Filed Under (News, WordPress) by DK on 5 July 2007

Nick Coblentz informed us of a WordPress redirect vulnerability he found in wp-pass.php, which may also affect other areas of the application.

Proof of concept

http://vulnerable.blog/wordpress/wp-pass.php?_wp_http_referer=http://www.evilsite.com

It's interesting in that a similar type of vulnerability was recently used in the compromise of the new Harry Potter book. This vulnerability allows an attacker to redirect a user to a malicious web site using a legitimate blog site URL.

BlogWatch was updated with this vulnerability and classified as a Medium Risk issue.

WordPress have apparently said they will resolve this vulnerability in v2.2.2.

Comments

pdp on 5 July, 2007 at 2:41 pm #

wow, that is not nice.


David Kierznowski on 5 July, 2007 at 2:54 pm #

Seems to affect some admin pages too, could be nasty.


Redirect Schwachstelle in WP | funnydingo.de on 5 July, 2007 at 6:29 pm #

[...] BlogSecurity reports that there is a redirect vulnerability in WordPress which allows an arbitrary redirect. WordPress has apparently already announced that this bug in version [...]


Geof F. Morris on 5 July, 2007 at 8:53 pm #

I’ll be curious to see how long this stays unpatched. Any suggestions on a mod_security rule to protect installs in the interim?


Daniel on 6 July, 2007 at 1:08 am #

Phuk me, is it me being cynical or do the wordpress developers HAVE NO DAMN CLUE ABOUT SECURITY?????

It’s not like the information is hard to find. Hell, we started OWASP nearly 8 years ago now; the OWASP guide to building secure applications has millions of downloads, and yet we still see rubbish code like WordPress being developed.

Come on, it’s 2007, Secure Development PLEASE!

For those running mod_security (and if you aren’t, you need help!!)

SecFilterSelective REQUEST_URI "wp-pass\.php\?_wp_http_referer="

It’s not sexy, but right now I don’t have the time to go through all the variables to see what else is vulnerable.

On a side note, maybe we need a mod_security/mod_rewrite page on blogsecurity.net where people can add their rules to help stop attackers from hitting vulnerable code?

Thoughts?


David Kierznowski on 6 July, 2007 at 3:36 am #

Daniel,

Perhaps you could put an article together for BlogSecurity? I think it’s a necessary skill when using something like WordPress. It won’t help much with hosted sites, but an article like this would definitely be invaluable.


Daniel on 6 July, 2007 at 4:27 am #

Ok will do it this weekend. I have about 15 rules for wordpress alone, so should share the wealth.

In the meantime, has anyone tried to engage with the WP developers in getting some framework in place to stop these basic bugs?

ps.. thanks for formatting the comment :)


David Kierznowski on 6 July, 2007 at 4:33 am #

Daniel, Stefan mentioned to me that WordPress are currently looking at security vendors to have a complete code audit - I have no further information about this.

On a side note, we have tried to contact Matt Mullenweg to no avail for an interview to discuss some of these issues.


Stefan Esser on 6 July, 2007 at 4:43 am #

Daniel,

a recommendation from me to you and other OWASP members.

Read the mod_security code. Maybe THAT will stop you from advocating it.


Daniel on 6 July, 2007 at 5:10 am #

Exciting times ahead maybe?




pagvac on 7 July, 2007 at 6:41 am #

There is also a very nasty cross-domain redirect on the latest version of Wordpress. I contacted security [ at ] wordpress.org about a week ago but no response yet :(

I will pass the details to David Kierznowski so we can post them @ blogsecurity.net


[...] If you read about Wordpress bugs, you have probably seen the alert about wp-pass. In this post we’ll discuss a possible fix, that may help some people out. The vulnerability is present in version 2.2.1, so this fix will probably hold you over until 2.2.2 is released. You can read more on this over at BlogSecurity. [...]


[...] the Clock on WP 2.2.2 July 9th, 2007 There’s a vulnerability in WP 2.2.1. BlogSecurity is who brought it to my attention. After being burned by vulnerabilities before—and having gotten absolutely slammed over the [...]


[...] since these days I am rather busy and short of ideas to publish, I will take advantage of the wave of WordPress security reports to comment on some bugs that are still not fixed in the [...]


Abel Cheung on 18 July, 2007 at 11:47 am #

2 weeks are over, and no sign of any sort of fix landing in the repository. All WordPress people did for the 2.2 branch is to bump the PHP requirement from 4.1 to 4.2, fix a glitch when removing a link and adding a new configuration option, and add some check of post content type.

Some preliminary check shows that not only the freely downloadable code base is vulnerable, but http://*.wordpress.com/ as well. Uhh…. this can be either good or bad depending on POV.


Recommended site for WordPress security on 19 July, 2007 at 6:17 am #



SEO Cybernautix on 10 October, 2007 at 5:35 pm #

Checking the server logs recently on one of my blogs showed me that this kind of attack is happening occasionally. I keep up to date and am now running WP 2.2.3, and it gets declined and just gets a 406 error.
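An added example (not code from the post, from WordPress or from this commenter) that ties the proof of concept at the top of the post to the log observation above: `validate_redirect` is the host check a redirect target such as `_wp_http_referer` needs before it reaches a Location header, and `find_redirect_attempts` applies the same check to access-log lines to flag requests that would have sent a visitor off-site. The site URL, fallback path and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, urljoin, parse_qs

# Assumptions (constructed, not WordPress's own values): the blog's base URL and
# the local path to fall back to when a redirect target is rejected.
SITE_URL = "http://vulnerable.blog/wordpress/"
FALLBACK = "/wordpress/"

def validate_redirect(target, site_url=SITE_URL, fallback=FALLBACK):
    """Return target only if it resolves to the site's own host, else fallback.
    This is the check the vulnerable wp-pass.php lacked before echoing
    _wp_http_referer into a Location header."""
    target = target.strip()
    # Protocol-relative targets, backslashes and control characters are rejected
    # outright: they defeat naive host comparisons or split the response header.
    if (not target or target.startswith("//") or "\\" in target
            or any(ord(c) < 0x20 for c in target)):
        return fallback
    resolved = urlparse(urljoin(site_url, target))  # relative paths stay on-site
    if resolved.scheme not in ("http", "https"):
        return fallback
    if resolved.netloc.lower() != urlparse(site_url).netloc.lower():
        return fallback
    return target

# Constructed Apache combined-format lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2007:12:01:02 +0000] "GET /wordpress/wp-pass.php?_wp_http_referer=http%3A%2F%2Fwww.evilsite.com HTTP/1.1" 406 249 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2007:12:01:09 +0000] "GET /wordpress/wp-pass.php?_wp_http_referer=%2F%2Fwww.evilsite.com%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2007:12:02:30 +0000] "POST /wordpress/wp-pass.php?_wp_http_referer=%2Fwordpress%2F%3Fp%3D12 HTTP/1.1" 302 0 "http://vulnerable.blog/wordpress/?p=12" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2007:12:03:00 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" (?P<status>\d{3})')

def find_redirect_attempts(log_text, site_url=SITE_URL):
    """Return (client_ip, status, target) for wp-pass.php requests whose
    _wp_http_referer would fail validate_redirect. The status column shows
    whether the server already refused it (e.g. 406 from a mod_security rule)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("uri"))
        if not parsed.path.endswith("/wp-pass.php"):
            continue
        for target in parse_qs(parsed.query).get("_wp_http_referer", []):
            if validate_redirect(target, site_url) != target:
                hits.append((m.group("ip"), int(m.group("status")), target))
    return hits
```

Running `find_redirect_attempts(SAMPLE_LOG)` on the constructed lines reports the two off-site targets from 203.0.113.5 and ignores the on-site relative path in the third line.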


[...] been stopped by the fact I update my WordPress install regularly. The common trick is using the wp-pass.php vulnerability, which was apparently fixed in wp 2.2.2. Basically, my logs show a 404 from this [...]

