dyske
Forum Replies Created
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
> Liken it to voting, if you will, for simplicity — “if you don't vote you can't bitch”.
I’ve learned from this experience that your statement above is correct. In fact, I think www.remarpro.com should have a simple questionnaire that helps the users to decide whether to go with self-install (.org) or hosted (.com) where one of the questions is: “Are you willing to upgrade as soon as a new version is released?” If the user answers “no”, s/he should be redirected to wordpress.com instead of downloading the installer.
If the user needs to customize the site (beyond what wordpress.com allows), then s/he would probably be better off going with Blogger, which is more secure.
If such practical advice were given more prominently on www.remarpro.com, we would see much less “bitching”, and the web would be that much safer for it. “Voting” is a social obligation. The problem with WordPress is that most people are not aware of the fact that upgrading is an obligation when you install WP yourself; it is not a preference. This should be made clear to all self-installers.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
> There’s a good chance I may never upgrade. If I really want a new feature I can code it myself.
Not a bad idea. The thing is, upgrading does not necessarily make the site more secure. New features could introduce new security holes. It’s possible that WP 1.0 is still more secure than 2.8.4 (although I’ve never seen 1.0 myself). The introduction of all the new features and the complexity of code also introduce possible security vulnerabilities. This time the upgraders came across as the smart ones, but it’s possible that in the future, all the upgraders get hit by hackers who targeted the security hole in a new feature. If so, the upgraders could come across as the fools. You never know. There are plenty of very simple blog applications that never required any upgrading for years without getting hacked. The key is simplicity. So, any web app development is about striking the right balance that YOU want. WP is a good example of sacrificing security for the sake of features.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
I just read Core Security Technologies’ bulletin. It’s a different issue, but it appears that fixing that security hole happened to fix this double-slash security hole also.
Core’s bulletin describes the hacker being able to access plugin pages. The problem we are dealing with on this thread deals with the hacker being able to access all the Options pages (including the Permalink Options page) just with a subscriber account and with adding another slash after wp-admin (e.g. /wp-admin//options-general.php).
It appears to me that as part of the fix to address the security hole discovered by Core, the development team added the “capability” checks more consistently across all the admin pages. So, this double-slash hack no longer works in 2.8.4. But, I’m not sure if the WP team was aware of the double-slash problem.
The following line to check the user’s capabilities should have been added consistently to all the admin pages, but it appears that it was added little by little over the years:
if ( ! current_user_can('manage_options') ) wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
The oldest version that I have at my disposal is 2.6, and I see some admin pages have this checking routine but many do not. As the version number increased, more of these checks were added. I’m not sure why the team decided to use it sporadically. Since the mechanism already existed in 2.6, why not use it consistently for all pages? Even the names of capabilities were already defined in 2.6, so I tried adding the line above to all the admin pages in 2.6, and they worked fine. It’s somewhat strange to implement a nice mechanism but not use it.
In any case, as far as I can tell, this hack should not work on 2.8.4 because the second step of this hack (after creating a subscriber account) requires access to the Permalink Options page via a subscriber account. I tried but it didn’t work.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
Yeah, I’m going to bed now.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
Sorry, I just realized that the exported XML does not contain the users table. It just exports all the posts, which are already public information. So, this isn’t so bad.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
It’s easy for webmasters and developers to say nobody should be using the old versions, but WordPress is being used by many people whose passion and professions are NOT maintaining websites and staying informed of the latest security threats. People just want to blog. Most people feel that upgrading their software once a year is good enough. If every blogger were a webmaster, the blogosphere would be nothing but people talking about blogs.
But this does make me think twice about recommending that people install WP. Those who do not have professional webmasters taking care of their blogs should not install their own. They should just use the hosted version at wordpress.com.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
Yeah, somewhere between 2.8 and 2.8.2, they must have added the line below:
if ( !current_user_can('edit_files') ) wp_die(__('You do not have sufficient permissions to export the content of this blog.'));
Basically, any admin file that does not have the function current_user_can() at the top can potentially be accessed with the double-slash hack.
I checked 2.8 vs 2.8.4. The function does not exist in the former but it does in the latter.
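The observation in this post and in the later one about 2.8.4 (checks present on some admin pages but not others) can be turned into a mechanical audit. The following is an added example, not code from the thread or from WordPress: it scans PHP admin-page sources for a current_user_can() guard and reports pages where the guard is missing or appears only after the page has already touched the database or started output. The regexes are heuristics chosen for this example, and the page contents are constructed stand-ins for wp-admin/*.php, not real WordPress source.

```python
"""Audit WordPress-style admin pages for a missing capability check.

Added example, not code from the thread or from WordPress. It encodes the
point made above: an admin page that never calls current_user_can() is
reachable by any logged-in user once the routing layer is bypassed.
The page contents at the bottom are constructed stand-ins, not real files.
"""
import re

# Heuristic: a capability guard such as
#   if ( ! current_user_can('manage_options') ) wp_die(...);
# The capability name is captured so the report can show what is required.
GUARD_RE = re.compile(r"""current_user_can\(\s*['"]([A-Za-z_]+)['"]""")

# Heuristic: first sign that the page does real work or emits output.
OUTPUT_RE = re.compile(r"""(\$wpdb->|echo\s|\?>|header\()""")


def find_guard(php_source: str):
    """Return the first capability named in a current_user_can() call, or None."""
    m = GUARD_RE.search(php_source)
    return m.group(1) if m else None


def guard_before_output(php_source: str) -> bool:
    """True if a capability check appears before the first output / DB access."""
    g = GUARD_RE.search(php_source)
    o = OUTPUT_RE.search(php_source)
    if g is None:
        return False
    if o is None:
        return True
    return g.start() < o.start()


def audit(pages: dict) -> dict:
    """Map each page name to a verdict: 'ok', 'late-check', or 'missing'."""
    verdicts = {}
    for name, src in pages.items():
        if find_guard(src) is None:
            verdicts[name] = "missing"        # no check at all (the thread's case)
        elif not guard_before_output(src):
            verdicts[name] = "late-check"     # check exists but work happens first
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample pages (stand-ins for wp-admin files, not WordPress code).
SAMPLE_PAGES = {
    "options-general.php": (
        "<?php\nrequire_once('admin.php');\n"
        "if ( ! current_user_can('manage_options') ) wp_die(__('You do not have "
        "sufficient permissions to manage options for this blog.'));\n"
        "$title = __('General Settings');\n?>\n<h2>General</h2>"
    ),
    "options-permalink.php": (
        "<?php\nrequire_once('admin.php');\n"
        "$title = __('Permalink Settings');\n?>\n<h2>Permalinks</h2>"
    ),
    "export.php": (
        "<?php\nrequire_once('admin.php');\n"
        "$posts = $wpdb->get_results(\"SELECT * FROM $wpdb->posts\");\n"
        "if ( ! current_user_can('edit_files') ) wp_die('nope');\n"
    ),
}


def exposed_pages(pages: dict = SAMPLE_PAGES) -> list:
    """Pages a low-privilege user could reach if only the routing layer protects them."""
    return sorted(n for n, v in audit(pages).items() if v != "ok")


if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_PAGES).items()):
        print(f"{name:24s} {verdict}")
```

Run it against a real wp-admin directory by reading each *.php file into the dict; anything reported as "missing" or "late-check" is a candidate for the one-line guard quoted above. The heuristic cannot see checks performed by an included file, so treat its output as a list to review, not a verdict.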
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
I tested it on 2.8 and I just double-checked. I’m able to export.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
The double-slash hack does not even require any coding. Anyone can do this. All you have to do is register as a subscriber and then type in the URL to the admin pages with an extra slash.
I bet many spammers have known about this for a while and they must have already visited all the popular WP blogs and downloaded their entire databases. This would explain many strange user registrations in the past few weeks.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
OK. This might cause a panic, but /wp-admin//export.php is fully functional. This means that a mere subscriber can download your entire database as an XML file, including all your email addresses.
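Because the technique described in this post and the one above it needs nothing but a browser, the trace it leaves is the request line itself. The following is an added example, not part of the thread: it scans combined-format access log lines for requests that reach /wp-admin/ through a repeated slash (including a %2F-encoded one, which the detector decodes before matching) and lists which client fetched which admin page, so an export.php download can be found after the fact. The log lines are constructed samples, not real traffic.

```python
"""Flag requests that reach wp-admin through a doubled slash.

Added example, not part of the thread. Scans Apache/nginx combined-format
access log lines for paths such as /wp-admin//export.php and reports which
client hit which admin page with what status. Sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: client, identity, user, [time], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def normalize(path: str) -> str:
    """Drop the query string, decode %-escapes, collapse runs of slashes."""
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)


def is_double_slash_admin(path: str) -> bool:
    """True when the raw path contains a repeated slash and normalizes into /wp-admin/."""
    decoded = unquote(path.split("?", 1)[0])  # %2F is treated as a slash for matching
    return "//" in decoded and normalize(path).startswith("/wp-admin/")


def scan(lines):
    """Return {client_ip: [(timestamp, normalized_admin_page, status), ...]} for suspect hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        if is_double_slash_admin(m["path"]):
            hits[m["ip"]].append((m["ts"], normalize(m["path"]), int(m["status"])))
    return dict(hits)


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2009:02:11:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [14/Aug/2009:02:11:31 +0000] "GET /wp-admin//export.php?download=true HTTP/1.1" 200 188342',
    '198.51.100.5 - - [14/Aug/2009:02:12:02 +0000] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 9120',
    '198.51.100.5 - - [14/Aug/2009:02:12:40 +0000] "POST /wp-admin/%2F/options-general.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [14/Aug/2009:02:13:00 +0000] "GET /2009/08//some-post/ HTTP/1.1" 200 4012',
    '192.0.2.9 - - [14/Aug/2009:02:13:10 +0000] "GET /wp-admin/options-general.php HTTP/1.1" 302 0',
]


def suspect_clients(lines=SAMPLE_LOG) -> list:
    """Clients that used a doubled slash to reach any admin page."""
    return sorted(scan(lines))


def exported_by(lines=SAMPLE_LOG) -> list:
    """Clients that fetched export.php through the doubled slash and got a 200."""
    return sorted(
        ip for ip, hits in scan(lines).items()
        if any(page.endswith("/export.php") and status == 200 for _, page, status in hits)
    )


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        for ts, page, status in hits:
            print(f"{ip:15s} {ts} {page} {status}")
```

A doubled slash outside wp-admin (the /2009/08//some-post/ line) is ignored, and a plain /wp-admin/ request is not flagged, so the output is only the traffic the thread is worried about. A 200 on export.php through the doubled slash is the case worth treating as a confirmed data export.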
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
If, for whatever reason, you cannot upgrade (because of the plugins or because you modified the admin), just add the following lines at the top of the options pages in wp-admin:
require_once('admin.php'); // This is already here
// Add these lines...
if ( ! current_user_can('manage_options') )
    wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
@rwboye
I cannot hack into your blog because you don’t allow people to register. I realize that this is the first line of defense, although this would not protect you from the hacker who already registered before you disabled the registration.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
Wait, this is a serious flaw. I just realized that by using the double-slash scheme I can access pretty much any of the options pages, including the general options. So, everyone REALLY needs to upgrade to 2.8.4.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
The double-slash scheme to get to the Permalink Options page does NOT work for 2.8.4 (the latest). So, I guess the people at Automattic were already aware of this and fixed it.
Forum: Fixing WordPress
In reply to: Question About Possible Hack of Site
I’ve deleted the “admin” user from all my sites. As long as there is one other person with admin privileges, WP will let you delete “admin”.