
Textpattern CMS support forum


#1 2014-07-25 12:55:43

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

WordPress woes

I’ve been getting a few extra spam emails recently and the dodgy links inside them seem to go to WordPress sites.

Then I read MAILPOET VULNERABILITY COMPROMISES THOUSANDS OF WORDPRESS SITES.

Not good.


#2 2014-07-26 01:04:41

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Re: WordPress woes

… and many of the links refer to Tiny MCE as well.

(oops, just realised this should’ve gone in “General Discussions”)


#3 2014-07-26 02:12:00

jstubbs
Moderator
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395

Re: WordPress woes

gomedia wrote #282450:

(oops, just realised this should’ve gone in “General Discussions”)

Moved!


#4 2014-08-07 04:36:03

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373


#5 2014-08-07 06:53:32

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137

Re: WordPress woes

I’ve just updated a bunch of client WordPress sites because of this, with a bunch more to go. Today might be a long day.


#6 2014-08-07 06:54:46

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137

Re: WordPress woes

gomedia wrote #282686:

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites

Is TXP OK?

I have emailed security [at] textpattern and asked for an official comment.

Last edited by gaekwad (2014-08-07 06:58:41)


#7 2014-08-07 20:06:37

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: WordPress woes

Whether this can take down your server depends on how well you’ve configured it.

While testing this, it took down my test server (server load exceeding 30, RAM depleted. Fixed by limiting the number of processes per user), but not my production server (CPU load at 30%, plenty of RAM left). But I’m not sure if that’s because of a vulnerability or because it’s simply too many concurrent visits, because even without the harmful payload in the exploit example code, the effect is the same.

What I do know is that the changes in WordPress 3.9.2 affect a file that is very very similar to the IXRClass.php file in TXP, so it would not surprise me if it was vulnerable. I haven’t found a reliable way to test this yet. Perhaps this requires a server that uses mod_php.

diff -r -u5 wordpress-3.9.1/wp-includes/class-IXR.php wordpress-3.9.2/wp-includes/class-IXR.php
--- wordpress-3.9.1/wp-includes/class-IXR.php   2014-03-15 06:01:14.000000000 +0100
+++ wordpress-3.9.2/wp-includes/class-IXR.php   2014-08-06 19:40:17.000000000 +0200
@@ -201,15 +201,41 @@

     function parse()
     {
         // first remove the XML declaration
         // merged from WP #10698 - this method avoids the RAM usage of preg_replace on very large messages
-        $header = preg_replace( '/<\?xml.*?\?'.'>/', '', substr($this->message, 0, 100), 1);
-        $this->message = substr_replace($this->message, $header, 0, 100);
-        if (trim($this->message) == '') {
+        $header = preg_replace( '/<\?xml.*?\?'.'>/s', '', substr( $this->message, 0, 100 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 100 ) );
+        if ( '' == $this->message ) {
             return false;
         }
+
+        // Then remove the DOCTYPE
+        $header = preg_replace( '/^<!DOCTYPE[^>]*+>/i', '', substr( $this->message, 0, 200 ), 1 );
+        $this->message = trim( substr_replace( $this->message, $header, 0, 200 ) );
+        if ( '' == $this->message ) {
+            return false;
+        }
+
+        // Check that the root tag is valid
+        $root_tag = substr( $this->message, 0, strcspn( substr( $this->message, 0, 20 ), "> \t\r\n" ) );
+        if ( '<!DOCTYPE' === strtoupper( $root_tag ) ) {
+            return false;
+        }
+        if ( ! in_array( $root_tag, array( '<methodCall', '<methodResponse', '<fault' ) ) ) {
+            return false;
+        }
+
+        // Bail if there are too many elements to parse
+        $element_limit = 30000;
+        if ( function_exists( 'apply_filters' ) ) {
+            $element_limit = apply_filters( 'xmlrpc_element_limit', $element_limit );
+        }
+        if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) ) {
+            return false;
+        }
+
         $this->_parser = xml_parser_create();
         // Set XML parser to take the case of tags in to account
         xml_parser_set_option($this->_parser, XML_OPTION_CASE_FOLDING, false);
         // Set XML parser callback functions
         xml_set_object($this->_parser, $this);
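Review bot: the element limit at `if ( $element_limit && 2 * $element_limit < substr_count( $this->message, '<' ) )` counts every `<` in the message, including those inside comments and CDATA sections, so a legitimate request whose text content carries many literal `<` characters is rejected as if it had more than 30000 elements; a comment saying that the `<` count is a cheap upper bound on element count (and that a filter returning 0 or false disables the check entirely through the `$element_limit &&` guard) would make that trade-off explicit. The DOCTYPE removal `'/^<!DOCTYPE[^>]*+>/i'` also stops at the first `>`, so a DOCTYPE with an internal subset is only partly stripped and is then rejected by the root-tag `in_array` check rather than by the explicit `'<!DOCTYPE' === strtoupper( $root_tag )` comparison; that is the intended outcome, but the comment `// Check that the root tag is valid` should say it is also the line of defence for DOCTYPEs that the regex and the 200-byte window do not catch.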

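The pre-parse checks from the 3.9.2 hunk ruud quotes, ported to Python as an added example (this is not the forum's, WordPress's or Textpattern's code) so a defender can see which constructed messages are turned away before any XML parser is created. `str.strip()` standing in for PHP `trim()`, `re.split` for `strcspn`, and characters instead of bytes for the 100/200 windows are assumptions of the port.

```python
import re

# Allowed root tags and default element limit, as in the 3.9.2 hunk.
ROOT_TAGS = ("<methodCall", "<methodResponse", "<fault")
ELEMENT_LIMIT = 30000


def preparse_xmlrpc(message, element_limit=ELEMENT_LIMIT):
    """Port of the pre-parse checks in WordPress 3.9.2's IXR_Message::parse().
    Returns the cleaned message, or None if it would be rejected before the
    XML parser is created. str.strip() stands in for PHP trim() (assumption)."""
    # 1. Remove an XML declaration inside the first 100 characters (PHP 's' flag = re.S).
    head = re.sub(r"<\?xml.*?\?>", "", message[:100], count=1, flags=re.S)
    message = (head + message[100:]).strip()
    if message == "":
        return None
    # 2. Remove a DOCTYPE inside the first 200 characters; the pattern stops at
    #    the first '>', so a DOCTYPE with an internal subset is only partly removed.
    head = re.sub(r"^<!DOCTYPE[^>]*>", "", message[:200], count=1, flags=re.I)
    message = (head + message[200:]).strip()
    if message == "":
        return None
    # 3. The root tag (first run without '>' or whitespace, at most 20 chars,
    #    like strcspn) must be an allowed XML-RPC root; leftovers from a partly
    #    removed DOCTYPE fail here.
    root_tag = re.split(r"[> \t\r\n]", message[:20], maxsplit=1)[0]
    if root_tag.upper() == "<!DOCTYPE" or root_tag not in ROOT_TAGS:
        return None
    # 4. Bail if there are too many elements: every '<' is counted, so the
    #    bound is 2 * limit (one opening and one closing tag per element).
    if element_limit and 2 * element_limit < message.count("<"):
        return None
    return message


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "plain": '<?xml version="1.0"?>\n<methodCall><methodName>demo.sayHello'
             '</methodName><params></params></methodCall>',
    "doctype": '<?xml version="1.0"?>\n<!DOCTYPE methodCall>\n<methodCall>'
               '<methodName>demo.sayHello</methodName></methodCall>',
    "subset": '<!DOCTYPE methodCall [<!ENTITY e "x">]><methodCall>'
              '<methodName>demo.sayHello</methodName></methodCall>',
    "html": "<html><body>not XML-RPC</body></html>",
    "blank": '<?xml version="1.0"?> \n ',
    "bloated": "<methodCall>" + "<a></a>" * 40 + "</methodCall>",
}
```

Calling `preparse_xmlrpc(msg, element_limit=20)` on each sample shows "plain" and "doctype" accepted and the other four rejected; with the default limit "bloated" is accepted, which is why the limit is filterable.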
