• IF your WP files are writable AND you are on a shared server (as most of us are) then there is a risk that a file of yours could be linked to a site that, when your files load, tries to get you to download a WMF file.

    This is NOT a WP exploit or weakness.

    The link is also one that you really must not click.

    This happens because of the shared hosting environment and some idiot running a script that writes this junk into your files.
    If this happens on your blog you need to check your files for links that you did not place there. Typical places to look would be theme files though any file that is writable could be a problem.
    Also tell your webhost.

    As detailed:
    https://news.bbc.co.uk/1/hi/technology/4566504.stm

Viewing 3 replies - 16 through 18 (of 18 total)
  • There’s always another way. Other than the “easiest” way….

    Well, not to kick a down horse, but honestly, I remember about 6 or so months ago submitting a bug report on path disclosures in the admin area, admin-footer.php, I believe (or something similar). The responses to my report were tepid at best, and given how that's the first bit of info anyone that's poking around your server is looking for, I was, at the time, surprised.

    I notice, now, that in the last couple of days there is a post here, somewhere, pointing out the same problem, and it's not just one file, it's a few.

    Am I surprised, now? Not really, unfortunately.

    Thread Starter Mark (podz)

    (@podz)

    I’ve had a conversation in #wordpress just now after reading some more.

    On my host, default files are
    Directory 755
    Files 644

    If I change files to 400 (which means apache can read the file only) the server flips the permissions to 600 immediately. With perms of 600, apache can write to the file.
    As I understand it, these kiddie scripts get apache to write to the files, so if apache has write access, my files can get compromised.
    Apparently, this has less to do with the software than it does the way hosts set up their server environments. This exploit can affect any file anywhere – and it’s just that phpBB, WordPress and other software is so widely used that they are the ones that are nailed each time. (I would hazard a guess that having common filenames is also an element ?).

    So from what I can gather, this WMF exploit does not look for WP files and find a security hole – it runs through a server that a host has set up lazily and cheaply. And hosts are hardly likely to hold their hands up to being cheapskates are they.

    What does not help is that many hosts do not allow files to be 644 – they require files to be much higher in order for them to be used normally. Although this does not affect this exploit and is another issue, I think this is an area where hosts should be explored to find out what’s what – after all, if 644 can be bad enough, 666 just makes it worse (and again, not exclusive to WP).

    (And I know this isn’t addressing the /wp-content issue !)
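The two checks the posters describe (look for links you did not place in your theme files, and find files the web server process could write to) can be scripted. The following is an added example, not code from this thread or from WordPress itself. The allowlist host `example.com` and the sample tree it builds (including the `badhost.invalid` link) are constructed for the demonstration; point `audit()` at your real install and your own domains instead.

```python
"""Audit a WordPress tree for (1) group/world-writable files and
(2) links to hosts you do not own, including any link to a .wmf/.emf file.
Usage: python wp_audit.py /path/to/wordpress example.com [more.hosts ...]
"""
import os
import re
import stat
import sys
import tempfile
from urllib.parse import urlsplit

# href= / src= attributes carrying an absolute http(s) URL
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*(https?://[^\s"'>]+)""", re.I)
SUSPECT_EXT = (".wmf", ".emf")          # image types the WMF exploit relies on
SCAN_EXT = (".php", ".html", ".htm", ".js")


def writable_by_others(path):
    """True if the group or world write bit is set (e.g. 666, 664, 775).

    Caveat from the thread: if Apache runs as your own user, 600/644 already
    lets it write/read; this check only covers the mode bits themselves."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def foreign_links(path, allowed_hosts):
    """Return absolute links whose host is not in allowed_hosts.
    Links ending in .wmf/.emf are reported regardless of host."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    hits = []
    for url in LINK_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts or parts.path.lower().endswith(SUSPECT_EXT):
            hits.append(url)
    return hits


def audit(root, allowed_hosts):
    """Walk root; return (sorted list of writable files, {file: [links]}).
    Paths are reported relative to root."""
    allowed = {h.lower() for h in allowed_hosts}
    writable, links = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if writable_by_others(full):
                writable.append(rel)
            if name.lower().endswith(SCAN_EXT):
                found = foreign_links(full, allowed)
                if found:
                    links[rel] = found
    return sorted(writable), links


def build_sample_tree():
    """Constructed sample install: one clean theme file, one footer with an
    injected .wmf link that is also world-writable. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp_audit_")
    theme = os.path.join(root, "wp-content", "themes", "default")
    os.makedirs(theme, mode=0o755)
    samples = {
        os.path.join(root, "index.php"):
            ("<?php require 'wp-blog-header.php'; ?>\n", 0o644),
        os.path.join(theme, "header.php"):
            ('<link rel="stylesheet" href="https://example.com/style.css">\n', 0o644),
        os.path.join(theme, "footer.php"):
            ('<p>footer</p>\n<a href="http://badhost.invalid/pic.wmf">x</a>\n', 0o666),
    }
    for path, (content, mode) in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def main(argv):
    if len(argv) < 3:
        print(__doc__)
        return 2
    writable, links = audit(argv[1], argv[2:])
    for f in writable:
        print("WRITABLE:", f)
    for f, urls in links.items():
        for u in urls:
            print("FOREIGN LINK:", f, "->", u)
    return 1 if (writable or links) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron or after each theme edit and compare against the previous report; a new entry means either you changed something or someone else did. On hosts that silently bump 400 to 600, as the poster saw, the mode-bit check will come back clean and you should rely on the link scan.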

  • The topic ‘WMF Windows image Exploit’ is closed to new replies.