January 25, 2012, 7:57AM

Multiple Bugs Haunt WordPress Setup

Researchers have found a string of weaknesses in the WordPress default installation page, including PHP code execution and a persistent cross-site scripting flaw, affecting versions 3.3.1 and later. WordPress officials say that they're not planning to fix the vulnerabilities as there's only a small possibility of exploitation by attackers.

The flaws were found by researchers at TrustWave's SpiderLabs, and in their advisory on the WordPress bugs, they describe how attackers would be able to exploit them. In the advisory, the researchers also include code that can be used to demonstrate the problems. Executing attacks on the vulnerabilities does require some specific conditions to be present.

"The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting," the advisory says in describing the XSS and PHP code execution bugs.

There also are other XSS vulnerabilities in the setup page for WordPress installations.

"The WordPress 'setup-config.php' installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission button, the javascript is rendered in the client's browser," the advisory says.

Officials from WordPress said that there is little risk of exploitation, so they will not be publishing patches for the vulnerabilities.

"We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small," WordPress officials said in response to the disclosures.

Comments

"WordPress officials say that they're not planning to fix the vulnerabilities as there's only a small possibility of exploitation by attackers."

Proves that they don't care about security and that their products and services should be abandoned by all.

Easier said than done if you aren't computer literate and you pay folks to set things up. You just have to hope for the best. WordPress is free, so I can see why whoever maintains and runs it for nothing isn't gung-ho to fix this.

What's a good alternative to WordPress for someone who wants to link a blog to a website? That's for someone who doesn't know code.

Your comments prove that you do not fully understand the situation, maybe you should do some research before you jump to conclusions. If a blog is fully set up (not a very long or difficult process) the attack window closes. Stop commenting on things you do not understand.

Why are you that RUDE? Each and every minute Microsoft Teams MAKE THE SAME DECISION about security threats FIXES they POSTPONED arguably, just for some respectable cost considerations and PRIORITY as well. Probabilities are USED in so many AREAS (insurances etc...) that BEING A PURIST looks like HAVING NOT GOT THE BIG PICTURE! AT ALL!

IMHO, you should throw away Windows 7 whatsoever, before feeling neglected by an open source blog service, which IS NOT PERFECT, but which is NOT THAT BAD at users, as your stance might suppose.

It is good to know about this flaw. I use WordPress on all my sites.

One very important thing to keep in mind is backup folders. Once you rename a /wordpress or /blog folder with a backup name, this breaks the installation and re-opens the vulnerability... Thanks for this post - we're ridding this file from active/inactive WordPress installations.
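A practical way to act on the article's point and on the backup-folder comment above is to audit the web root for WordPress trees that still lack a wp-config.php, because that is exactly the state in which setup-config.php is served. This is an added example in Python, not code from Threatpost, SpiderLabs or WordPress; it assumes the standard layout (the installer at wp-admin/setup-config.php, wp-config.php either in the install directory or one level above it) and builds a constructed temporary sample tree to scan.

```python
"""Audit a web root for WordPress trees whose setup-config.php is still reachable.
Constructed example; not Threatpost's, SpiderLabs' or WordPress's own code."""
import os
import shutil
import tempfile

# The installer page the advisory describes ships here in every WordPress release.
SETUP_PAGE = os.path.join("wp-admin", "setup-config.php")


def is_wordpress_root(path):
    """A directory counts as a WordPress root if it contains the installer page."""
    return os.path.isfile(os.path.join(path, SETUP_PAGE))


def is_configured(path):
    """WordPress accepts wp-config.php in the install directory or one level above it."""
    here = os.path.join(path, "wp-config.php")
    above = os.path.join(os.path.dirname(path), "wp-config.php")
    return os.path.isfile(here) or os.path.isfile(above)


def find_unconfigured_installs(web_root):
    """Return web-root-relative paths of installs that would still show the setup page."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(web_root):
        if is_wordpress_root(dirpath) and not is_configured(dirpath):
            findings.append(os.path.relpath(dirpath, web_root))
    return sorted(findings)


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def run_demo():
    """Build a constructed sample web root, audit it, and return the findings."""
    root = tempfile.mkdtemp(prefix="wproot-")
    try:
        _touch(os.path.join(root, "blog", SETUP_PAGE))
        _touch(os.path.join(root, "blog", "wp-config.php"))    # finished install: fine
        _touch(os.path.join(root, "site", "wp-config.php"))    # config one level above...
        _touch(os.path.join(root, "site", "wp", SETUP_PAGE))   # ...so this install is fine too
        _touch(os.path.join(root, "blog-backup", SETUP_PAGE))  # copy kept without wp-config.php
        _touch(os.path.join(root, "new", SETUP_PAGE))          # unpacked but never installed
        return find_unconfigured_installs(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("setup page still live under:", run_demo())
```

Run it against a real document root instead of the constructed tree by calling find_unconfigured_installs("/var/www") and remove or finish every install it reports.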

Copyright © 2012 threatpost.com