security alert

Hi @abigailm,

I appreciate your efforts to suggest a mitigation to users, but I have determined that my sites are not subject to this vulnerability because of hosting configuration…

Notice above I said that “If a server is configured properly, it won’t be an issue.” If your server settings are properly configured then you don’t need to do anything further. However, you mentioned that your site was not vulnerable because of this:

it requires an individual site to be accessible by IP address, so will not work for most sites on shared servers. Only for poorly configured dedicated servers.

That statement is unfortunately not accurate. I can show you a number of (good) shared web hosts that allow access to the site via IP Address. There are a number of other issues with that quote, but I won’t bore you with details.

So if you’re resting on that, then your site is not necessarily immune.

Here’s a good article that sums up why most security experts seem unconcerned…

The real reason why most security experts aren’t that concerned, is that we know how to properly secure/configure our sites, and our client sites, so this exploit could never get off the ground in the first place.

In any case, my only point is that WordPress has not patched this and apparently does not see a patch as a high priority.

That shouldn’t be seen as a reason not to take a security issue seriously. They have been alerted about this issue for years, and are only now addressing it because it has gotten more public notice.

While the core dev team does do an overall good job with security, there are areas where they lack security expertise.

It’s great that your site and server is secure, but please don’t advise other users not to take security issues seriously. Each site owner will need to asses their own site security issues individually.

In any case, we’re preparing the next version of WP-SpamShield, which will mitigate the issue.

– Scott

I can show you a number of (good) shared web hosts that allow access to the site via IP Address

That would require the site in the shared environment to have its own dedicated IP.

From: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

V. PROOF OF CONCEPT
————————-

If an attacker sends a request similar to the one below to a default WordPress
installation that is accessible by the IP address (IP-based vhost):

—–[ HTTP Request ]—-

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

————————

Wordpress will trigger the password reset function for the admin user account.

Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker’s choice.

Each site owner will need to asses their own site security issues individually.

Seems to me that the logical course of action would be to advise web site owners as to how to test their own site configuration. It’s easy enough to construct a post request in the form of [IP]/[directory]//wordpress/wp-login.php?action=lostpassword and see where it routes.

That would require the site in the shared environment to have its own dedicated IP.

While that’s the most straight forward, a dedicated IP isn’t required. Don’t forget about Temporary URL’s such as hxxp://11.22.33.44/~username/

It’s easy enough to construct a post request in the form of [IP]/[directory]//wordpress/wp-login.php?

True. You don’t even need a POST request…it’s even easier. Just use a GET request to your /wp-login.php page. (Or any page really.) Go to a browser, and see if you can visit your site by IP address (or any other host name). The .htaccess snippet above makes sure you can’t visit it by IP, or by any other domain. It has a side benefit that’s been long-known to help SEO as well: It prevents duplicate content issues in search engines by making sure that you don’t have both the www. and non www. versions of your site indexed. Let alone by IP address. If someone linked to your site using it’s IP Address, that could get indexed. (Not so likely, but still possible.)

If you have access to your Apache config, what you want is Canonical Hostnames. This can be done either in your main server configuration file, or in an .htaccess file.

The .htaccess snippet above makes sure you can’t visit it by IP, or by any other domain.

But the point is that it the .htaccess snippet isn’t necessary if the site configuration already prevents access by IP. So I’d just think it would make more sense overall for someone to write a script to test the site for the vulnerability than to put out a suggested fix that most users probably don’t need. (I’m not suggesting that YOU create the script — just that it would be easy enough to do )

I personally don’t like to clutter up files with unneeded code– so I’m not going to spend my time editing .htaccess files on a bunch of different sites when it only takes a couple of minutes to figure out that my sites aren’t vulnerable.

I don’t have a problem with you providing the information about the .htaccess edit – that’s fine. I jut personally think that for people managing multiple sites it is time consuming and there’s a whole lot of user-error things that can go wrong when unsophisticated users start editing .htaccess files. So I just think it would be more efficient to test first.

Yes, that definitely would be handy for someone to write a script to test.

