The WordPress Security Update

Stefan Esser over at the PHP Security Blog is not happy. He’s just written a blog post titled WordPress – developers totally nuts, claiming that only hours after releasing version 1.5.2, the developers patched some additional security flaws and re-uploaded the download file without labelling it any differently. Stefan had previously contacted WordPress about security flaws in their product and had contributed some patches. The end result, according to Stefan’s claims, is that many WordPress users who downloaded the pre-updated version 1.5.2 will still be vulnerable to known and published security exploits.

Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress – irresponsible silent tarball update’ without notice.

A similar rant about WordPress security by Martin Geisler can be found on his blog. His advice: “Remember to upgrade any installation you might have”.

Dougall Campbell, a developer for WordPress, responds to what he sees as a campaign of fear, uncertainty and doubt against the 1.5.2 release. Dougall admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include, but that the situation was rectified before the initial announcement of the release was posted, and therefore anybody who downloaded the archive after the posting of the official announcement is safe from the problem.

According to Stefan’s post, the exploit in question involves a function in WordPress’s code intended to work around servers which have register_globals enabled. The function checks whether register_globals is enabled in the PHP configuration and, if so, tries to unset each global variable that the setting created from request data. The function inadvertently introduced an additional flaw, allowing remote users to bypass the protection that the function was meant to offer.
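The general shape of such a clean-up routine, written defensively, is shown below. This is an added example for illustration; it is not WordPress’s own code, nor Stefan’s patch, and it does not reproduce the specific bypass the post refers to. The function name, the list of protected names, and the self-check helper are assumptions of this example.

```php
<?php
// Added example, not WordPress code: a defensive register_globals clean-up
// routine of the kind the article describes.
//
// Design points:
//  * All work happens inside a function, so request-supplied variable names
//    cannot collide with the routine's own working variables (function locals
//    are not in $GLOBALS, whereas top-level code would be exposed to that).
//  * Names the engine itself relies on (the superglobals and $GLOBALS) are
//    never unset, whatever the request claims.
//  * Array union (+) is used instead of array_merge so parameter names that
//    look numeric keep their original keys.
//  * On PHP 5.4+ register_globals no longer exists; ini_get() returns false
//    and the function is a no-op.

function example_unregister_globals()
{
    // Only needed on hosts where the administrator left register_globals on.
    if (!ini_get('register_globals')) {
        return 0;
    }

    // Names that must never be removed (assumed list for this example).
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');

    // Every source register_globals may have imported variables from.
    $input = $_GET + $_POST + $_COOKIE + $_SERVER + $_ENV + $_FILES;
    if (isset($_SESSION) && is_array($_SESSION)) {
        $input += $_SESSION;
    }

    $removed = 0;
    foreach (array_keys($input) as $name) {
        if (in_array($name, $protected, true)) {
            continue;                       // ignore, do not act on it
        }
        if (array_key_exists($name, $GLOBALS)) {
            unset($GLOBALS[$name]);
            $removed++;
        }
    }
    return $removed;
}

// Post-condition check a deployer can run after the clean-up: the engine's
// own variables must still be present and still be arrays.
function example_superglobals_intact()
{
    foreach (array('_GET', '_POST', '_COOKIE', '_SERVER', '_ENV', '_FILES') as $name) {
        if (!isset($GLOBALS[$name]) || !is_array($GLOBALS[$name])) {
            return false;
        }
    }
    return is_array($GLOBALS);
}

// Usage at the very top of the application's bootstrap, before any other
// code reads a global:
example_unregister_globals();
if (!example_superglobals_intact()) {
    die('environment clean-up left the superglobals in an unexpected state');
}
```

The important property for a routine like this is that it must decide what to unset from a fixed list of safe rules, not from anything the request can influence; the check at the end gives an operator a quick way to confirm that the clean-up did not remove more than intended.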

  • Stefan

    Just a “little” correction.

    “Dougall admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include…”

    This sounds as if they only forgot to put a fix into the release, but this is simply not true, because I downloaded the 1.5.2 release tarball to check if they had really fixed the SQL holes that I had reported. I realised that those were fixed and so I checked how they fixed the remote code execution. It turned out that this fix was worth nothing because it was easily bypassable, and so I sent them a patch to fix it. (7 hours before the replacement)

    And there are enough timestamps in the subversion tree, the release tarball and the blog posting to prove that the announcement was made AT LEAST 4 hours and 45 minutes before the tarball was replaced, and that the original tarball was created 9 hours before the replaced one.

  • Stefan

    “Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress – irresponsible silent tarball update’ without notice.”

    So the term “Update:” is no notice of changes? And you really compare a changed blog entry title with a silently fixed remote code execution hole? And btw. the blog title was changed only minutes and not hours after the post.

    It was bad luck that planet-php and other aggregators were fast enough to get the explicit title. However, it underlines that even in a very, very short time window downloads are possible.

  • Anonymous

    PHP itself did such a thing with 5.0.4 or 5.0.3 (I don’t remember exactly) and it is quite a stupid thing for a mature project :-(

  • Stefan

    Mr. Anonymous, this is partly right. It is true that PHP 5.0.4 was rereleased. But a) it was mentioned on the download site and not done silently and b) this was because the original tarball was lacking files, it was broken. c) PHP would never change a tarball afterwards to silently fix a security problem.

  • Pierrick

    I thought this behaviour (silent rerelease) was the property of proprietary software editors! (I work in such a company and this is what we do every day :-/)

    I can’t understand why WordPress developers did this!

  • http://www.rideontwo.com z0s0

    And.. now announcing the new SitePoint blogs… powered by WordPress!

  • ChiliJ

    I thought this behaviour (silent rerelease) was the property of proprietary software editors!

    Perhaps wordpress is going proprietary.. lol

  • ce

    about the PHP :-)
    a) mentioned on the download site!!! the right place is the front page!!! I will never check the download page if there is no new version. Now I have a file called php-5.0.4.tar.bz2; should I check EVERY TIME if it is the correct file? (I still have this buggy file somewhere)
    b) lacking files from PEAR, ok, not a security problem, but still a bug
    c) you never say never :-)

    P.S. I don’t know wordpress at all (hadn’t heard of it until now), I am just disappointed by PHP and their style of development over the last few months/years, and I am pressed to try alternatives, that’s all (just a fit of nerves) peace! :-))
