This article is more than 1 year old

Comments considered harmful: WordPress web hijack bug revealed

Patch NOW after researcher drops zero-day on popular blog software

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts.

The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments system.

The vulnerability is present in WordPress version 4.2 and below. Pynnönen revealed the flaw on his blog on Sunday before the WordPress team could release a patch for the software: the researcher feared WordPress would take too long to fix the hole, and wanted to warn everyone beforehand.

"I didn't report the bug to the vendor this time," Pynnönen told The Register in an email earlier today.

The security blunder is exploited by posting a 64KB comment to a WordPress blog page. This data is truncated as it is written to the database, breaking safety checks that are supposed to filter out malicious code when the comment is displayed to visitors.

This means an attacker to post a comment containing JavaScript that runs in the visitor's browser. If this comment is viewed by a site administrator reading the comments, the script will execute and can change the admin's password, create new admin accounts, deface the site, upload dodgy material, and so on. The code can hijack the accounts of normal users visiting the page, too.

Youtube Video

The flaw is similar to that discovered by researcher Cedric Van Bockhaven, which WordPress finally got around to patching last week. Bockhaven found that certain invalid characters in comments would allow malicious JS code to slip through and execute in visitors' browsers. This new bug relies of excessively long comments rather than invalid characters to break the filtering.

"[WordPress] took 14 months to produce the code to detect invalid characters in comments," Pynnönen told us, explaining why he revealed his XSS bug before a patch was available.

"During this time all WordPress servers using default comment settings have been quite easily 'hackable'. Now it turns out they still didn't get it right.

"Communication with WordPress developers has been difficult. During the past months I've been trying to find out what they are doing about my previous (yet unreleased) bug. I haven't got any communication from them since November despite trying to ask them directly, via HackerOne staff, and even with help from our national authority (CERT-FI).

"They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable."

To fix the security hole, admins should upgrade to WordPress 4.2.1, which was released in the past few minutes. "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," the team said of the latest version. ®

More about

More about

More about

TIP US OFF

Send us news


Other stories you might like