that only hours after releasing version 1.5.2, the developers patched additional security flaws and re-uploaded the download file without labelling it any differently. Stefan had previously contacted WordPress about security flaws in their product and had contributed patches. The end result, according to Stefan, is that many WordPress users who downloaded the original 1.5.2 archive will still be vulnerable to known and published exploits, with nothing in the version number to tell them so.

Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress - irresponsible silent tarball update’ without notice.

A similar rant about WordPress security by Martin Geisler can be found on his blog. His advice: “Remember to upgrade any installation you might have”.

Dougall Campbell, a WordPress developer, responds to what he sees as a campaign of fear, uncertainty and doubt against the 1.5.2 release. Dougall admits that the first downloadable archive posted on wordpress.org didn’t contain all the security fixes they intended to include, but says the situation was rectified before the official announcement of the release was posted, and that therefore anybody who downloaded the archive after the announcement went up is safe from the problem.

According to Stefan’s post, the exploit in question involves a function in WordPress’s code intended to work around servers which have register_globals enabled. With register_globals on, PHP turns every request parameter into a global variable, so any variable a script forgets to initialise can be set by the client. The function checks whether register_globals is enabled in the PHP configuration and, if so, tries to unset each global variable that was created from the request. The function inadvertently introduced an additional flaw, allowing remote users to bypass the very protection it was meant to offer.
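A clean-up routine of the kind described above, as an added example: this is not code from the original post, not WordPress’s own routine, and not the bypass Stefan reported (the post does not say how that bypass worked). It shows one generic way such routines come up short: a naive version undoes only what `$_REQUEST` shows, while register_globals also imported `$_SERVER`, `$_ENV` and `$_FILES` entries, so a client-chosen HTTP header survives as a global; the hardened version walks every source, refuses to touch the superglobals themselves, and keeps an allow-list of the script’s own trusted globals. The request data and variable names are constructed for the demo, and register_globals itself (removed in PHP 5.4) is simulated with assignments into `$GLOBALS`.

```php
<?php
// Added illustration, not WordPress's code and not the routine Stefan Esser
// patched: a register_globals clean-up of the kind the post describes, first
// naive, then hardened. register_globals was removed in PHP 5.4, so its effect
// is simulated below; runs stand-alone with the php CLI.

// Simulate register_globals: PHP imported every key of every source listed in
// variables_order (by default E, G, P, C, S) into the global symbol table.
function simulate_register_globals(array $sources): void
{
    foreach ($sources as $source) {
        foreach ($source as $key => $value) {
            $GLOBALS[$key] = $value;
        }
    }
}

// Naive clean-up: undo only what is visible in $_REQUEST (GET, POST, COOKIE).
// Anything register_globals imported from $_SERVER, $_ENV or $_FILES survives.
function unregister_globals_naive(): void
{
    foreach (array_keys($_REQUEST) as $key) {
        unset($GLOBALS[$key]);
    }
}

// Hardened clean-up: walk every source register_globals draws from, never touch
// the superglobals themselves, and keep an explicit allow-list of the script's
// own trusted globals so the loop cannot be used to knock them out.
function unregister_globals_hardened(array $keep = []): void
{
    $never = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
              '_SERVER', '_ENV', '_FILES', '_SESSION'];
    $sources = [$_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, $_SESSION ?? []];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array($key, $never, true) || in_array($key, $keep, true)) {
                continue;
            }
            if (array_key_exists($key, $GLOBALS)) {
                $GLOBALS[$key] = null; // clear the value even if something still references it
                unset($GLOBALS[$key]);
            }
        }
    }
}

// Constructed request (assumed, for the demo): one cookie and one HTTP header
// chosen by the client. With register_globals on, both became plain globals.
$_GET    = ['page' => '2'];
$_COOKIE = ['is_admin' => '1'];
$_SERVER['HTTP_X_IS_ADMIN'] = '1';
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

$imported = [$_GET, $_POST, $_COOKIE, ['HTTP_X_IS_ADMIN' => $_SERVER['HTTP_X_IS_ADMIN']]];

simulate_register_globals($imported);
unregister_globals_naive();
printf("naive:    is_admin set=%s HTTP_X_IS_ADMIN set=%s\n",
       var_export(isset($is_admin), true), var_export(isset($HTTP_X_IS_ADMIN), true));

simulate_register_globals($imported);
unregister_globals_hardened(['argv', 'argc']); // the CLI's own globals are trusted
printf("hardened: is_admin set=%s HTTP_X_IS_ADMIN set=%s page=%s\n",
       var_export(isset($is_admin), true), var_export(isset($HTTP_X_IS_ADMIN), true),
       $_GET['page']);
```

The naive run leaves `$HTTP_X_IS_ADMIN` in place because it was never in `$_REQUEST`; the hardened run removes both injected globals while `$_GET['page']` stays readable, which is the point: code should read request data from the superglobals, and the clean-up exists only to stop that data from masquerading as the script’s own variables. The allow-list matters in the other direction too: without it, a request carrying a key that matches a trusted global becomes a way to unset it.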

This post has 14 responses so far

  1. Just a “little” correction.

    “Dougall admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include…”

    This sounds as if they only forgot to put a fix into the release, but this is simply not true, because I downloaded the 1.5.2 release tarball to check if they had really fixed the SQL holes that I had reported. I realised that those were fixed, and so I checked how they fixed the remote code execution. It turned out that this fix was worth nothing because it was easily bypassable, and so I sent them a patch to fix it (7 hours before the replacement).

    And there are enough timestamps in the subversion tree, the release tarball and the blog posting to prove that the announcement was made AT LEAST 4 hours and 45 minutes before the tarball was replaced, and that the original tarball was created 9 hours before the replaced one.

     
  2. “Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress - irresponsible silent tarball update’ without notice.”

    So the term “Update:” is no notice of changes? And you really compare a changed blog entry title with a silently fixed remote code execution hole? And by the way, the blog title was changed only minutes and not hours after the post.

    It was bad luck that planet-php and other aggregators were fast enough to get the explicit title. However, it underlines that even in a very, very short time window downloads are possible.

     
  3. PHP itself did such a thing with 5.0.4 or 5.0.3 (I don’t remember exactly) and it is quite a stupid thing for a mature project :-(

     
  4. Mr. Anonymous, this is partly right. It is true that PHP 5.0.4 was re-released. But a) it was mentioned on the download site and not done silently, and b) this was because the original tarball was lacking files; it was broken. c) PHP would never change a tarball afterwards to silently fix a security problem.

     
  5. I thought this behaviour (silent re-release) was the property of proprietary software vendors! (I work in such a company and this is what we do every day :-/)

    I can’t understand why WordPress developers did this!

     
  6. And.. now announcing the new SitePoint blogs… powered by Wordpress!

     
  7. I thought this behaviour (silent re-release) was the property of proprietary software vendors!

    Perhaps WordPress is going proprietary.. lol

     
  8. About PHP :-)
    a) mentioned on the download site!!! The right place is the front page!!! I will never check the download page if there is no new version. Now I have a file called php-5.0.4.tar.bz2; should I check EVERY TIME if it is the correct file? (I still have this buggy file somewhere)
    b) lacking files from PEAR, OK, not a security problem, but still a bug
    c) you never say never :-)

    P.S. I don’t know WordPress at all (hadn’t heard of it until now). I am just disappointed by PHP and their style of development over the last few months/years, and I am pressed to try alternatives, that’s all (just a fit of nerves). Peace! :-))

     
  9. […] I hadn’t visited SitePoint’s site in a long while; today, while debugging a program that uses its RSS feed, I happened to notice that at some point it had quietly switched over to WordPress, much as is being argued about in The WordPress Security Update […]

     
  10. Thx, This a good site!

    http://dddsoft.com

     
  11. Terrific Blog you have. Peace Out.
    TreeFrog

     
  12. Kewl blog you got goin on up here.
    Peace, JiggyWittit

     
  13. Hi! Very nice site! Thanks you very much! tivwxiewjipe

     
  14. jitcplm

     
