Vote 2

WordPress Wins Pwnie Award for Mass 0wnage (For Many Many Security Vulnerabilities)

Angsuman Chakraborty

August 7th, 2008

WordPress wins the dubious distinction of Mass 0wnage Pwnie Award for an unbelievable number of WordPress vulnerabilities, over 140 as of today.

It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.

WordPress is known for quick releases but also for quicker updates after a major release which almost always consists of some disclosed and some undisclosed security vulnerabilities. WordPress disproves the open source software security theory based on "many eyeballs" which assumes that given enough people who review the code, almost any weakness of the software will be found and fixed. WordPress is open source and yet it is infested with security vulnerabilities.

The "security by obscurity" approach to security adopted by WordPress developers isn't really working. Will Matt & his merry team finally wake up and do a security audit?

Filed under Computer Security, Headline News, Pro Blogging, Web, Web 2.0, WordPress, WordPress Plugin | Tags: Application Security, Open Source, security audit, Security Vulnerability, Software Security, WordPress, WordPress Plugin | Comment on this Article 9 Comments | Email this Article

Pro Blogging News

Application Security News

Java Application Security Through Static Analysis

Serious Security Vulnerabilities of WordPress 1.5.1.2 and below

July 5th, 2005 WordPress is a very popular personal publishing platform aka blogging platform (with a primitive CMS) in use all over the web. There are a number of serious security vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system.

Is PHP Secure?

July 8th, 2005 After recent reports of several critical security vulnerabilities of PHP based software. I decided to take a closer look at the current state of security with PHP based products.

Wordpress Plugin - Angsuman's Wordpress Guard Plugin - Add A Second Layer of Security to Your Wordpress

November 13th, 2008 We are very happy to announce the much-awaited release of Angsuman's Wordpress Guard Plugin. It is a must-have Wordpress security plugin (compatible with all versions of Wordpress and tested upto version 2.6.3) that protects the vulnerable areas of your blog from outside access with an additional layer of security.

Ubuntu Releases Thunderbird Patch for Highly Critical Vulnerabilities

May 3rd, 2006 The security vulnerabilities addressed are: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information and Denial of Service. Ubuntu has issued an update for thunderbird.

WordPress 2.5 Due in 22 Years!

March 27th, 2008 WordPress Trac says: Milestone 2.5 Due in 22 years (04/01/30). Read on for more details.

WordPress 2.0.4 Security Update Released

July 31st, 2006 WordPress 2.0.4 is available for download. This release contains several important security fixes, so it’s recommended upgrade for all users.

WordPress 2.0.2 - Time To Upgrade?

March 10th, 2006 WordPress released yet another security release 2.0.2 fixing (yet again) unannounced XSS security bugs. I have not upgraded any of my blogs to 2.x release.

Critical WordPress Security Defect Found and Fixed in 2.0.7

January 11th, 2007 While WordPress 2.0.6 is still hot a serious security defect (SQL injection attack) was found and fixed in WordPress 2.0.7, which is currently available as RC1 (release candidate 1). The key defects fixed are: Security defect Worked around a PHP bug for PHP 4.x less than 4.4.3 and PHP 5.x less than 5.1.4 with register_globals ON that could potentially lead to SQL injection and other security breaches.

WordPress 2.0.3 Released

June 1st, 2006 The new features / fixes are: Small performance enhancements Movable Type / Typepad importer fix Enclosure (podcasting) fix Bugtraq reported issue & backporting of security enhancements from 2.1 (nonces) Misc. fixes etc....

Congratulations WordPress Plugin Contest Winners & Translator Pro Winner

August 26th, 2007 The WordPress plugin contest results were just announced by Mark Ghosh. We sponsored a copy of Translator Pro 5.0 plugin for the competition.

Pligg (Digg Clone) Releases Security Update 9.9.5

July 31st, 2008 Pligg is a popular Digg clone. This week has been a stressful week for many Pliggers due to a security vulnerability discovered and exploited by a few hackers.

Serious Security Vulnerabilities in Outpost Firewall Pro & Lavasoft Personal Firewall

July 18th, 2006 Bipin Gautam has reported a vulnerability in Outpost Firewall Pro, which can be exploited by local users to cause a DoS (Denial of Service). The vulnerability is caused due to an unspecified error in the Virtual Firewall driver (filtnt.sys) and can be exploited to crash the system by e.g.

Security: How Internet Explorer 6 Fares Against Mozilla Firefox?

August 28th, 2006 I think few graphs will clearly illustrate the gulf of difference between these two leading browsers (Internet Explorer 6.x & Firefox 1.x) in terms of security. Let's start with our favorite whipping boy,market leader Internet Explorer 6.x, shall we? Internet Explorer 6.x Security Advisories Source: Secunia Firefox 1.x Security Advisories Source: Secunia Now let's look at their criticality.

