While longer posts and other pieces are being written, I will give a short overview of things that, if not everyone, then at least most of you should know.
Improved security in WordPress 2.4
Although the engine itself is only about 30 percent ready, some welcome innovations have already been announced, such as secure cookies and a new scheme for hashing stored passwords.
You can read about the secure cookie protocol in
this .pdf (116 KB, in English). In short, the new cookies look like this:
username | expiration time | HMAC(username | expiration time | key)
where key = HMAC(username | expiration time | secret key), in both cases!
The new protocol adds features such as server-side control over cookie lifetime, bulk re-validation (invalidation) of all issued cookies, and better confidentiality.
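The cookie format described above, as an added Python sketch that is not WordPress code: the per-cookie key is derived from a server secret, the expiration is enforced on the server rather than trusted from the client, and rotating the secret invalidates every issued cookie at once. The secret value, the "|" delimiter and SHA-256 as the HMAC hash are my assumptions; the page does not specify the hash function.

```python
import hashlib
import hmac

# Assumption: a server-wide secret kept in configuration (constructed value).
SECRET_KEY = b"constructed-server-secret-do-not-reuse"
SEP = "|"  # field delimiter; usernames containing it are rejected


def derive_key(username: str, expiration: int, secret: bytes) -> bytes:
    """Per-cookie key = HMAC(username | expiration) under the server secret."""
    msg = f"{username}{SEP}{expiration}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_cookie(username: str, expiration: int, secret: bytes = SECRET_KEY) -> str:
    """Build username | expiration | HMAC(username | expiration) keyed with the derived key."""
    if SEP in username:
        raise ValueError("username must not contain the field separator")
    key = derive_key(username, expiration, secret)
    body = f"{username}{SEP}{expiration}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}{SEP}{mac}"


def validate_cookie(cookie: str, now: int, secret: bytes = SECRET_KEY):
    """Return the username if the cookie is well-formed, unexpired and authentic, else None."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    username, exp_text, mac = parts
    if not exp_text.isdigit():
        return None
    expiration = int(exp_text)
    if expiration <= now:  # lifetime is checked on the server, not trusted from the client
        return None
    key = derive_key(username, expiration, secret)
    expected = hmac.new(key, f"{username}{SEP}{expiration}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return username


if __name__ == "__main__":
    cookie = issue_cookie("alice", 1_700_000_000)
    print(cookie)
    print(validate_cookie(cookie, 1_600_000_000))            # alice
    print(validate_cookie(cookie, 1_800_000_000))            # None: expired
    print(validate_cookie(cookie, 1_600_000_000, b"rotated"))  # None: secret rotated
```

Changing the secret (the last call) is the "bulk re-check" the post mentions: no cookie issued under the old secret validates any more.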
Passwords will now be hashed with the help of
phpass , which adds
salt to the usual md5 hashing (a
salt is a set of characters, usually letters of both cases, digits and special characters, that is combined with the password itself or with the hash sum of the password) and even stretches short passwords. All together, this greatly increases the cost of cracking by brute-forcing the hashes.
Also keep in mind that phpass will be used in Drupal and phpBB too, which means it becomes possible to share the same user registration data across these applications within one site, without any extra contortions.
In principle, the code responsible for the cookies and for password hashing with phpass can already be downloaded and tested; just don't do it on a live blog, because the user table will be hopelessly corrupted, all the more so if you have not made a backup yet ...
Some active holes in WordPress 2.3.x
1. By performing certain actions it is possible to access Drafts created by other users, including the administrator. So try not to keep confidential information in drafts. For now the hole exists in 2.3.1 and most likely in all previous versions. We await a bugfix in an update.
2. A hole in the plugin
Wp-ContactForm , through which an attacker can inject HTML code and get at the data being sent. There is no bug fix, but the plugin itself is old, so I advise simply replacing it with
Cforms II , especially since you can download the
Russian version from
Soniki .
3. A vulnerability found by the guys from
Seo Egghead . It consists in the ability to embed links into old posts, and usually everything looks as it should, except that PR will naturally drop. All versions from 2.1 to 2.3.1 inclusive are subject to such a "hack".
The Egghead guys advise searching the blog for words such as: mp3, download, adshelper, softicana, casino, viagra and the like (I don't need to tell you what they usually spam)))
Update permalinks correctly
After switching to 2.3.1, some users got a nasty glitch, or rather an error:
"Warning: Invalid argument for foreach () in /home/wallis3/public_html/wordpress/wp-includes/classes.php on line 92"
The fix is quite simple, but not obvious at the same time: you must first reset permalinks to the default ones (Settings > Permalinks > Default > "Update permalink structure"), after which you can restore your old structure and update again; the glitch should disappear.
Code markup on the WordPress.com blog hosting
Perhaps the usefulness of this note is questionable, because
WordPress.com is not very popular here (not to be confused with the free blogging platform
WordPress ); people far more often use BlogSpot / Blogger or ..., but so be it.
If you run a blog on WordPress.com, then for nice markup of source code there is a built-in implementation. It works like this:
[sourcecode language='language']
line of code 1
...
line of code n
[/sourcecode]
where language is one of: cpp, csharp, css, delphi, java, jscript, php, python, ruby, sql, vb, xml.
It is based on
SyntaxHighlighter by our compatriot (as I understand it) Alex Gorbachev.
Helping find the trackback
It turns out that among the WordPress template tags there is such a gem as
trackback_rdf , which inserts code invisible to the user that some programs and search bots use to determine the trackback address. The tag itself should be placed inside the Loop and hidden in an HTML comment so the reader does not see it. It looks like this:
<!--
<?php trackback_rdf(); ?>
-->
Well, that's all for today. See you later. And take care of yourself and your blog.
- Original article:
"The guys don't even know: protection in WordPress 2.4, holes and updating in 2.3, and syntax highlighting"