Dr Dave has written a warning for WordPress users regarding a possible security problem.
He doesn’t go into details (probably a good thing) but warns people to turn off the ‘Anyone can Register’ option on their WP blog and delete any guest accounts they’re unsure of. He writes:
“Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.”
I’m not sure how valid his concerns are and haven’t heard any official word from WordPress to this point but it’s probably worth considering.
I’ve contacted Matt from WP for a comment and will update with what he has to say.
Read more at Dr Dave. Thanks to Patrick for the email heads-up.
Update: Just spoke with Matt. He’s not aware of the issue and can’t tell from the post whether it’s something worth being worried about or not, but he’s going to contact Dr Dave to find out. He also mentioned that 2.0.4 will be out shortly and it could be something that is resolved in that upgrade. All seems to be in hand.
Hm, a surprisingly content-free post from Dave. This has been the first I’ve heard of a security problem in WP affecting open-registration blogs.
I’ve recently been through the registration code but I don’t recall seeing anything which struck me as an obvious security problem.
Michael, in the past version 2.0.2 was exploited using a security flaw related to the wp-register option being enabled. The relevant part:
A severe shell-execution exploit has been released by rgod. The vulnerability affects all versions of WordPress Blog System
Security, WordPress, user registration and concern…
Less than an hour ago ProBlogger published an entry titled “Possible WordPress Security Problem” in which Dr Dave makes an announcement (in my opinion perhaps somewhat alarmist) called “Critical Announcement affecting ALL WordPress …
Sorry, the copy and paste is stripped:
“The vulnerability affects all versions of WordPress Blog System 2.0.2 and before. The good news – the exploit works only for WordPress sites where the “Self User Registration” (e.g. /wp-register) is enabled, so for now you can “patch” your system by disabling the Self User Registration.”
Extract from: http://magazine.olrin.org/wordpress_security_flaw/
Yeah, this is why I unchecked “anyone can register” right away. It is just begging for problems later on.
WP has just entered 2.0.4 beta mode. It is stable but testers are having their play at it to make sure. When that comes out, this bug is fixed. As indicated on Dr. Dave’s blog, turn off “Anyone can register” to protect yourself for the time being. No need to panic – just be aware who you are giving access to your blog in any way.
Thanks for bringing our attention to this.
Hi,
As you probably guessed, I did not exactly leave out exploit details just to make a more exciting post… But I reckon Matt or any other developer should by now be able to confirm that I haven’t been on a hallucinatory streak.
I was never contacted by Matt (ahem), but he and a few other devs had been contacted about the issue, days before I blogged it. I sent another one with more details and personal suggestions this very morning (haven’t gotten any reply either, but no surprise). The original discoverer sent the first email and hadn’t heard back from anybody, except with a more or less “this is not really our problem, people will just have to adapt” answer, which prompted him to contact me, which in turn prompted me to communicate directly on it. I take full responsibility for my actions and carry absolutely no regret about them whatsoever, regardless of what some official WP devs may think would have been best.
At the time this post was written, 2.0.4 included absolutely no fix for the problem whatsoever, and if there was a modicum of awareness among some devs (following the first notification), I would have to fiercely disagree with their initial estimate of the situation and the solutions they were considering bringing.
Anyway, no need to panic, simply turn the damn option off and ensure everybody else does the same until a tested fix is out.
[…] WordPress Guest Registration Security Concern I was reading through my RSS Feeds today, and Darren Rowse mentioned that there was a security concern pointed out to him from Dr Dave regarding a feature of WordPress that allows guests to the site to register as users on the site. […]
Thanks for the heads-up. I just turned this feature off on all my blogs! I never paid attention to this option in the past. YIKES
What do you use for registering on ProBlogger?
[…] hey all 5 readers of this blog, I just saw this post indicating that WordPress may have a security issue related to open user registration. So, for now, until I get a chance to sort this out registrations are closed. If you want to register as a user on this site notify me via a comment. If you’ve got a wordpress blog, you might want to check into this as well. […]
Yeah, my site was hacked yesterday (my bday) and it was a nice bday gift. He left a message something to the effect that, in the name of Allah etc. etc., we hacked your site and there is no backup.
The hacker had even left his msn so I contacted him and he said that they were from the middle east and were having a hacking contest. Anyways, my site was #34. I could not figure it out and it possibly was that the account registration was open.
So a warning to everyone, disable registration for the time being.
Good luck and good night.
Kanwal
[…] Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading among a huge number of bloggers. This sort of thing just spreads exponentially. Here’s a quasi-random sampling of two dozen of the first posts on it: […] And these were just from the English blogs that posted about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and great visual styles. They are well worth perusing… […]
Kanwal (and possibly others):
Forgive me for mentioning the obvious, but this last exploit is not the *only* WP exploit. It is just the one that is not yet fixed in any release. This means that, if you are not running the very latest (for now, 2.0.3, and soon 2.0.4) version of WP, you are at risk, no matter what you do.
As I explained in my followup: somehow I suspect a lot of people do not even realize this and are still running some outdated (and therefore vulnerable, seeing how *every* single release of WP patched a previous security flaw) version of WordPress. This fact alone comforts me in my opinion that a serious change in communication policy was needed.
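The two checks recommended in this thread (the advisory extract above: disable self-registration; and Dr Dave’s point just above: an install older than the latest release is exposed to already-patched flaws regardless of that option) can be audited offline from two artifacts an administrator already has, wp-includes/version.php and a dump of the wp_options table. The following is an added example, not code from the page or from WordPress itself. Both sample inputs are constructed here: the version.php excerpt uses the real `$wp_version` assignment, and the options dump is assumed to be the tab-separated output of `SELECT option_name, option_value FROM wp_options` (any other layout would need a different parser). The minimum version is taken from the thread (2.0.3 is the latest release named on the page; the quoted advisory covers 2.0.2 and before).

```python
import re

# Constructed sample inputs (not taken from a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.0.2';\n$wp_db_version = 3440;\n"
SAMPLE_OPTIONS_TSV = (
    "option_name\toption_value\n"
    "blogname\tExample Blog\n"
    "users_can_register\t1\n"
)

# Latest release named on the page; older installs carry already-patched flaws.
MIN_SAFE_VERSION = (2, 0, 3)


def parse_wp_version(version_php: str) -> tuple:
    """Extract $wp_version from wp-includes/version.php as a comparable tuple."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_options(options_tsv: str) -> dict:
    """Parse 'option_name<TAB>option_value' lines (assumed mysql -B output)."""
    options = {}
    for line in options_tsv.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        if name == "option_name":  # header row
            continue
        options[name] = value
    return options


def audit(version_php: str, options_tsv: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    version = parse_wp_version(version_php)
    if version < MIN_SAFE_VERSION:
        findings.append(
            "WordPress %s is older than %s: upgrade, earlier releases have "
            "known patched flaws" % (".".join(map(str, version)),
                                     ".".join(map(str, MIN_SAFE_VERSION)))
        )
    # users_can_register is the option behind 'Anyone can register'.
    if parse_options(options_tsv).get("users_can_register") == "1":
        findings.append(
            "open registration (users_can_register=1): disable it until a "
            "tested fix for the wp-register issue ships"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_OPTIONS_TSV) or ["no findings"]:
        print(finding)
```

On a live site the same two inputs can be produced with `cat wp-includes/version.php` and `mysql -B -e "SELECT option_name, option_value FROM wp_options" <db>`; turning the option off in the Options screen is equivalent to setting users_can_register to 0.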
“, seeing how *every* single release of WP patched a previous security flaw) version of WordPress. This fact alone comforts me in my opinion that a serious change in communication policy was needed.”
I’d have to agree with Dr. Dave on that one. :)
And just to close the topic, I would have to point at the gloriously low-key handling of the situation by WP’s Powers That Be.
Is it me or, considering that the Dashboard Feed is permanently flooded with pedestrian posts of little importance, wouldn’t a more “urging” tone have been appropriate for this particular security upgrade?
As it is, it barely stands one notch above:
”Oh, guys, check out our new update, it’s way cool and you’ll like it. And btw, it also kinda fixes some security problems”.
I am sure glad Matt doesn’t want people to panic. Because surely we wouldn’t want people to panic. Or to think for one minute that WordPress sometimes has security flaws in it.
That is interesting – just wondering … so what would happen if one has a wordpress blog that requires people to register to comment? I have mine turned off anyway but was curious to the above.
Dr Dave: I have to admit that you may be frustrated (and although you didn’t go into specific details, something drastic must have happened to your blog), but looking at your comments, I am not sure how much more “urging” they can be when the latest dashboard post specifically says that “it’s highly recommended for all users”. You can’t really force somebody to do it unless you have some sort of automated mechanism.
From an unbiased point of view, I also personally think that you aren’t giving the WP guys enough credit and they will probably not be too appreciative of what you said and your tone. You may have to be reminded that WP is “free” and they are providing this valuable service at their own time/expense – so I think you may have to cut them some slack. I think they are doing a pretty good job trying to release bug fixes with each revision very timely. Trying to aggravate them is only going to make things worse and they really have NO obligation to you, me or anyone of us to fix anything WE tell them to fix.
No matter how you look at it, with fixing flaws in each revision – isn’t that how normal software companies do it? You can’t possibly fix all bugs in one go or else the software would never be released. I think they do a better job than Microsoft, as at least they tell people a bug is fixed rather than keeping quiet about it and pushing it out through service packs and automatic upgrades – and Microsoft is NOT even free! With software, there is no such thing as a bug-free version – for every flaw that an individual wants fixed, there is always going to be another bug that is more important to some other particular individual. So I guess what I am saying is that, if they keep fixing bugs with each complaint or comment, they will never finish what they set out to do in the first place. It is called prioritizing. You have to let them keep to their priorities, i.e. which bugs they are going to fix for timely testing and revision release.
Try pointing out a flaw to Microsoft and see what kind of response they give you (if they even do respond) … maybe then that “low” key response from WP’s powers to be may not be that bad after all. ;-) Believe me as I have worked directly with Microsoft’s developers before.
From what I see – if one really hates the product, can’t stand it and complains about its flaws … why keep using it?
Don’t take this offensively or personally, and I don’t mean to start a “comment war” here. I just feel that WP is an invaluable product and an asset to the blogging community. One just can’t ask much more from a “FREE” product. They could easily make us pay for it if we are too demanding and complain about their lack of timeliness in support, development, bug fixes and certain other inadequacies.
Just my two cents.