WordPress can be remotely upgraded by non-authenticated user ?

I don’t think upgrade.php exists until you replace the entire wp-admin directory with whatever the latest version is. Running upgrade.php just takes care of background stuff to upgrade to the latest version. I don’t think it accesses anything remotely, and once the site is upgraded, it can’t be run again. I’m guessing that’s why it’s considered low risk.

Are there any details available from wordpress about why it was considered low risk and any further infomation surrounding this issue?

The upgrade.php should have a check in there for user/role but at a guess, it’s low risk because it’s benign. If the DB upgrade was done already then nothing happens. If it fails, then there are probably bigger problems going on.

The second line in that advisory’s example

https://www.victim.com/wp-admin/upgrade.php?step=1&backto=https://www.The-attacker.org

did not work for me on my 2.7 or 2.6.5 blogs. They just replied with “No Upgrade required” and took me to the blog when I clicked “Continue”.

From the badly worded description (spelling errors are not mine)

If the WordPress is not the last version, anybody can upgrades the aplication using wp-admin/upgrade.php

Which makes me think that this advisory is not a problem for current versions. This is contradicted later on when it says “All versions of wordpress are affected”.

Like I said, badly worded.

If it fails, you’ve got a Denial of Service attack!

The reason the upgrade is not working at the moment is there is no version to upgrade to, but yes, it seems no credentials are required to force an upgrade.

If you can poison dns (send the wordpress downloader where you want) it seems a easy attack vector.

If it fails, you’ve got a Denial of Service attack!

NO. Stop, take a deep breath. That’s just not how it works. Re-read that badly worded advisory. Try the examples.

DoS is background noise; you bring down some sites with just ab2 and the advisory says nothing about any DoS. Anyone with a shell script can hit a single web server with more requests than it can handle.

If someone can poison DNS with bogus entries, why would they waste time pointing to YOUR blog/wp-admin/upgrade.php…?

You can’t poison DNS that way and the redirect did not work if you are upgraded, you are thinking of a cross site scripting issue.

The XSS portion did not work when I tried the examples in that advisory on 2.6.5 and 2.7.

If you have an example that works, you can post it here or send it to [email protected] and inform the developers.

Er.. lets suppose your blog is for a company, and being able to gain control of such a blog (and post to it) is valuable: Suppose customers/readers of the blog could be encouraged to disclose information by following phishing links in a post that they might instinctively trust?

The point is if you could poison the hosts dns, you could redirect www.ads-software.com’s A records to a website indicating ‘upgrade needed’ and then force the download of your exploited code because anyone can force a wordpress install to upgrade.

Are there checks in place to mitigate this vector? Does the upgrade come over, e.g, www.ads-software.com’s SSL cert?

Zonknz,

And suppose someone is looking over your shoulder while you type your user ID and password? Or someone obtains your customer’s data from an unsecured backup? Or men in black hats compromise your system? Or uses a tri-vector amalgamation and a confluence of end user lack of preparedness and old patches?

It’s a problem of arbitrary complexity alright.

(Yes, I’m messing with you, in good humor on half a cup of coffee.)

This is all very interesting but pointless speculation since you have not yet read the advisory and/or come up with examples of how to use it. You are just speculating and mixing up security terms.

Which is all fine; but if you want to talk about this advisory please stay focused on what it supposedly addresses. If you want to go off into never neverland, well, indulge and have fun speculating about “what if”s.

When you can demonstrate something real and tangible regarding this advisory great. See my reply above this one for the e-mail to send it to. If you want to play “what if” then, sorry but you don’t know what you are talking about.

Moving on before this or I get mod-zapped…