WordPress on my machines? Just say no.
Sucuri researcher David Dede has uncovered a critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to hijack websites. Dede, part of a consultancy renowned for its prolific WordPress popping, found the Twenty Fifteen plugin installed on all WordPress sites is being actively …
Thursday 7th May 2015 12:19 GMT Phuq Witt
"My" Being the Operative Word
"...WordPress on my machines? Just say no...."
"my" being the operative word. I don't use WordPress for any of my personal sites. But when a complete 'non-techie' client asks you to build them a website on which they can C/R/U/D content, there really isn't anything more user friendly out there.
[Much though I shudder, every time I have to wade through the tangled PHP jungle of its codebase.]
Thursday 7th May 2015 08:50 GMT Mage
Thursday 7th May 2015 12:35 GMT Anonymous Coward
Looks like an update has removed that file now - several hosted sites here had the file yesterday (i.e. is in the backup) but is not present now.
Thursday 7th May 2015 14:13 GMT SImon Hobson
I'm not a programmer, and I haven't looked at the code involved ...
Such things are often obvious when looked at "from the outside" or with a fresh pair of eyes. A few times I've come back later (could be days, could be years) to look at some script I knocked up - and found myself wondering why on earth I did it that way :-/ Not just scripts on the computer - many a time I've either been stuck for how to do something and only thought of the way when I've given up for a cup of tea; or found a way and wondered the next day why I made it so hard.
And if you do any writing, always get someone else (ideally who isn't connected with it) to proof read it. You can read through it many times yourself - and another proof reader will find some "how did I miss that !" typos. That's just the way the human brain works.
Thursday 7th May 2015 15:16 GMT Anonymous Coward
Yeah, this is easy to overlook - just a bit of JS in an HTML file. Only problem is, it's using unsanitized input from window.location.hash, and it's found in predictable locations on target sites. The hardest part of exploiting it is tricking an admin into clicking a crafted URL.
The WTFs are that the offending JS was newly added window dressing (it's not in the twentyfourteen theme's example.html) and that something so innocuous is enough to own WP or any CMS.
Nuke icon because WWW doomsday is coming...
Friday 8th May 2015 13:39 GMT Phuq Witt
Shome Mishtake, Shirley?
"...Dede ... found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked..."
Eh? – TwentyFifteen is one of the default themes that ship with WordPress. Not a plugin. And, if my reading of your reading of the situation is right, the vulnerability is with Genericons [which is an open-source 'icon font' which can be included in any theme, or any website] – not a vulnerability with WordPress, per se.
Anyway, must dash now. I've recently built a WordPress theme which uses the Genericons font. So I better check I didn't leave the 'default.html' file in there!
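
Added example, not part of any comment above and not code from WordPress, Genericons or Sucuri: a small audit for the check the thread describes, listing HTML demo pages left inside Genericons directories and marking the ones that read window.location.hash. The "genericons" directory-name match and the function name are assumptions; the thread does not give the exact path.

```python
import os
import re
import sys

# Assumption: the icon font sits in a directory whose name contains
# "genericons"; the thread does not state the exact path.
DIR_HINT = "genericons"
# The thread names window.location.hash as the unsanitized input.
HASH_READ = re.compile(rb"location\s*\.\s*hash")


def find_leftover_demo_pages(root):
    """Return sorted (path, reads_hash) pairs for HTML files under Genericons dirs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Only consider directories below root with "genericons" in the path.
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        if not any(DIR_HINT in part for part in parts):
            continue
        for name in filenames:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    reads_hash = bool(HASH_READ.search(fh.read()))
            except OSError:
                reads_hash = False  # unreadable: still report the file
            findings.append((path, reads_hash))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reads_hash in find_leftover_demo_pages(root):
        label = "READS location.hash" if reads_hash else "static demo page"
        print(f"{label}: {path}")
```

Any HTML file it reports is a candidate for removal from a production site, since an icon font needs only its font and CSS files to work.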