Comments considered harmful: WordPress web hijack bug revealed

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts. The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments …

  1. depicus
    Mushroom

    About time

    I feel his frustration. Probably not on the same scale, but it's blinking annoying to report a security vulnerability and have it ignored. Security through silence is not security.

    1. Anonymous Coward
      Anonymous Coward

      Re: About time

      I'm not a huge fan of blunt force, but it appears to have worked, as 4.2.1 just showed up on the sites that I get admin notices from. That's scare number 2 - last week there were plugin updates as well, but those exposures were only announced after the fixes were in.

    2. Mark 65

      Re: About time

      WordPress seems to be the bloggers' variant of Flash - full of holes and patched every week.

  2. Mark 85
    Pint

    Might be a good plan but....

    My sense is that doing what he did is a good plan and forces them to do something instead of hiding by some form of obscurity. But if he found it, others probably have also and probably not the good guys. The down side, sometimes those who release bugs before contacting the company are vilified and pretty badly also. Still... he deserves a cold one.

    1. Anonymous Coward
      Anonymous Coward

      Re: Might be a good plan but....

      Indeed… I think something like Google's Project Zero is closer to the mark. Vendor is contacted, a period is given to come up with a fix, then the bug is publicised after a fixed period.

      Maybe have the ability to extend it by a maximum of a month if the vendor negotiates it. (That's where they went wrong in the case of Microsoft recently.)

      If you report something, then don't hear from the vendor, I think it reasonable to go public with the details, and 14 months is more than long enough!

  3. Mage Silver badge
    Happy

    Ah Comments.

    Only one of my many WP sites accepts comments. They are 100% moderated, you can safely see them on Admin page without risk and trash them.

    1. jde96
      Stop

      Re: Ah Comments.

      It says in the article that viewing the malicious comment in the admin panel is exactly how the admin account is compromised...

      1. Ole Juul

        Re: Ah Comments.

        I noted that admin is vulnerable too, but I'm patched on all sites. However, a 64KB comment is half a book so I'm not sure I'd be tempted to click on it anyway.

      2. Anonymous Coward
        Coat

        Re: Ah Comments.

        Don't forget to block the retarded 'pingback' stuff. I saw a few XSS attempts coming in through that backdoor.

        I'll get me coat... had enough of WP's crap security and emergency updates.

  4. Olius

    Mitigation...

    I wonder if setting post_max_size in php.ini to less than 64k could be a good workaround for people who can't upgrade their WP today. Obviously it might cause problems for other non-wp sites on a shared server. It might also cause problems if other WP functions need to do huge posts. I might check if this works later if I have time.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mitigation...

      You can get owned by a ~200-char comment.
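The exchange above weighs a server-wide post_max_size cap against the fact that a short comment can carry a payload too, and an earlier reply points at pingbacks as another way comment-like content arrives. The following is an added example, not code from The Register, the commenters, or the WordPress project: a must-use plugin that applies the two narrow stopgaps the thread discusses on one site only, so other sites on a shared server are untouched. It assumes the core filters `preprocess_comment`, `pings_open` and `xmlrpc_methods` and the `pingback.ping` XML-RPC method (all real WordPress names), and takes the 65535-byte limit from the "64KB" figure quoted in the thread. As the last reply notes, a length cap is not a fix for the bug itself; updating to 4.2.1 is.

```php
<?php
/**
 * Plugin Name: Comment hardening stopgap (added example, not WordPress core code)
 *
 * Save as wp-content/mu-plugins/comment-hardening-stopgap.php so it loads
 * without activation. Two narrow measures from the thread above:
 *   1. Reject comments over a byte limit on THIS site only, instead of
 *      lowering post_max_size in php.ini for every site on the server.
 *   2. Turn off pingbacks, another path by which comment-like content
 *      reaches the database.
 * The byte limit is an assumption taken from the "64KB" figure in the
 * thread. It is not a fix for the vulnerability: a short comment can also
 * carry a payload, so update WordPress regardless.
 */

// Maximum comment body size in bytes. strlen() counts bytes rather than
// characters, which is what matters for a storage-size limit.
const HARDENING_COMMENT_MAX_BYTES = 65535;

/**
 * Runs on the core 'preprocess_comment' filter before a submitted comment
 * is inserted. Returns $commentdata unchanged when it is acceptable and
 * otherwise stops the request with wp_die(), so nothing reaches the DB.
 */
function hardening_cap_comment_length( $commentdata ) {
    $body = isset( $commentdata['comment_content'] ) ? (string) $commentdata['comment_content'] : '';
    if ( strlen( $body ) > HARDENING_COMMENT_MAX_BYTES ) {
        wp_die(
            esc_html__( 'Comment too long.', 'hardening-stopgap' ),
            esc_html__( 'Comment rejected', 'hardening-stopgap' ),
            array( 'response' => 413, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'hardening_cap_comment_length' );

// Disable pingbacks: report every post as closed to pings, and remove the
// XML-RPC method that receives them so remote hosts cannot submit any.
add_filter( 'pings_open', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
```

Because the length check runs inside WordPress rather than in php.ini, it only affects comment submission on this site and leaves large form posts elsewhere (media uploads, other sites on the same PHP install) alone. Test it by submitting a comment just over the limit and confirming the 413 response, and check that `pingback.ping` no longer appears in the output of the `system.listMethods` XML-RPC call.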
