We run a couple of blogs on WP 2.7.1. Right now we are afraid to upgrade anything, ’cause last time we did (up to 2.8) we got broken websites. We know it’s not WP’s fault, but that of some poorly written plugins we use. But to our total disappointment we can’t replace them right now. There are too many of them, and we are not sure which one causes the problems.

    However, we are concerned about security after that last hole was found. Probably the fix is just one or two patched files, isn’t it? Can’t we just replace the faulty files in our 2.7.1 installation and have it secured? We do not need all the other nifty features of WP 2.8.* right now.

    So can we?

Viewing 8 replies - 1 through 8 (of 8 total)
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    But to our total disappointment we can’t replace them right now. There are too many of them, and we are not sure which one causes the problems.

    Unless someone or some group takes up maintaining 2.7.x, you’re out of luck. As you are already aware, running an old version is asking for trouble.

    If you’re not careful, your total disappointment is going to turn into a total nightmare if (when) you get compromised.

    Thread Starter ArbuZz

    (@arbuzz)

    Yeah, very sad…

    Does anyone know what files were patched? I’m pretty sure the whole fix is just several additional lines maybe. Anyone?

    Just out of curiosity, I looked at a diff between the latest 2.7 and the latest 2.8… 319 files with differences. Keep in mind that a lot of functionality has changed between those versions… theme uploading being one. So I’m sure most of this is due to bug fixes and new functionality. Not sure how you would determine which are due to security issues.

    It may be worth it to try the upgrade again, maybe on a local copy of your site and see if you can fix the plugin compatibility issues.

    Thread Starter ArbuZz

    (@arbuzz)

    319 files… ouch.

    Although I think doing a diff between 2.8.3 and 2.8.4 should reveal that security change. Hm… that’s an idea, by the way. Thank you. Is there a quick way to do that?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Not likely. With 2.8.3 to 2.8.4 there were three files updated:

    $ svn diff --old=https://core.svn.www.ads-software.com/tags/2.8.3 --new=https://core.svn.www.ads-software.com/tags/2.8.4 | grep ^Index
    Index: wp-login.php
    Index: wp-includes/version.php
    Index: readme.html
    $

    Discarding readme.html and version.php, that leaves wp-login.php. The vulnerability did not live there (I have not found or looked for a good description of where it lives) so this info doesn’t really help your situation.

    If you just look at wp-login.php (for 2.8.3 -> 2.8.4) then the diff does not really help you.

    $ svn diff --old=https://core.svn.www.ads-software.com/tags/2.8.3 --new=https://core.svn.www.ads-software.com/tags/2.8.4 wp-login.php
    Index: wp-login.php
    ===================================================================
    --- wp-login.php        (.../2.8.3/wp-login.php)        (revision 11902)
    +++ wp-login.php        (.../2.8.4/wp-login.php)        (revision 11902)
    @@ -161,7 +161,7 @@
            $message .= get_option('siteurl') . "\r\n\r\n";
            $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
            $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
    -       $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
    +       $message .= site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n";
    
            $title = sprintf(__('[%s] Password Reset'), get_option('blogname'));
    
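    Review bot: the login is URL-encoded with rawurlencode() but the key in the same link is not; that is only safe because reset_password() strips the key down to [a-z0-9] before it is used, so these two sites need to stay in sync if the key format ever changes. The username was already in the mail body (`Username: %s`), so adding it to the link does not disclose anything new to the recipient.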
    @@ -182,15 +182,18 @@
      * @param string $key Hash to validate sending user's password
      * @return bool|WP_Error
      */
    -function reset_password($key) {
    +function reset_password($key, $login) {
            global $wpdb;
    
            $key = preg_replace('/[^a-z0-9]/i', '', $key);
    
    -       if ( empty( $key ) )
    +       if ( empty( $key ) || !is_string( $key ) )
                    return new WP_Error('invalid_key', __('Invalid key'));
    
    -       $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    +       if ( empty($login) || !is_string($login) )
    +               return new WP_Error('invalid_key', __('Invalid key'));
    +
    +       $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s AND user_login = %s", $key, $login));
            if ( empty( $user ) )
                    return new WP_Error('invalid_key', __('Invalid key'));
    
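    Review bot: the new `!is_string( $key )` guard runs after `preg_replace()` has already been applied to `$key`; move the type check ahead of the regex so the sanitiser only ever sees a string (preg_replace on a non-string subject does not yield a string, so the guard still trips, but the order reads as an afterthought). Reusing the `invalid_key` code and message for the `empty($login) || !is_string($login)` case is the right call, since a distinct "invalid login" error would reveal which half of the key/login pair failed. The `AND user_login = %s` clause is the substantive change here and deserves a one-line comment stating that a key is only valid for the account it was issued to.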
    @@ -370,7 +373,7 @@
    
     case 'resetpass' :
     case 'rp' :
    -       $errors = reset_password($_GET['key']);
    +       $errors = reset_password($_GET['key'], $_GET['login']);
    
            if ( ! is_wp_error($errors) ) {
                    wp_redirect('wp-login.php?checkemail=newpass');
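    Review bot: `$_GET['login']` (and `$_GET['key']`) is read without an `isset()` check, so a reset link that lacks the login parameter now triggers a PHP notice before reset_password() returns its `Invalid key` error; read it as `isset($_GET['login']) ? $_GET['login'] : ''` so the failure path stays quiet. Also worth documenting that reset links mailed out by 2.8.3 and earlier carry no `login` parameter and will be rejected after this upgrade.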
    $

    Thread Starter ArbuZz

    (@arbuzz)

    Wow,

    I guess that’s exactly what was patched. Having that narrowed to wp-login.php, I’ve found this:

    https://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html

    Thank you very much!

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    . . . *THUNK* . . . *CRASH* . . . *CAT NOISES* . . .

    NO. SORRY, BUT YOU ARE DOING IT ALL WRONG AND SETTING YOURSELF UP FOR A COMPROMISED BLOG.

    The point I was trying to make was that that was not the permalink exploit. The 2.8.3 -> 2.8.4 patch covered the “Remote admin reset password” problem. I (foolishly!) showed you that diff to illustrate that.

    The problem of permalink link getting modified, people registering and getting escalated privileges, adding javascript to hide the user, getting into a position to add spammy links into your posts? Totally different problem with a totally different set of files.

    I have not seen a write-up such as a CERT advisory or a proof of concept, but my understanding was that this current bug was fixed prior to 2.8.4. The release of 2.8.4 has another fix in it, so if you think this is the magic bullet, you’re really making a big mistake.

    Thread Starter ArbuZz

    (@arbuzz)

    Damn… as usual…

    Thank you for your time and concern though!

    Upgrading is not an option for us right now. It’s just not an option…

    I think the “upgrade-or-die” approach is very bad, having in mind all the problems that 2.8 unexpectedly brought to regular users. Despite all the goodies, this case can become a stumbling block for WordPress ubiquity. Those multiple bugs (https://www.securityfocus.com/archive/1/506011) might be just a sign of bigger problems to come.

    I’m in the middle between regular user and developer, so I’ve heard a number of different opinions about 2.8+. And they are not positive. One just can’t explain properly to a website owner why a plugin that worked perfectly for ages suddenly stopped working in 2.8 and has to be replaced with something else. Unexpectedly, people around the world got stressful and frustrating hours and days, degrading their blogs. And now they have been driven into a painful situation, where upgrading is pain, and not upgrading is potentially even more pain.

    That’s just not right.

    Especially when the whole fix consists of just several lines in this or that file.

    I’ve found another “fix” for another bug here:
    https://www.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Ftoscho.de%2F2009%2Fwordpress-2-8-3-das-doppelslash-problem%2F&sl=de&tl=en&history_state0=


    The topic ‘Secutity Patch without Upgrade..?’ is closed to new replies.