Categories
Technology Weblogging

Second change

A vulnerability was discovered in WordPress 1.2.1 and 1.3a, as detailed here and in a forum thread for WordPress, here. The cause is that an important system value, the siteurl option stored in the database, is overwritten by wp-login.php whenever the application detects that the URL used to reach wp-login.php differs from the stored value. Both parts of that URL, the host name and the request path, are taken straight from the incoming request, so the value written to the database is chosen by whoever makes the request.

As both of those pages explain, there is usually more than one way to reach the same file (with and without a www prefix, for instance, or with extra path segments appended after the script name), and each variation rewrites the stored value. At a minimum this causes needless database updates; at worst it leaves siteurl pointing somewhere the site cannot be served from.

The current WordPress release was modified to make this less destructive, but it has not eliminated the problem. To close the remaining hole, I have removed the code that updates this value in the database from wp-login.php (though I have left the option in the database for now). Unfortunately, this brings back the original problem that code was written to solve, which is making it easy to move a WordPress weblog: without it, moving your weblog to another directory can make the administrative pages impossible to reach. In removing the vulnerability, I reintroduced that problem.

To fix that original problem, I added SITEURL as a new constant in the wp-config.php file, which I have renamed wf-config.php to differentiate it from the WordPress file. Now, when the weblog is moved, you change this one value with a text editor:

    define('SITEURL', 'http://wordform.org');

I also modified the code in functions.php that loads siteurl from the database, so that the cached value is replaced with SITEURL from wf-config.php (with any trailing slashes stripped):

    if ('siteurl' == $option->option_name) {
        // Ignore whatever the options table holds; the configured constant wins.
        $option->option_value = preg_replace('|/+$|', '', SITEURL);
    }

This is an interim fix, while the rest of the code is adjusted not to depend on this as an option loaded from the database. Once I’m sure this is so, I’ll remove the option from the database.
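As an added example (not Wordform's or WordPress's own code), here is what a config-driven siteurl can look like once the database is no longer trusted for it: the SITEURL constant from wf-config.php is validated once at load time, the option loader overrides whatever the options table holds, and the only remaining request-versus-configuration comparison reports a mismatch instead of writing anything back. The helper names wf_siteurl(), wf_override_siteurl_option() and wf_siteurl_matches_request(), and the sample values, are this example's own assumptions.

```php
<?php
// Added example, not Wordform's or WordPress's code: siteurl comes from
// configuration, is validated once, and is never written from request data.

// wf-config.php is expected to contain: define('SITEURL', 'http://wordform.org');
// The fallback below only exists so this example runs stand-alone.
if (!defined('SITEURL')) {
    define('SITEURL', 'http://wordform.org');   // constructed default for the example
}

/**
 * Canonical site URL from configuration: absolute http(s) URL, optional path,
 * no trailing slash. A malformed value fails loudly at load time instead of
 * silently breaking every administrative page.
 */
function wf_siteurl(): string
{
    $url   = rtrim(SITEURL, '/');
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || isset($parts['query']) || isset($parts['fragment'])) {
        throw new RuntimeException('SITEURL must be an absolute http(s) URL without query or fragment');
    }
    return $url;
}

/**
 * Hypothetical replacement for the removed wp-login.php block: compare the
 * request host to the configured URL and report a mismatch, but never call
 * update_option() with anything taken from $_SERVER.
 */
function wf_siteurl_matches_request(array $server): bool
{
    $expected     = parse_url(wf_siteurl());
    $expectedHost = strtolower($expected['host'])
                  . (isset($expected['port']) ? ':' . $expected['port'] : '');
    return strtolower($server['HTTP_HOST'] ?? '') === $expectedHost;
}

/**
 * Applied while options are loaded: whatever siteurl the options table holds,
 * including a value an unauthenticated request managed to change, is replaced
 * by the configured constant.
 */
function wf_override_siteurl_option(stdClass $option): stdClass
{
    if ($option->option_name === 'siteurl') {
        $option->option_value = wf_siteurl();
    }
    return $option;
}

// Demonstration with constructed inputs (no real database or traffic).
$tampered = (object) [
    'option_name'  => 'siteurl',
    'option_value' => 'http://www.itkitchen.info/wp-login.php/wp-content/themes/kubrick',
];
echo 'siteurl in use: ', wf_override_siteurl_option($tampered)->option_value, "\n";

$request = ['HTTP_HOST' => 'www.wordform.org', 'REQUEST_URI' => '/wp-login.php'];
if (!wf_siteurl_matches_request($request)) {
    // Diagnose the aliasing problem the original code tried to "fix", without
    // touching the database; the fix belongs in wf-config.php or a redirect rule.
    error_log('siteurl mismatch: request host ' . $request['HTTP_HOST']
            . ' differs from configured ' . wf_siteurl());
}
```

Run it with `php wf-siteurl.php`: the tampered option value is replaced by http://wordform.org, and the www request produces only a log line. The trailing-slash strip is the same normalisation as the preg_replace() in the post; the parse_url() check is the extra guard a practitioner would want so that a typo in the config file is caught at load time rather than discovered through a broken admin page.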

Categories
Weblogging

Quick update on Kitchen

Just a quick note to say that the Kitchen is still open for those who would like to post at the site. I did close it down at one point when the security problem happened a week ago, but it’s still open for writing and comments.

Currently, I’m editing Frank Paynter’s long posting on Why do we Blog — not content, the formatting. When Frank sent it to me in an email, copying it into the tool added unfortunate line breaks and they’ve caused problems. It should be much more readable now, or you can see the original at Frank’s.

There are some very interesting and compelling responses in this work, but I have to say, my favorite response is Happy Tutor’s, at the end.

Categories
Weblogging

What? No nomination?

Recovered from the Wayback Machine.

I see that none of you nominated me in any of the categories at the 2004 Weblog Awards including the technical category. Or the photoblog category. Or in the “Small Mammal” category, which I think I was last time I looked.

Luckily there’s no ‘hiking weblog’ category, or you’d all be dirt right now.

Somehow, and it was tough, I was so crushed, I have managed to swallow my disappointment and have gone out and cast votes for other people who were nominated – Molly and Meg for technical (taking turns daily), Meryl Yourish in her category, Feministe in hers. If you’re nominated and I know you, holler and I’ll vote for you, too. Do remember, though, that this is the same award that last year created a separate category just for women bloggers, leading to one of my better posts: Best Blog with a Female Spirit.

The 2004 Weblogging Awards is put on by the Wizbang weblog, known far and wide for its even handed coverage of politics. Yup, the only weblog more balanced is Little Green Footballs, who I have no doubt will win best blog.

(The Greenies are legendary in their fanatical devotion to Charles – look at how they screwed up Wikipedia.)

However, I think the awards are missing one category: The Mr. Rogers as Warblogger Award. This award would be for the person whose weblog writing best represents a weblog written by Mr. Rogers…if he were a warblogger.

Oh, hello Iraq. Boys and Girls, this is Iraq. Can we all sing hello to Iraq?

It’s a beautiful day in this neighborhood,
A beautiful day for a neighbor.
Would you be mine.
Could you be mine.
It’s a neighborly day in this beauty wood,
A neighborly day for a beauty
Would you be mine.
Could you be mine.
I have always wanted to have a neighbor
Just like you.
I’ve always wanted to live in a neighborhood
With you, so
Let’s make the most of this beautiful day
Since we’re together,
We might as well say,
“Would you be mine, could you be mine,
Won’t you be, my neighbor?”
Won’t you please?
Won’t you please?
Please won’t you be
My neighbor?”

Welcome, neighbor, to this neighborhood. You know how I like freedom. I’d like to talk to you about freedom. We usually talk over there on the couch, so let’s just go there. [gets up, sits over on the couch] Our special talking place. This talk is called “Fighting Terrorism and making the world safe for people like you and me.”

And for this award, I’d like to nominate Jeff Jarvis and the entire Spirit of America: Friends of Iraq campaign. I’ll even donate a red, white, and blue sweater as prize.

Categories
Weblogging

Kitchen was hacked

Recovered from the Wayback Machine.

The IT Kitchen was badly hacked. I had thought I had set the user permissions up so that this couldn’t occur, but obviously not.

Due to this, the Kitchen is closed, probably permanently.

I found the problem that led to the unusability – the siteurl had been changed in the database. This should not have been editable by any of the accounts on the site but admin, so I’m not sure where the ‘hole’ is. I’ll review the logfile.

WordPress users note–critical bug found

This is a vulnerability in WordPress 1.2.1 weblogs as well as 1.3a, as has been noted here, with a possible workaround and fix.

This isn’t a hack; it is a serious bug in the code affecting both 1.2.1 and 1.3 users. I’m still reading through the notes on this, but I’ve commented out the offending line in the wp-login.php file and we’ll see if that works for now, at least until the WordPress developers respond with something.

What seems to be happening is that if the URL of the request differs from the URL stored in the options table, WordPress attempts to ‘fix’ the discrepancy by overwriting the stored URL with the one from the request. So if someone tried to log in using http://www.itkitchen.info rather than http://itkitchen.info, under the right circumstances this literally broke the site.

There seems to be an .htaccess fix, but I removed the line that ‘attempted to fix’ the value, because that’s a scary damn line to have in an exposed file like this.


Final Update

This was either a deliberate exploitation of a known WordPress vulnerability, or a bizarre case of cookies gone mad.

If you had typed something like the following at IT Kitchen before I took out the update, you would have broken the site:

http://www.itkitchen.info/wp-login.php/wp-content/themes/kubrick/style.css

That’s it; that’s all you need to do. Just that, not a damn thing else. You don’t need an account, a user login, nothing. Just that URL. What triggered the update is that http://www.itkitchen.info is not the same URL as http://itkitchen.info. What made it devastating was the extra path appended after wp-login.php: the dirname() of that request URL, http://www.itkitchen.info/wp-login.php/wp-content/themes/kubrick, became the new siteurl, nothing exists under it, and the site broke completely.

Now, it’s easily fixed. Just request something like the following:

http://itkitchen.info/wp-login.php

This resets the value back to http://itkitchen.info.

I am pretty sure that no matter how you protect your site with .htaccess rules, I can easily hack your site in this way. Find the following lines in wp-login.php and remove them:

    // The offending check: both HTTP_HOST and REQUEST_URI come from the client.
    if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
        update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );
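As an added example, not code from WordPress or from this post, the following script replays the check quoted above against constructed $_SERVER arrays in the order the post describes: the plain login URL, the www variant with a path appended after wp-login.php, and the plain login URL again that resets it. It uses the same dirname() expression and the same loose comparison as the removed lines; the function and variable names, and the request list, are this example's own.

```php
<?php
// Added example, not WordPress code: replays the siteurl update logic from the
// wp-login.php lines quoted above against constructed requests.

/**
 * The value wp-login.php derives for siteurl from a request. This is the same
 * expression as the removed line: dirname() over a URL built from HTTP_HOST and
 * REQUEST_URI, both of which the client chooses. dirname() simply drops the
 * last path segment, so anything after the final slash is stripped and the
 * rest, including extra segments after wp-login.php, becomes the site URL.
 */
function wp_siteurl_from_request(array $server): string
{
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

/**
 * Apply a sequence of requests to a starting siteurl exactly as the removed
 * check would: overwrite the stored value whenever the derived one differs.
 * Returns the stored value after each request, so the damage and the reset
 * can both be seen.
 */
function replay_siteurl_updates(string $stored, array $requests): array
{
    $history = [];
    foreach ($requests as $server) {
        $derived = wp_siteurl_from_request($server);
        if ($derived != $stored) {   // the original's loose comparison
            $stored = $derived;      // stands in for update_option('siteurl', ...)
        }
        $history[] = $stored;
    }
    return $history;
}

// Constructed requests modelled on the post's IT Kitchen example (no real traffic).
$requests = [
    // 1. The host the site was set up with: derived value equals stored, no write.
    ['HTTP_HOST' => 'itkitchen.info',
     'REQUEST_URI' => '/wp-login.php'],
    // 2. The breaking URL from the post: www prefix plus a path after wp-login.php.
    ['HTTP_HOST' => 'www.itkitchen.info',
     'REQUEST_URI' => '/wp-login.php/wp-content/themes/kubrick/style.css'],
    // 3. The reset request from the post.
    ['HTTP_HOST' => 'itkitchen.info',
     'REQUEST_URI' => '/wp-login.php'],
];

foreach (replay_siteurl_updates('http://itkitchen.info', $requests) as $i => $value) {
    printf("after request %d: siteurl = %s\n", $i + 1, $value);
}
```

Run it with `php replay-siteurl.php`. The first request leaves the stored value alone, the second rewrites it to http://www.itkitchen.info/wp-login.php/wp-content/themes/kubrick (a directory that does not exist, which is why every admin page then failed), and the third puts http://itkitchen.info back. None of the three requests needs a session or a login, which is the point: the check runs before any authentication and trusts two headers the client supplies.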

Categories
Copyright Weblogging

Always off

Is this still on? Testing, testing.

Can you hear me? Good!

Frank Paynter is surveying several people about why they blog for a post he’s writing for the Kitchen. When he asked the question, I had a hard time answering. It wasn’t that I didn’t have good reasons to blog, because I do. In fact I have dozens of good reasons, hundreds! Give me several hours and I could, and probably would write them out into a post.

Of course, then there would be another day where I sat down at my computer in the morning just to check what’s new only to surface in mid-afternoon, wondering where the day’s gone. A better question for me isn’t why do I weblog, but why I do it so much.

The hype behind broadband is that you’re ‘always on’. I could be the poster child for ‘always on’ because lately that’s a pretty good description of my life on a day to day basis. As for my roommate, switch internet for TV and you could describe him, at least on the weekends.

So, as an experiment, I’ve set up my home laptops to do the work I normally do on my server, and I’ve gone out and saved several web pages of research for a new article, and today I’ll disconnect the cable modem. We’ve already disconnected the digital cable converters, and I’ll take them and the modem down to Charter.

If something goes wrong with my web sites, Hosting Matters will either correct the problem or keep it from being a problem for anyone else, and I’ll make any fixes I need when I connect. As for the Kitchen, I’ve tried to make this as self-sufficient as possible, because the strength of that effort should be in the fact that it’s not dependent on any one person.

I’ll be slower to respond to email, but I don’t think anyone will mind. I’ll post less, but most of us are posting less. In fact, you’re probably indifferent as to the state of my connectivity, but I want to provide a heads up for anyone who might be expecting responses from me.

I don’t plan on being offline at home forever–just for a couple of months, see how it goes. Maybe less. Maybe more.

All well and good, but what I hadn’t counted on is how all of this is going to impact on Zoe. You see, every morning after she gets breakfast, Zoe comes in and curls up on my cable digital converter box. This morning, it wasn’t there, so she had to make do. Tomorrow, even that will be gone. Poor dear.