WordPress - irresponsible silent tarball update

Wednesday, August 17. 2005

It turns out, that the WordPress developers are not only slow in dealing with security holes, but totally irresponsible. It has come to my attention, that after I had disclosed to them, the obvious flaws in their security fix, they have silently replaced the release tarball of WordPress 1.5.2 with a fixed version at an unknown point in time during the last 2 days.

This means everyone who upgraded within the first day is most probably still vulnerable to the exploit. It is hard to guess how many people are affected, because the change of the tarball was performed without any notification of me or their users.

Update: from looking into the tarball timestamps, there is atleast a 9 hour time windows between both tarballs.

Please check if you have the most current version, by downloading
again and comparing the MD5 hash. My vulnerable tarball had the
following MD5

1adeedf43851fef40dbe6e9565131fcc  wordpress-1.5.2.tar.gz

the exact difference between this and the fixed version can be found within wp-settings.php.

In the original tarball you will find the following piece of code, that is actually vulnerable to a GLOBALS unset vulnerability, that is f.e. triggered by adding GLOBALS=1 as first parameter. This will result in the GLOBALS array being unset before the offending variables are unset. It is obvious that this completely bypasses the whole protection.

<?php
// Turn register globals off
if ( ini_get('register_globals') ) {
$superglobals = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET);
if ( isset($_SESSION) )
array_unshift($superglobals, $_SESSION);

foreach ( $superglobals as $superglobal )
foreach ( $superglobal as $global => $value )
if ( 'table_prefix' != $global )
unset( $GLOBALS[$global] );
}

?>

I have sent them the following code, that is now also part of the PHP manual and that is able to handle all known problems in other register globals deregistration code snipsets. This code is now within the replaced tarball.

<?php

// Turn register globals off

function unregister_GLOBALS() {

if ( !ini_get('register_globals') )

return;

if ( isset($_REQUEST['GLOBALS']) )

die('GLOBALS overwrite attempt detected');

// Variables that shouldn't be unset

$noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');

$input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());

foreach ( $input as $k => $v )

if ( !in_array($k, $noUnset) && isset($GLOBALS[$k]) )

unset($GLOBALS[$k]);

}

unregister_GLOBALS();

...

unset( $wp_filter, $cache_userdata, $cache_lastcommentmodified, $cache_lastpostdate, $cache_settings, $category_cache, $cache_categories );

I think it is not necessary to underline what I think about silently replacing tarballs to fix vulnerabilities, and not warning the own users, for marketing reasons. Luckily this is the world of open source and everyone has the choice to choose a developer team, that cares about the security of its users.

Posted by Stefan Esser in Security, PHP at 16:07

Comments (13)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Craig Hartel wrote (Link) ()

While the timing of the updates and such were not done in the best possible way, I would agree that communication is often an issue. I believe that your post is well-intentioned, Stefan, but when you state that the communication was not done in the interest of marketing, you are assuming you know the motives of the developers when it's likely that is not the case.

Kudos to you for not only identifying the security issue, but also for supplying a solution as well!

posted on Wednesday, August 17. 2005

#1.1 Stefan ()

What reason could a developer have to silently fix a tarball, other than to hide it?

What reason can a developer have, other than downplaying, to announce a new version, saying that it fixes security issues, but not saying how serious they were and that everyone should upgrade asap.

What reason can there be, that the WordPress developers claim in their forum, that the vulnerable tarball was only a very short time online, and that the release announcement was released after the fixed tarball. (While the timestamps of the tarball and of the blog posting that announced the new version clearly speak a different story).

And yes my words are sometimes very hard, but I simply get very angry, when a PHP application that was awarded for being the best communication tool, only a few weeks ago is endangering their users in such a way.

Oh yeah and before anyone believes, that I am a big WordPress hater and s9y lover. I have choosen s9y because I personally know the authors and while I dislike a lot of things in s9y, I see that they are very responsive when it comes to security issues. If you only look at the features, I cleary believe that WordPress is superior to s9y.

posted on Wednesday, August 17. 2005

#1.1.1 Mike Little wrote (Link) ()

Stefan,
as has been mentioned elsewhere, at the time the tarball was updated, the release *HAD NOT BEEN ANNOUNCED*!

