Interview with beNi

BlogSecurity introduces an interview with Benjamin Flesch, ‘beNi’, who works as a Security Consultant in Germany.

BlogSecurity: Hello beNi, firstly, thanks very much for taking the time to do this interview with us.

You’re only 18 years old; what is your security experience so far?

beNi: ‘Security experience’ is hard to talk about. At the beginning I learned QBasic and tried to write my own text adventure, later – at about age 12 – I started lurking around in several security-related forums, had a look at some Trojans/virii and started to code my own, one in Visual Basic. Over the years, the topic of network security fascinated me even more.

BlogSecurity: Was it intentional to find the first WordPress security flaw?

beNi: Nope, I’m always manipulating everything my browser sends to the server. You won’t believe how many flaws you see if you just append a ‘ to your user agent!

BlogSecurity: You released the first blog worm in history, which attempts to fix the affected vulnerabilities. How do you feel about that?

beNi: Pretty great, just like Robin Hood – in my eyes, this concept rocks :o). Later I realised how many homepages and web applications are affected by security flaws like XSS and even more critical things like SQL injection. I developed a habit of testing every page I visit for some basic issues and it’s sad that I’m successful with this in over 90% of all homepages I visit.

BlogSecurity: Do you think it is ethical to release this kind of worm? BlogSec has read blogs encouraging the use of the worm to fix their blogs, but is it possible that such a worm could have done a lot of unintentional damage?

beNi: Yes, of course these flaws and/or such a worm could do a lot of damage if they’re not coded well. And yes, I think that it was ethical to release this kind of worm, because I chose the best ways to handle such a bunch of vulnerabilities:

a) I alerted the WordPress staff via their bugtracker.
b) I provided detailed information so that 3rd-party bloggers were able to create workarounds, but – sadly – it had a minor bug at the beginning (of course I fixed that) which ate some “+” signs, and now that the official patches are out, I have taken it down.
c) I provided a self-written patch worm, which guided the users through applying my workarounds.
d) I DID NOT allow it to spread automatically.

Plus, the administrator was able to see the patched parts and he had to apply them by clicking a button. In my opinion, that’s really enough for a not-bad worm :o)

Nevertheless, my worm just appended workarounds to the relevant parts of the WordPress source code and marked them with comments like /* SECURITY PATCH by .. */.

BlogSecurity: Are you planning to search for additional holes in WordPress?

beNi: Maybe sometime later this year, but at the moment I’m working on a Google.com PoC exploit.

The only WordPress-related thing I’m doing at the moment is searching for security flaws in popular WordPress plugins; I’ve already found some in runPHP (SQL injection), SEOTitleTag and Akismet (both XSS) :o)

BlogSecurity: The latest WordPress update was mainly due to your findings. Did you notify WordPress of the vulnerabilities you found? How did you feel about how quickly they provided a fix?

beNi: At the same time as I published my findings on my blog and on email lists such as Full Disclosure, I submitted them to the WordPress bugtracker (trac.wordpress.org). Nazgul, a member of the WordPress team, created patches for the flaws within several hours. The release of the fixed version took 6 days, and I think that’s okay.

BlogSecurity: What do you think about the rumours that WordPress is possibly going to undergo a full professional security audit? In your opinion, what should the security analysts focus on during the audit?

beNi: I had never heard of this rumour, but this would definitely be a big bonus in security for WordPress. I think the analysts should focus especially on logic flaws and all the input/output validation, because by securing these areas they will fix loads of vulnerabilities. There won’t be many real ‘WordPress All Versions’ exploits in the future; the attacks will become more targeted, more precise and less noisy, using vulnerabilities in the specific setup of the attacked blogs. So take care of your blog and turn off the ‘Register’ function!

Comments

beNi, thanks for taking the time to answer these questions and thanks to Phil and Sarah for managing the interview.

This was an interesting interview. But…

1) How can the software Benjamin released be called a worm when he “DID NOT allow it to spread automatically”? By definition, a worm is self-propagating, isn’t it?

2) Where’s the link to his own blog, which was specifically mentioned in the interview?

Gary, it would be trivial to make the worm self-propagate; I think beNi did not include this functionality for obvious reasons. His blog should be mentioned, yes.