oss-sec mailing list archives
Re: WordPress (all versions): SPOF, RCE, and Negligence
From: Ben Tasker <ben () bentasker co uk>
Date: Mon, 21 Nov 2016 17:32:32 +0000
> Up the minimum PHP version to at least 5.6.0.
I assume you're talking about the PHP versions that WordPress supports (as opposed to on their update server?). Such sweeping version checks do not work well with stable distributions. Given that most web hosts use stable distros, implementing such a requirement would lock WordPress out of a substantial proportion of their target market: CentOS 6 will continue to be supported until Q2 2017, with maintenance releases until 2020. The version in the repos is 5.3.3 with security backports; Debian Wheezy has 5.4.45 (again with security backports) and will be supported until 2018.

An important question, of course, is whether the issues fixed in PHP 5.6.0 were correctly marked as security fixes (and as a result backported by the distro maintainers).

There was a similar issue a while back where Joomla! decided to run a version check to ensure the PHP version was >= 5.3.10. It broke a number of sites, and the most common fix seems to have been a core hack to disable that check. The logic for inserting that check was reasonable, but lacked consideration of who the market actually is.

The alternative is that hosters move onto more bleeding-edge distros, and I'm not convinced that's good in the long term.

On Mon, Nov 21, 2016 at 4:54 PM, Scott Arciszewski <scott () paragonie com> wrote:
This is the function that fetches downloads from the WordPress update servers:

https://github.com/WordPress/WordPress/blob/f5b6731777bbd1dfe290867d2240a2a68e2f0cf1/wp-admin/includes/class-wp-upgrader.php#L252-L283

The only verification it offers is an MD5 checksum, which is sent by the server that also serves the file:

https://github.com/WordPress/WordPress/blob/eeefec932f3d4f3b50369f6523c2cd8fad3d467f/wp-admin/includes/file.php#L482-L525

At no point lower in the automatic update process is a cryptographic signature verified. The update server is trusted explicitly and implicitly by every WordPress website online.

WordPress powers an estimated 26% of websites on the Internet. Consequently, the WordPress update server is one of the largest single points of failure (SPOF) on the Internet. If you manage to hack their infrastructure, you can push a false update to millions of WordPress blogs and get reliable remote code execution everywhere.

They are aware of this issue, and have been for years: https://core.trac.wordpress.org/ticket/25052

Additionally, PHP before 5.6.0 had terrible SSL/TLS support. It may also be possible to get targeted RCE out of a MitM condition due to their stubborn insistence on supporting PHP 5.2.4. I need to do more research here.

The WordPress culture, for those who are not aware, prioritizes higher adoption rates over better security. They see backwards compatibility as a usability problem more than a liability. The WordPress team also promotes the use of the misnomer "responsible disclosure" over the more accurate "coordinated disclosure", and refuse to entertain suggestions to improve their vernacular.

In short, WordPress is semi-toxic towards improving their own security -- mostly out of negligence and stubbornness rather than outright hostility (see: OpenCart). I don't believe there's much chance of fixing this, due to political problems rather than technological problems.

The first step towards a reliable solution would look like this:

1. Up the minimum PHP version to at least 5.6.0.
2. Use openssl_sign() and openssl_verify() with an RSA keypair maintained by their team.

A total solution would incorporate all of the elements listed here for both core updates and theme/plugin updates:

https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers#elements-automatic-updates

Should anyone wish to endure the steep uphill battle to try to get WordPress to fix this problem _before_ we see headlines titled "WormPress: How your blog was hacked" in the news, godspeed.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
<https://paragonie.com>
--
Ben Tasker
https://www.bentasker.co.uk
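One way to do the signed-update check Scott proposes (openssl_sign()/openssl_verify() with a publisher-held RSA keypair), as an added example that is not WordPress code or code from either poster. It assumes the publisher's public key is pinned in the installed code rather than fetched, the keypair generation and signing steps are included only so the script runs stand-alone, and the function names and sample package bytes are hypothetical.

```php
<?php
// Added example, not WordPress code. Contrast: an MD5 served by the same host
// as the file proves nothing about origin; a signature over the package,
// checked against a public key shipped with the installed code, does.
declare(strict_types=1);

// Publisher side (offline, private key never leaves the release machine).
function sign_package(string $packageBytes, string $privateKeyPem): string
{
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('unusable private key');
    }
    $sig = '';
    if (!openssl_sign($packageBytes, $sig, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($sig);
}

// Client side: $publicKeyPem is pinned in the installed code, never downloaded.
function verify_package(string $packageBytes, string $sigB64, string $publicKeyPem): bool
{
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); only 1 passes.
    return openssl_verify($packageBytes, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a freshly generated keypair and constructed sample data.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privPem);
$pubPem = openssl_pkey_get_details($pair)['key'];

$package  = 'constructed sample: contents of a core update zip';
$sig      = sign_package($package, $privPem);
$tampered = 'constructed sample: contents replaced on a compromised server';

var_dump(verify_package($package, $sig, $pubPem));    // bool(true)
var_dump(verify_package($tampered, $sig, $pubPem));   // bool(false): signature does not match

// The MD5-only scheme: checksum and file come from the same server, so a
// checksum served alongside a replaced file still matches it.
$servedMd5 = md5($tampered);
var_dump(md5($tampered) === $servedMd5);              // bool(true): check passes, origin unproven
```

The client never needs the private key, so compromising the update server alone does not let a replaced package pass verify_package(); the remaining risk moves to protecting the signing key.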