You’re free to attack the issue in any manner you like. Whatever works best for you. ??

Hello everyone,

Just a quick update: WP-SpamShield version 1.9.9.9.9 has been released now, and provides mitigation for the CVE-2017-8295 WordPress zero-day exploit. Please see the changelog for more info.

– Scott

I cant believe it!!!!

Now all of my clients are getting a fresh warning – AGAIN!!!!

SECURITY ALERT: Insecure WordPress version detected. Your site is running WordPress version 4.7.5, which has 1 known security vulnerabilities. You should upgrade WordPress as soon as an update is available. If no update is available yet, then it may be necessary to apply other threat mitigation solutions. More Information.

THIS IS JUST RIDICULOUS

Yep. WordPress did not fix the vulnerability in the new security updates released today. Version 4.7.5 and all WordPress versions still have the vulnerability.

However, WP-SpamShield users are protected as of version 1.9.9.9.9.

then way are you splattering this huge red warnings across every website…

all our users are very non technical, we make sure all their websites are upto date and secure and on very good hosting etc…

your warnings are just confusing our clients.

and if you now say that your plugin protects the vulnerability then why are you still showing the warning????

@mikes-1,

Ok, please try to tone this down a bit. Flaming at us is not going to help anything. I would suggest that you target that frustration elsewhere.

then way are you splattering this huge red warnings across every website…

Those are standard WordPress admin warnings. We added clarification since your initial support request, so users have more info, and know where the warnings come from, and where the data comes from.

and if you now say that your plugin protects the vulnerability then why are you still showing the warning????

The data comes from an external database. We had no idea that WordPress would release a security update, and yet not fix a known security issue. That’s the real issue.

If you noticed, we released our last update before the new WordPress was released. Unfortunately we can’t see into the future.

Instead of flaming at us, I would suggest simply communicating with your clients, that WordPress did not fix the issue, and that WP-SpamShield protects their sites. (Or if you have mitigated the issue by other means, then let them know that.)

We’ve done nothing but try to help you out. We’re not going to respond to any more of these types of messages on this thread.

If you have any further issues, you’ll need to direct them to the WP-SpamShield Tech Support Page.

– Scott

looks like ill just be changing over to paid version of https://cleantalk.org/

less stress and customer confusion

I would repeat my earlier suggestion that with the next upgrade, WP-Spamshield be modified to:

A. Provide setting option to disable display of the WP security warning*
B. Suppress security warnings if latest version of WP is already installed.

*I’d note that this particular alert is only useful on sites that are not being regularly updated. Users who have WordPress set to auto-update and/or are using other security software like Wordfence to monitor for updates don’t need the added function.

@mikes-1

I’m sorry to hear you feel that way, but you’re always free to do as you like.

@abigailm

Thanks for your feedback, we always take that into consideration.

I just wanted to chime in to agree with others here – while I understand why you feel it necessary to post this alert… I don’t use WPSS for security. I use it to prevent spam, period. So, at the very least, it’d be awesome if you offered the option to suppress these messages across the board.
I too, have a whole bunch of alarmed folks who, just over the past 24 hours, are getting this message despite just having upgraded to the latest version of WP.
And thanks for a great plugin!

Hi @iamediaworks,

I don’t use WPSS for security. I use it to prevent spam, period.

It’s important to remember that anti-spam and security are tightly intertwined, so even though you may not realize it, WP-SpamShield does quite a bit behind the scenes to improve site security. Granted, not many anti-spam plugins have the strong security focus that we do, but they’re also not as good at fighting spam. Security has always been a huge part of WP-SpamShield’s core values.

In 2017, it’s more important than ever for site owners to educate themselves on cybersecurity — at least the basics. We’re doing our part to help educate users on security. The vast majority of our users appreciate this.

The most recent version of WP still has the vulnerability, so that was not a mistake, and should not be ignored. We were surprised to see that they did not patch that issue. We just released an update, and since WP-SpamShield mitigates the security threat, users will not see the alert.

We appreciate the feedback and will consider that for the future.

And thanks for a great plugin!

You’re quite welcome! ??

– Scott