Microsoft Releases Patch To Fix ActiveX, Media File Flaws And More

August 12th, 2009 Microsoft has released nine patches to fix 19 security vulnerabilities affecting multiple Windows systems. The patches would address multiple critical ActiveX and Windows Media File loop holes that could invite hackers malicious attacks.

How to Backup & Restore MySQL Database

May 13th, 2005 Note: My WordPress database name is wordpress. I will use it in the example below.

Mark R Says:
August 10th, 2008 at 6:25 pm

Hi, do you have any reference for this news (WordPress winning)?

I think the mass ownage pwnie award went to WMF. Was WordPress even a nominee?

Angsuman Chakraborty Says:
August 11th, 2008 at 8:08 pm

“Mass 0wnage went to Wordpress for many many vulnerabilities.”
- Source

Angsuman Chakraborty Says:
August 12th, 2008 at 12:18 am

@Mark see my comment above for the source (pointed to by Matt Cutts in his tweet).

Abel Cheung Says:
August 21st, 2008 at 4:19 pm

Security audit? No. Never. Any sane person following wp-hackers development close enough would NOT even believe such thing will happen. The only thing ever related is just some repeated murmuring of it and angry complaints more than 2 years ago. Nothing more.

Angsuman Chakraborty Says:
August 21st, 2008 at 9:23 pm

Well said. I wonder why? Isn’t it time WordPress developers realized their inadequacy in providing robust security to WordPress?

Ryan Boren Says:
August 25th, 2008 at 4:57 pm

Most vulnerabilities are found internally by the WordPress community, especially Alexander Concha. WordPress.com has been audited at the request of some of the VIPs hosted there. WP has been audited by some security groups looking for publicity. It has been audited by students as part of their studies. It has been audited quite a lot. There is nothing obscure about our security, that’s a big reason why you actually know what our security problems are.

Many CVEs are for plugins, are duplicates, or are invalid. Of the CVEs issued for 2008, only a few are valid and applicable to core WordPress. We’ve certainly had too many security problems, but nowhere near as many as the CVE list implies.

WP’s popularity means a lot of CVEs and debate about our security are generated, even for practices that other blogging and CMS platforms continue to use. Others store md5 hashed or even plain text passwords while we use salted and stretched password hashes that defy rainbow tables. We use a well-researched, thoroughly audited cookie protocol. We sign cookies with a key stored in the DB and another defined in PHP so that a compromised DB or a misconfigured http server won’t compromise cookie signing. We don’t deliver auth cookies outside of the admin. We’re eliminating use of mt_rand() in favor of something more random. We’re ahead of the game in these areas. Of course, when one of the thousands of WP plugins is compromised and sites get owned, our name is mud regardless. That’s why we introduced automatic plugin upgrades, and are planning to do both automatic and manual security audits of plugins hosted at /extend/plugins/.

Angsuman Chakraborty Says:
August 26th, 2008 at 5:25 am

> There is nothing obscure about our security, that’s a big reason why you actually know what our security problems are.

I actually can point out many times when an update was released for security reasons but without disclosing the actual vulnerability, I had blogged about it in the past too.

> when one of the thousands of WP plugins is compromised and sites get owned, our name is mud regardless

One solution could be to run the plugins in a sandbox. More on it later.

> That’s why we introduced automatic plugin upgrades, and are planning to do both automatic and manual security audits of plugins hosted at /extend/plugins/

Last I checked /extend/plugins is only for GOL’ed plugins. What about plugins which are not GPL or aren’t free? Why not extend the security audit facility to any plugin developer?

However I think in the long run using a sandbox model will improve security.

I understand your concern about plugins. Such problems would have been very easy to address in language like Java which allows for security restrictions in external code through security manager and other means. Unfortunately in PHP it is harder to implement.

However you still cannot shift the focus solely to plugin developers. WordPress (core) over the years had too many serious security vulnerabilities and while they somewhat decreased with the maturity of the product, it is still alarming.

You mention several formal security audits on WordPress, if I understand you correctly. Can you please point me to any available documents which provides more details like scope of the audit and their verdict? I still see some issues when I delve into the code.

BTW: The biggest architectural issue I see with WP plugins framework is that a plugin author can easily introduce trojans (or worse) in sites using them.

WordPress Wins Pwnie Award for Mass 0wnage (For Many Many Security Vulnerabilities) Says:
December 20th, 2008 at 3:29 pm

[...] an article on Wordpress that may be of interest to many of you guys who use it. The link is here: WordPress Wins Pwnie Award for Mass 0wnage (For Many Many Security Vulnerabilities) According to the article, it seems there is a truckload of security issues with Wordpress… [...]

Simple solutions for complex problems.

WordPress Wins Pwnie Award for Mass 0wnage (For Many Many Security Vulnerabilities)

Pro Blogging News

Application Security News

Topics (map)

Taragana Network

Blog Stats

Translate

Poll

Latest Tweets

Pro Blogging

WordPress

Latest Friend Feeds

WordPress Plugin

security audit