WordPress Security Predictions in 2009
Okay, deep breath: in 2008 we saw Cross-Site Scripting, SQL injection, SQL truncation, cookie generation weaknesses, directory traversal, arbitrary file uploads and Cross-Site Request Forgery attacks, to name a few.
A mouthful, but it made for a very interesting 2008 case study of security developments in a popular open source PHP application.
The WordPress core code base continues to grow, adding support for new features and options, including updates to existing functions and new code such as Apple iPhone support.
Its recent WordPress 2.7 release had almost reached 1 million downloads. This new version allows automatic upgrades, making the process easy, simple and well…. hmm.
Here are my predictions based on hard core facts *yeh right!*:
- Westi reported another attempt to backdoor WordPress installation/upgrade packages. I can see more fake backdoored WordPress archives and attackers trying to exploit the new EASY upgrade feature. I can foresee spoofing or DNS poisoning type attacks.
- More SQL Injection, Cross-Site Scripting vulnerabilities in the core code and/or new third party code that gets added to the WordPress package.
- As the low-hanging fruit becomes harder to find we may see another spurt of WordPress plugin attacks causing WordPress to provide a secure framework for WordPress plugin developers.
- Automattic’s acquisitions of PollDaddy, IntenseDebate, Gravatar etc. will lead to WordPress integration of these services. This may lead to web 2.0 attacks, mass compromise, worms etc.
- Increased targeted attacks against WordPress.com and related sites as it grows in popularity – this is inevitable.
There you have it! Hopefully, if any of these "optimistic" predictions do occur, they’ll be reported and addressed. Till Tuesday, have a great weekend.
Comments
Maybe you’ve seen this, maybe not.
http://www.securityfocus.com/archive/1/499505/30/0/threaded
Anyone can force an upgrade of WordPress from any location, unauthenticated.
Suppose you can DNS poison, MITM, the download itself = you can run whatever code on the targeted blog.
Doesn’t appear to be any signing, or reliable way to tell that the automatic d/l you’re applying has actually come from wordpress.org – the real one, that is. They appear to be relying on DNS! for security!
Crazy, Crazy.
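The prediction above about backdoored upgrade archives delivered via spoofing or DNS poisoning, and the comment that the automatic download has no signing and rests on DNS alone, both come down to the same missing control: the package must be checked against something the download host cannot supply. The following is an added example, not WordPress code and not code from anyone in this thread, written in Python to stay language-neutral. It pins a SHA-256 digest obtained out of band (the `PINNED_SHA256` value, the in-memory archives and the `PackageRejected` error are all constructed for the example) and refuses to unpack a package whose digest differs, and it also rejects archive entries that would escape the install directory, one of the directory traversal issues the post lists.

```python
"""Integrity gate for a downloaded update package (added example, not WordPress code).

The archive is only trusted if its SHA-256 digest matches a value obtained
independently of the download host, so a spoofed mirror or a poisoned DNS answer
cannot substitute a backdoored archive unless the attacker also controls the
channel that delivered the pinned digest.
"""
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List


class PackageRejected(Exception):
    """Raised when a package fails verification; nothing is unpacked."""


def build_sample_archive(files: Dict[str, bytes]) -> bytes:
    """Constructed helper: build a tiny zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed "genuine" release archive and the digest a project would publish for it.
GENUINE = build_sample_archive(
    {"wp-includes/version.php": b"<?php $wp_version = '2.7';"}
)
# Pinned digest: assumed to be published by the project and fetched or shipped
# through a channel separate from the download itself (this value is constructed).
PINNED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

# Constructed archive an attacker on the network path might substitute: same
# version file, plus one extra file the genuine release does not contain.
BACKDOORED = build_sample_archive(
    {
        "wp-includes/version.php": b"<?php $wp_version = '2.7';",
        "wp-includes/shim.php": b"<?php /* not part of the genuine release */",
    }
)


def verify_package(archive: bytes, pinned_sha256: str) -> str:
    """Return the archive digest if it matches the pinned value, else reject."""
    actual = hashlib.sha256(archive).hexdigest()
    # Constant-time comparison; the digests are fixed length so this is cheap.
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise PackageRejected(
            f"digest mismatch: got {actual[:16]}..., expected {pinned_sha256[:16]}..."
        )
    return actual


def safe_member_names(archive: bytes) -> List[str]:
    """List archive entries, rejecting any path that would escape the install root."""
    names = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name.startswith("/") or ".." in name.split("/"):
                raise PackageRejected(f"unsafe path in archive: {name}")
            names.append(name)
    return names


def apply_update(archive: bytes, pinned_sha256: str) -> List[str]:
    """Gate an update: verify the digest first, then validate paths, then (here) list them."""
    verify_package(archive, pinned_sha256)
    return safe_member_names(archive)


if __name__ == "__main__":
    print("genuine:", apply_update(GENUINE, PINNED_SHA256))
    try:
        apply_update(BACKDOORED, PINNED_SHA256)
    except PackageRejected as err:
        print("backdoored:", err)
```

The digest check is only as strong as the channel that delivered `PINNED_SHA256`: if the pinned value is fetched from the same DNS name as the archive, an attacker who controls that name can replace both. In practice the value needs to come from a previous trusted release, a signature whose verification key already sits on disk, or a server reached over HTTPS with a validated certificate, which is the gap the comment thread is pointing at.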
zonknz, I completely missed this, thanks for bringing it to my attention. I’ll write something up on this.
Zonknz, that’s a DB upgrade, which is completely separate from the core upgrade feature which downloads and installs new files. You conflated the two. “[Y]ou can run [whatever] code on the [targeted] blog” is completely wrong.
It would be nice if Blogsecurity contributed to debunking common WP security myths or misconceptions like the above or in the Codex:
Matt, can you enlighten us then on what protections exist in WordPress to ensure valid code is being applied and you’re not being MITM/DNS poisoned and redirected in the WordPress core upgrade feature?
Code signing? HTTPS against a known cert? Or, as I assert, are you relying on DNS to assert validity of code?
DNS-reliance is a known factor in password resets, core upgrade, plugin installation, plugin browsing, pingbacks, update notification, pingomatic, and RSS/dashboard feeds.
If you have any examples of distributed PHP web applications that deal with DNS in an elegant, secure way I would love to learn more about them.
Let’s make sure many peoples’ heads are run over by cars before deciding whether to build traffic lights or not.
Go Habari!
https://habariproject.org/en/