Thu Sep 11 13:13:55 CEST 2008

cat ./. bag

Well, it took quite some time, but a rather early version of the PoC exploit for the flaw in WordPress has obviously found its way to the usual distribution sites very recently.
It would have been nice if this had happened a little bit later, as there are still lots of vulnerable blogs out there. On the plus side, the published version luckily comes with a kind of skiddie protection: the rainbow table creation part is not included in the code, and there are a couple of bugs which should in some cases prevent successful exploitation without some minor changes to the code.
I might think about publishing a working version in the future, but that will have to wait until there are fewer active 2.6.1 sites out there.

By the way, the code used to be a shell script with only genseed() and wp_generate_password() written in PHP. It was afterwards quickly turned into a PHP script as a whole (since there was no way of avoiding PHP completely anyway), which is why it actually looks like a shell script written in PHP, and why some strange-looking lines such as $MBOX="wp".`ps|md5sum|head -c 8`; remained. :)

Oh, and this is probably a good time to point out that if, for whatever reason, you do not want to update your blog software or cannot do so, you should at least deactivate the option that lets users register on the blog to protect against this vulnerability! That is required for versions below 2.6.1 just as well: the PoC should also work with 2.6 and, with some minor changes, even with older versions.
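As an added example (not part of the original post or of the PoC), here is a small POSIX shell check for the mitigation above: it classifies a blog as accepting or refusing self-registration from the response to wp-login.php?action=register. It assumes the 2.x-era wp-login.php behaviour, where a blog with registration disabled redirects to wp-login.php?registration=disabled and then shows "User registration is currently not allowed.", while a blog with registration enabled returns the registerform form; the sample responses in demo() are constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example, not the original PoC: check whether a WordPress blog
# still lets anyone register (the option this post asks you to turn off).
#
# Assumed WordPress 2.x behaviour for wp-login.php?action=register:
#   registration disabled -> 302 to wp-login.php?registration=disabled,
#                            login form then says
#                            "User registration is currently not allowed."
#   registration enabled  -> 200 with <form name="registerform" ...>

# classify_register_response RESPONSE
#   RESPONSE is a raw HTTP response (headers and body) as one string.
#   Prints one of: closed, open, unknown.
classify_register_response() {
    resp=$1
    if printf '%s' "$resp" | grep -qi 'registration=disabled' ||
       printf '%s' "$resp" | grep -q 'User registration is currently not allowed'; then
        echo closed
    elif printf '%s' "$resp" | grep -q 'name="registerform"'; then
        echo open
    else
        echo unknown
    fi
}

# check_blog URL
#   Fetches the registration page of a live blog (needs network and curl)
#   and prints the classification.
check_blog() {
    url=${1%/}
    resp=$(curl -s -i "$url/wp-login.php?action=register") || return 1
    classify_register_response "$resp"
}

# demo: runs the classifier over two constructed responses (no network).
demo() {
    closed_sample='HTTP/1.1 302 Found
Location: http://blog.example/wp-login.php?registration=disabled
Content-Type: text/html
'
    open_sample='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

<form name="registerform" id="registerform" action="http://blog.example/wp-login.php?action=register" method="post">
<input type="text" name="user_login" id="user_login" />
</form>'
    printf 'constructed closed sample: %s\n' "$(classify_register_response "$closed_sample")"
    printf 'constructed open sample:   %s\n' "$(classify_register_response "$open_sample")"
}

# Usage: . ./wpregcheck.sh; check_blog http://blog.example
[ "${1:-}" = demo ] && demo
```

A result of "open" on a 2.6.1 or older blog means the mitigation described above has not been applied; "unknown" usually means the site is not WordPress, the login script lives elsewhere, or a newer version changed the markup, so verify by hand before drawing conclusions.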

Posted by iso | Permanent Link | Tags: php, security, news, hpa | comments >>