Recent discussion on the wp-hackers mailing list has convinced me that there is a major security hole in all recent versions of WordPress that enables an attacker to delete posts. The vector for this attack seems to be including certain links in comments which are then viewed or modified by the administrator. I don’t fully understand the claimed attack yet, but it seems plausible, and Brian Layman says he has a proof of concept. I hope I’m wrong about this, but in case I’m not I’ve temporarily disabled comments on this and my other WordPress hosted blog.
I don’t like doing this. I much prefer to have open comments. Please note that this is purely a temporary plug for a possible security hole. I hope that within the next few days either I’ll be convinced that I’m wrong, and there really is no hole; or the hole will be plugged. Either way comments should be back on soon.
As a side note, my initial analysis of the possible hole indicates that it’s at least partially a result of a failure to adhere to REST principles that I’ve written about before.
Note: I’m not sure about any of this. I’m still investigating. However at this point I’ve read enough to make me worried, and I’d rather be safe than sorry. In the meantime if you need to get in touch with me, use e-mail instead of comments. I can post a few comments manualy if you like.
How to Turn Off Comments in WordPress
This is a two-step process. First using the mysql command line client or phpmyadmin, issue the following SQL command against your WordPress database:
UPDATE wp_posts SET comment_status=”closed”;
This closes comments on all existing posts. Second, in the WordPress admin view go to Options>Discussion and Uncheck “Allow people to post comments on the article”. This blocks comments on future posts.
Once the bug is fixed (or discovered to be invalid) you can turn comments back on for all posts by issuing this SQL command:
UPDATE wp_posts SET comment_status=”open”;
The problem seems to be what’s been called a “Cross Site Request Forgery” (CSRF).
It may be the case that all that’s required to prevent this is to sanitize all URL containing HTML tags such as
img. If that’s the case, I can probably just block those tags and re-enable comments. I don’t think anyone’s ever left an img in a comment here anyway.
There are also issues with drafts of articles, but I can easily set the blog so I’m the only one who’s allowed to submit drafts without horribly inconveniencing anyone.
The Problem’s Real
I’ve now verified the proof of concept, and the bug does exist. It is possible for a remote user to trick the administrator into deleting a post from the blog. This happens with the default install of WordPress 2.0.2 (and probably other versions.) At no point is the administrator asked to confirm that they wish to delete the post. At no point are they given any notice that they have deleted the post. If they aren’t paying very close attention, they may not even notice that that’s what they’ve done.
I haven’t packet sniffed all the HTTP messages. However I’m 90% sure it’s all happening via GET. Haven’t we learned by now that you don’t use GET to DELETE pages?
In one way it’s not quite as bad as I thought. For the attack to work, the link has to be followed from the wp-admin page, not from any random page on the Internet. This means the URL has to be placed in the comment, and then followed from the admin page. A good prophylactic measure would be to just not follow any links from the wp-admin page.
This problem would not be nearly as bad if WordPress had Undo functionality. As I’ve noted before, Confirmation is not a substitute for Undo. This bug works partially by avoiding a customary confirmation check.
Regular backups so you can restore any deleted posts are also important. Long term this requires some fixes deep inside WordPress. However, since it seems there’s an effective prevention measure I can take (not following 3rd party links from wp-admin), I’m going to turn comments back on.