BlogSec News

(21) Comments

Welcome to the BlogSec News Portal, feel free to contribute news, plugin reviews, security advisories etc. Knock yourselves out.

I’m releasing an ebook next week, The Hard Core Guide to Locking Down WordPress, and would love some feedback on it. Anyone interested please send me an email (mclark @ my domain) and let me know your site’s URL.

Michael, keep us informed, sounds like a great project.

I thought you guys might be interested in our new product ( http://firewallscript.com ). It’s very much like modsecurity, but easier for the end user to set up: it has a nice admin control panel, and it even runs on shared hosting. This is a very important feature, as a large percentage of the blogging community does not have the need/means for a dedicated server, so by using our software they can have the full benefits of a web application firewall with its only requirement being PHP5.

Dan, it’s a shame you guys don’t provide a free, open source version.

In response to the growing concerns that social network site users have had over privacy, Flugpo ( http://www.flugpo.com ) has sponsored the development of a plug-in to help counteract the collection and sale of personal information.

This plug-in will be available through MyDataIsMyData.org. The plug-in (a small toolbar) allows each user to decide what information they will delete off their computer and what they will make visible, as well as alerting them whenever they enter a site that is collaborating with a social network to sell their personal information. Selling private information for profit unbeknownst to the users is an abuse of their trust, and MyDataIsMyData.org hopes to empower these users by allowing them to control the amount of personal information that they make visible.

Was playing with Automattic’s Gravatars (central blog user pictures). I think they have done it the right way by uploading all images to their servers.

I can’t think of any immediate security concerns, unless the Gravatars server is actually compromised. If this is done, it means an attacker could perform some rather devious attacks, affecting all blogs using Gravatars.

BlogSec Changes: Modified Feedburner to allow page feeds; Added Gravatars; Added Feeds for BlogSec-News; Added BlogSec-News Banner on main.

I’ve just released a new tool for your security arsenal to be used to protect your WordPress installation. It’s a set of scripts that will monitor the WordPress files for changes. Details at http://www.planetmike.com/goto/720

Hello! Some time ago I released a plugin for WordPress: DigoWatchWP.

The plugin will monitor your WP posts and pages. Whenever an entry has been changed it informs you via email. So if you receive an email and you have changed nothing, you should have a closer look at your post or page. Maybe somebody changed your post or page to include a spam link (e.g. links to OnlineCasino and adult content are very popular).

The plugin can be downloaded here: http://wordpress.org/extend/plugins/digowatchwp/

Ciao
digo
http://www.showhypnose.org

The WPLite project looks quite cool. Check it out here: http://mahalkita.nanogeex.com/wplite/

Will have to take a look at this in more detail.

Security in 2.3.3

I have several questions regarding security and version 2.3.3.

1) re 2.3.3 – Is version 2.3.3 secure? Are there any security issues with this version?

2) re 2.5 – Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?

3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress

or BlogSecurity.net’s “How to create a secure WordPress install v1.1”
blogsecurity.net/projects/secure-wp-whitepaper.pdf

are applied that ANY version of WordPress would then be secure?

4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?

RE: Security in 2.3.3

1) re 2.3.3 – Is version 2.3.3 secure? Are there any security issues with this version?

There have been some whispers in the dark so to speak, but no hard evidence that this version is vulnerable, see: http://blogsecurity.net/wordpress/wordpress-231-sql-injection-vulnerability/

2) re 2.5 – Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?

No, I believe 2.3.3 is unaffected by some of the recent vulnerabilities in 2.5x.

3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress

or BlogSecurity.net’s “How to create a secure WordPress install v1.1”
blogsecurity.net/projects/secure-wp-whitepaper.pdf

are applied that ANY version of WordPress would then be secure?

Applying these guidelines would certainly provide additional layers of security, buying you time to apply the needed fixes as they are released; however, it cannot guarantee your security.

4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?

At the moment a number of people are still using the latest 2.3x branch, however, WordPress does suggest you upgrade to 2.5.1.

Hope this helps.

I’ve just resolved a number of bugs in wp-scanner, including DNS resolving issues, CSS and the wp-scanner plugin page.

Look out for the new version, it’s coming soon!

Regarding spambam – about 3 hours ago all of the WP sites I manage that have the spambam plugin installed started to spit out error messages. Here’s an example:

Warning: session_start() [function.session-start]: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed: Permission denied (13) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188

Warning: session_start() [function.session-start]: Cannot send session cookie – headers already sent by (output started at /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php:188) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188

Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php:188) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188
Warning: Unknown: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed: Permission denied (13) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0

I’ve been mailing back and forth with my host to solve this issue, but all they could come up with in the end, was to delete the spambam plugin.

I’m particularly concerned about the first line in the error messages: Warning: session_start() [function.session-start]: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed

/home/aborigin/tmp is not any site of mine…

The versions of WordPress are 2.6.5 and 2.7; the only thing these sites had in common was that they all had spambam activated.

Does anybody here have a clue what happened?

Thanks in advance,
Patricia

Hi Patricia, it looks like Spambam is trying to use a session when one has already been initialised.

I’ve sent Gareth (the author) an email about this but I’d suggest you contact him directly, details here if you continue having problems:

http://wordpress.org/extend/plugins/spambam/

Hi Patricia,

I’m not aware of Spambam having problems with sessions in this way. Maybe your PHP installation isn’t configured with sessions?

If you’re sure it is, let me know the spambam version and I’ll take a look. Spambam is quite old now and I do plan to update it when I get a chance.

Hi,
I just came across this interesting read about WP’s ./wp-admin/install.php posing a veritable hole in case the db-connection fails:

http://perishablepress.com/press/2009/05/05/important-security-fix-for-wordpress/

Cheers and keep up the good work,
Tom

Can I ask where do you need to edit, to set your username,
using the code shown in the WP Whitepaper below?

# this file should be outside your webroot.
AuthUserFile /srv/www/user1/.htpasswd
AuthType Basic
AuthName "Blog"
# making this username difficult to guess can help mitigate password brute force attacks.
require user youruser

Thanks, I have it all working but don’t know what the username is or how to set my own.

Any comments on the admin.php security vulnerability fixed in WP 2.8.1? http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked has a good summary, and if certain plugins are installed it can be used as a springboard to gain admin privileges.

@Mark – you need to run “htpasswd /path/to/htpasswd myusername” where the htpasswd is the file created earlier with “htpasswd -c /path/to/htpasswd”. However… I have not yet managed to get htpasswd for the wp-admin directory working with WP 2.7, though I had it working fine for WP 2.6.5 (different blog and not so many plugins).
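An added example (not code from this thread or from the whitepaper) showing how the name after “require user” ties to a line in the AuthUserFile: it reimplements Apache’s default htpasswd hash ($apr1$, 1000-round MD5) in Python to verify a Basic auth credential against the file, and checks that every user the .htaccess requires actually has an entry. The .htaccess text and the one-line htpasswd file are constructed samples; the hash shown is for the password “myPassword”.

```python
import hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password, salt):
    """Apache's default htpasswd hash ($apr1$, 1000-round MD5), per apr_md5_encode()."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in 'alt' once per 16 bytes of password
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f, to64 = final, lambda v, n: "".join(ITOA64[(v >> 6 * k) & 63] for k in range(n))
    out = "".join(to64(f[a] << 16 | f[b] << 8 | f[c], 4)
                  for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)])
    return "$apr1$%s$%s%s" % (sl.decode(), out, to64(f[11], 2))


def verify(htpasswd_text, user, password):
    """True if the AuthUserFile has an $apr1$ line for user that matches password."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            return hmac.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
    return False


def missing_required_users(htaccess_text, htpasswd_text):
    """Names after 'require user' in .htaccess that have no AuthUserFile entry."""
    known = {l.partition(":")[0] for l in htpasswd_text.splitlines() if ":" in l}
    missing = []
    for line in htaccess_text.splitlines():
        words = line.split("#")[0].split()
        if len(words) > 2 and words[0].lower() == "require" and words[1].lower() == "user":
            missing += [u for u in words[2:] if u not in known]
    return missing


# Constructed sample: whitepaper-style .htaccess and a one-user AuthUserFile.
HTACCESS = 'AuthUserFile /srv/www/user1/.htpasswd\nAuthType Basic\nAuthName "Blog"\nrequire user youruser\n'
HTPASSWD = "youruser:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"  # hash of "myPassword"
```

Because the username is whatever you pass to htpasswd when adding the line, the only thing to keep in sync is that the same name appears after “require user”; missing_required_users() flags any that do not.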
