• Resolved rawalex

    (@rawalex)


    please go to yahoo, and search for link:https://kvantservice.com/

    If your site is in that list, you have been hit. Check your newest post for a hidden link (you will have to edit in HTML, because it doesn’t show in the visual editor). It’s only a hidden link off to this guy’s site, but also if you use the MORE or paging tags, your post may be cut off (his bot isn’t very smart).

    Still looking for information, but it appears to have hit me 14 days after 2.5.1 was installed.
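    As an added example (not code from the thread or from WordPress), here is a check for the hidden-link symptom described in the post above: it parses a post’s raw HTML and reports external links that are hidden by inline style, either on the anchor itself or on an enclosing element. The sample post and the site host example.org are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an element invisible on the rendered page;
# spaces are stripped before matching, so "display: none" is caught as well.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "font-size:0", "left:-")

def _is_hidden(attrs):
    style = (dict(attrs).get("style") or "").replace(" ", "").lower()
    return any(marker in style for marker in HIDDEN_STYLE_MARKERS)

class HiddenLinkFinder(HTMLParser):
    """Collect external <a href> targets hidden by their own style or by a hidden ancestor."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden) for every element currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.stack.append((tag, _is_hidden(attrs)))
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        # Relative links and links to the site itself are ignored: the thread
        # describes a hidden link pointing off to somebody else's domain.
        if host and host != self.site_host and any(h for _, h in self.stack):
            self.findings.append(href)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so sloppy markup does not desync the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(post_html, site_host):
    """Return the hrefs of hidden external links in a post's raw HTML (edit view, not visual)."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(post_html)
    finder.close()
    return finder.findings

# Constructed sample post: one legitimate link plus two injected hidden ones.
SAMPLE_POST = (
    "<p>Real content here.</p>"
    '<div style="display: none"><a href="https://kvantservice.com/">x</a></div>'
    '<p>See <a href="https://example.org/about">my own page</a>.</p>'
    '<a href="http://other.invalid/" style="font-size:0px">y</a>'
)
```

    Run it over the raw content of each post (the HTML editor view) rather than the rendered page, since a hidden link is exactly what the rendered view will not show.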

Viewing 15 replies - 46 through 60 (of 64 total)
  • Thread Starter rawalex

    (@rawalex)

    This is enough to make me giggle, sorry guys and girls.

    Whooami: Let me start with the simple point: Adding an extra plugin (which will log and slow down all activity) onto 100+ blogs isn’t something I look forward to doing, especially because like many people, I use XMLRPC tools to post remotely (rather than using the wordpress edit system) so those log files would end up rather full. Also, on that sort of volume (and with the number of people comment spamming) it is ANOTHER hole open for people to kill your system by overloading log files. I only use apache logs (bulking system) because they are backed up and then wiped every 24 hours, so that there isn’t as much chance of overflow. If anything, posting that you are using this sort of thing just created a vulnerability for your blogs (DoS). You might want to think about that.

    Otto: Hackers scan routinely looking for open files and open directories. Yes, they are automated, and yes, they often have a list of things they are looking for, but they are scanning site to site looking for them, often going by IP address rather than domain. No, they don’t scan individual files (DUH!) but they are scanning around your system looking for them. Check your apache logs, you will be shocked.

    As for cutting off at the MORE point, please understand: 2.5.1 RSS no longer pays any attention to the more tag, so they can’t be using RSS to source the posts. If you access a post (pull it down) and then edit and return it, you would have the full post information. They only have what would show on page 1 of a post, so therefore they very likely got it from just scanning the page (raw html) looking for the first post. That is also how you get the post ID number (so you can directly screw with it).

    I leave this in the hands of TPTM. Having a junior high school debate isn’t going to fix it.

    rawalex,

    Whether or not you choose to do anything to further substantiate what you are saying is, of course, up to you. Keep in mind, though, that you are the one suggesting that you would need to add the plugin to 100+ blogs — I have not indicated anything of a kind. I find it odd, at best, that you see that as an all or none proposition, though. But that’s your gig.

    There are some people that are willing to “go the extra mile” as it were, to help the community. Then there are people like you. (I don’t mean that as an insult, it’s just a distinction)

    If anything, posting that you are using this sort of thing just created a vulnerability for your blogs (DoS). You might want to think about that.

    And I guess you haven’t discovered yet that Apache has mechanisms for dealing with these. Alas. I guess we are best to leave the web mastering to the web masters and the network/systems administration to people that actually administer networks.

    Lastly, I can’t help but laugh at you calling **this** a jr. high school debate — one of the people that you have been having that debate with is a member of the dev team and an Automattic employee — I’m fairly confident he’s out of Jr. High too.

    That someone, anyone, asks for more info, or for more clarification, or god forbid, might even disagree with you doesn’t make their point of view any less valid than yours.

    You may very well be correct in what you are saying — but insulting ppl that don’t automatically agree with you ..

    meh.

    Thread Starter rawalex

    (@rawalex)

    whooami, I hate getting into anything with you, because you come from an attitude of being superior, of claiming “nothing happening here”. I don’t come to this board with piffling little issues, I don’t spend time here discussing why my text won’t align or the like. When I come to a support board (apparently run by the company) I am hoping to deal with someone from the company, and not a third party that may or may not know what all is going on. I appreciate your comments in some ways, but as you are a plugin designer, I would suspect that your answer would more than likely be to add a plugin. That’s your gig, enjoy it.

    If I am going to log stuff, I would have to log everything. These guys aren’t always going to come back and hit the same few blogs I have seen this on so far, but they are rather likely to hit any of the other ones. Basic theory, if you have 100 potential targets and 5 have been hit, you are 19 times more likely to have one that wasn’t hit to see it next rather than one that was already hit. So I can randomly set up your plugin on 1 domain and hope they get around to it, or put it on all of them and hope to catch something. That is very, very basic stuff.

    This all becomes a jr high school debate when it is about piffling matters rather than the issue at hand. If Otto is a developer, I am surprised that he isn’t aware that the MORE tag no longer affects the RSS feeds, considering that not only has it been in threads here, but also apparently in the dev areas (and not surprisingly the solution to the issue is yet another plugin… *sigh*). I am trying to stay focused on the key issue (Some people and I have all reported the same basic issue with 2.5.1, and I have logs that show it was done using a POST command to xml-rpc). If there is a hole, it needs to be looked for, checked, and considered.

    No, I don’t have enough information to point to a single method, but I would suspect that the method is VERY similar to previous injection / edit tricks. This has happened on a few different versions so far, and makes it pretty clear that the code in that area of wordpress may not be the best and perhaps should be addressed overall, rather than worrying about patching what has already been patched at least 3 times that I am aware of in the last six months.

    As for insults, well, honestly, you started it. Try to turn down your arrogance a little bit, you don’t know everything in the world. You would probably do a much better job of helping people out if you did.
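    The logs mentioned above (a POST to xml-rpc found in the apache logs), as an added example that is not part of the thread: pull XML-RPC POSTs out of Apache combined-format access log lines and count them per client and user agent, so that a suspicious post edit can be tied back to the request that made it. The log lines, IP addresses and user agents are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def xmlrpc_posts(lines):
    """Return (ip, timestamp, user_agent, status) for every POST to xmlrpc.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            hits.append((m["ip"], m["ts"], m["ua"], int(m["status"])))
    return hits

def clients_by_volume(hits):
    """Count XML-RPC POSTs per (ip, user agent), so a burst from one place
    stands out against the trickle a normal desktop blogging client produces."""
    return Counter((ip, ua) for ip, _, ua, _ in hits)

# Constructed sample log lines (documentation-range IPs, made-up agents).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2008:03:14:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Python-urllib/2.5"
198.51.100.4 - - [10/May/2008:03:14:09 +0000] "GET /?p=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2008:03:14:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 518 "-" "Python-urllib/2.5"
192.0.2.9 - - [10/May/2008:03:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "ecto/2.4"
198.51.100.4 - - [10/May/2008:03:21:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
"""
```

    Because this reads the web server’s existing access log rather than adding a second log inside WordPress, it does not add the unbounded-logging exposure the thread is arguing about; the timestamps let you line up a hit against the post’s last-modified time.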

    If I am going to log stuff, I would have to log everything. These guys aren’t always going to come back and hit the same few blogs I have seen this on so far, but they are rather likely to hit any of the other ones. Basic theory, if you have 100 potential targets and 5 have been hit, you are 19 times more likely to have one that wasn’t hit to see it next rather than one that was already hit. So I can randomly set up your plugin on 1 domain and hope they get around to it, or put it on all of them and hope to catch something. That is very, very basic stuff.

    If it’s basic stuff then why aren’t you acting on it?

    You’ve presented an argument that does not allow any progress. People have suggested that you should attempt to glean more information by logging your xml requests and basically you’ve put up a blocker to that by saying it’s not worth doing on one blog and too much effort to do on 100. I guess in the end that is up to you, but no one else is likely to be able to magically discover how your blogs were compromised.

    Incidentally you can either have an argument akin to your 19:1 theory or you can have an argument that the same blog will get hit more than once. Using both arguments is contradictory. In fact based on your 19:1 idea on your blogs that have already been hit you should just do nothing.

    Anonymous User 96400

    (@anonymized-96400)

    Time for a cold shower everybody. There’d be a lot less chaos in the world if people would listen to each other and to people actually knowing what they’re talking about…

    Thread Starter rawalex

    (@rawalex)

    mrmist: It isn’t just a question of 1 or 100… it is a question that logging XML requests on that scale could in itself leave the site open for a DoS attack (every one of those comment spammers uses XMLRPC… I have blogs that get hundreds of those a day). Open end logging isn’t a good thing, that is for sure. I don’t intend to create myself another 8 hour a day job reviewing wordpress logs looking for a single hacker request in a sea of comment spams and other XMLRPC abuse attempts. The 19:1 is to make a point, neither you nor I would know what a hacker would do next. We don’t know if this is just some script kiddie running someone else’s tool. We don’t know how long their list of blogs is that they are checking. Anyway, the point is I don’t want to spend the time and the effort (and open my servers up to a DoS attack) by opening up 100 log files. Cherie offers answers that seem simple, but have many implications beyond the obvious.

    travel-junkie: Unfortunately, the answers that come on a free for all board are tons of noise, and a bunch of denials, and a solid amount of finger pointing… all without accepting the basic concept that more than one person is reporting an issue. I hope that a more complete log of one of these attacks is found, so that the developers can get to fixing the issue rather than running a multi-page thread that really doesn’t accomplish anything.

    1.

    whooami, I hate getting into anything with you, because you come from an attitude of being superior, of claiming “nothing happening here”.

    actually, i haven’t said any thing of a kind — in fact, every time the opportunity to say that has arisen, I’ve gone out of my way to make allowances, and say that it’s possible — JUST to avoid you accusing me of that.

    I said:

    ..irrespective of any potential WP flaw.

    the above doesn’t mean there isn’t one.

    I said:

    I am NOT saying that the potential for an issue isn’t there; I am simply saying that 1+2!=4

    That ought to be self-evident

    I said:

    you may very well be correct in what you are saying.

    How many more different ways do you need me to reiterate that the possibility exists that you are right?

    2.

    If Otto is a developer…

    I never indicated who it was .. and I don’t see that it matters when my larger point should have been that regardless of who you deal with, you owe them the same respect — employee or not.

    I am hoping to deal with someone from the company..

    You should have remembered from your last, similar experience that wordpress developers do not frequent these forums. It’s been reiterated time and time again on these forums. That is why they have an e-mail address — that is why there are mailing lists.

    3.

    but as you are a plugin designer, I would suspect that your answer would more than likely be to add a plugin.

    I am also an end user, so that’s a facetious argument. I just happen to have written a plugin that does the work.

    Heck, give me the contents of your wp-config.php file, and I can make your posts say anything at all.

    Never a truer word was written, and I’ve seen this time and time again when cleaning up behind miscreants who have exploited unmaintained (“Upgrade? UPGRADE!? I don’t need no stinking upgrade!”) WP installations.

    Not to mention those that do a fresh install but reuse previously exploited passwords, or those exceptionally bright folks that not only use the same password for their admin WP user, but use the same credentials for the database user and their ftp user.

    These people can’t be helped, at all, until they start to use some common sense password management techniques. A new install of a “bullet-proof” version of anything is pointless if you re-use passwords from previously exploited blogs, or have those same passwords set for your database or ftp user.

    Thread Starter rawalex

    (@rawalex)

    rlparker: it is one of the reasons why during the upgrades I did from 2.3.3 to 2.5.1 that all admin passwords were changed, because in most cases admin is the only actual user on most of the sites. Going through the process and upgrading passwords is always a good thing. Not allowing the same passwords on multiple items is also a very good idea (and rather obvious). Good hosting companies won’t allow simplistic passwords, but no matter what you do, you cannot stop people from being stupid about security.

    Sadly, replacing the lock on the door when the window next to it is wide open doesn’t change anything. All of the XMLRPC hacks have been completely independent of any password requirements or security levels.

    Whooami: I could go into it long and hard with you, but I have respect for the people who provide this forum. I congratulate you on writing a plugin that is in itself a potential DoS target, but hey, you know that already, right?

    1+2+X=4. I don’t know X for sure, but I can make a strong guess.

    My frustrations with this forum are known. I think it is horrible that WordPress puts up a forum, calls it “support” and then it turns out that it is mostly the somewhat less blind leading the totally blind. That isn’t support, that is just a community of like minded people and inflated egos. All I have ever asked you to do is leave my threads alone. I don’t go peeing on your threads (and some of them are so tempting… ) please don’t do it on mine.

    Oh yeah, meanwhile, there is still a potential open hole in XMLRPC. But that isn’t as important as proving that you are superior, now is it Cherie?

    As I’ve already stated, you’re not going to stop me from posting anywhere…

    and I’m curious, what do you think you are gaining by calling me by my name? I make no secret of it — It’s on my “about” page, and I refer to myself by name in my blog at least 5 or 6 times.

    You’re not accomplishing anything, other than making yourself look really childish.

    Shall I start calling you Alex, Alex?

    Edit :

    Oh yeah, meanwhile, there is still a potential open hole in XMLRPC. But that isn’t as important as proving that you are superior, now is it Cherie?

    what does a potential hole have to do with what I do or don’t do?

    Don’t answer, I don’t expect you are able to.

    So far, every personal accusation you have made against me, I have been able to prove wrong.

    1. you immediately accused me of making personal attacks on you in this thread — but could provide no evidence when asked for it.

    2. You’ve accused me twice now, of telling you that you are wrong — I pointed out how off-base you were on that already. And of course, you leapt right over that.

    When you actually have a conversation that doesn’t rise and fall on your being able to make baseless statements — then and only then, will I be interested in any of your “answers”.

    Thread Starter rawalex

    (@rawalex)

    I prefer names to handles or nicknames… in the end I like to know who I am talking to, not someone hiding behind a name, which is why my nick is really just my name anyway. I also want you to understand that I am not making stuff up on the fly, I have gone to look at your stuff closely and understand where you are coming from. Do you understand that your logging plugin is a security risk?

    I am not telling you to stop posting, I am asking nicely.

    Do you understand that your logging plugin is a security risk?

    Any plugin that creates content is a security risk — do YOU understand that?

    is that the point of this thread? After all, you already said you wouldn’t be using it.

    Don’t bother answering — I’m sure you can’t. Again.

    My frustrations with this forum are known. I think it is horrible that WordPress puts up a forum, calls it “support” and then it turns out that it is mostly the somewhat less blind leading the totally blind.

    Unbelievable. It’s free software offered under the GPL. What do you propose be done? Set up a phone bank somewhere? Have the devs chained to their computers answering asinine questions all day? Because there’s more of THOSE kind of questions being asked than legitimate pleas for help.

    I am not telling you to stop posting, I am asking nicely.

    What hubris.

    @ joni

    some people seem to live by that “the loudest chick gets the worm” credo. You would think, for someone so incredibly frustrated and angry, and let’s not forget, unwilling to do much of anything, there would be other, “better” software out there that would be calling his name.

    I hear the Joomla forums are looking for people.

    OH, wait, that’s had about 10 or so public exploits come out in the last month or so. Nevermind.

    alex, I mean this in the nicest way — i know what kinda cash porn webmasters make — why are you not soliciting paid help from the devs? You do know that that is available?

  • The topic ‘2.5.1: Looks like there is still a hole’ is closed to new replies.