I cannot speak for Matt's motivation in updating the tarball this way, but I'm quite sure it wasn't anything to do with marketing.

It is, unfortunately, typical developer action to spot a problem (or have one pointed out), and fix it in place. This isn't the first time there have been replacements of the release tarball with no indication -- though the last time was a simple non-security bug fix.

I agree that it is a bad thing to do. But the reason is poor release management not marketing or wishing to hide anything.

I understand that you get angry about these things, I do too, but your wording inflames people and detracts from your message. They become defensive and attack the messenger, and ignore the message. Which makes you want to shout the message louder. Things quickly degenerate into a slanging match and the original point is lost.

Try to remain more calm. You are doing an important job very well. Don't let your vital message get lost.

Mike

posted on Wednesday, August 17. 2005

#1.1.1.1 Stefan ()

Well I don't know how hard it is to see that the current tarball was build at 6:02 CET on 15th August. The original tarball has a timestamp of 21:06 CET on 14th August. 9 hours difference.

The Blog posting about WordPress 1.5.2 clearly carries a timestamp of 14th August 23:17 UTC. This is 4 hours and 45 minutes before the replacement tarball was build. Time enough for myriads of people to download it.

And well obviously I found the tarball before 14th August 23:16 CET, because that was the point in time when I emailed Matt about the holes. (6 hours and 44 minutes before the replacement) He asked someting around 2:xx CET which definitievly was after 23:17 UTC on the 14th and the next morning I had a mail from him, that was sent on the 15th at 5:57 CET, saying that he fixed it. This was obviously 5 minutes before the replacement tarball was build.

So if I am not a very good timetraveller someone is lieing here...

posted on Wednesday, August 17. 2005

#1.1.1.1.1 Mike Little wrote (Link) ()

Stefan,
You're info on the timestamps helps a lot, thanks, and has been coroborated elsewhere.

You are correct that the update does appear to be after the announcement -- but not 9 hours after (as I read your original argument to be saying).

Please bear in mind that everyone's defense of this issue stems from the following single message from Matt

> I can happily confirm that this is NOT an issue in 1.5.2, it was fixed
> as soon as he reported it which was after my initial build but before
> anyone had really downloaded it. If you were on IRC and grabbed it right
> away and have register globals on and don't have mod_security you may
> want to check to see if your wp-settings.php matches [2783].

So everything stems on Matt's interpretation of "as soon as". Your timings seem to show that to be over 4 hours.

Perhaps we should wait to hear a proper response from Matt, before calling anymore people liars.

Mike

posted on Wednesday, August 17. 2005

#1.2 terry chay wrote (Link) ()

Craig, while Stefan's language, as always, is not politic, he has an point, I think when you have enough coincidence of bad smells you have to say something is rotten in Denmark.

By what sort of reasonable story can security patches such as this be implemented quietly under the same version number and have such an inconsistent time discrepancy? I think Occam’s razor would reject them in favor of Stefan’s story.

(BTW, I use WordPress, not Serendipity. Like Stefan, I know many of the (former?) developers of s9y, but, unlike him, I think they've taken the wrong tack.)

posted on Wednesday, August 17. 2005

#2 Marc Abramowitz wrote (Link) ()

Stefan's language is a bit inflammatory, but I think that he has a valid point. It's not good development practice to silently rev something that is public without changing the version number. That's what the version number is for - to communicate changes so that people don't have to peek inside archives and do MD5's and such.

In the company where I work, we have tools for uploading packages to a central repository and those tools now disallow uploading a package and overwriting an already-existing version. This is because there were too many complaints from people about the chaos that this practice caused.

Occam's Razor would suggest to me that this was probably more likely the result of laziness than some kind of marketing conspiracy.

I would humbly suggest that the WordPress developers refrain from this practice for future issues. There is no shortage of version numbers and although it's a little bit of hassle to bump a version number for a minor change, it's the necessary thing to do when so many people depend on this software.

By the way, I say this as someone who got his blog hacked because he was slow to apply one of the 1.5 dot release security upgrades.