Categories
Technology Weblogging

First change

The first changes being made to the initial snapshot of the WordPress 1.3a code is to incorporate the ‘floating cloud’ design currently being used at Burningbird into a 1.3 theme. While I’m at it, I’m also moving the default pages down into the themes directory, to minimize the number of files at the root directory of the installation.

While I’m making the changes, pages and links may break from time to time. When finished, this effort should also be usable as a template/theme for WordPress 1.3a, and will incorporate, among other things: live comment preview, post-comment editing, and comment spell checkings.

Categories
Technology Weblogging

Second change

A vulnerability was discovered with WordPress 1.2.1 and 1.3a, as detailed here and in a forum thread for WordPress, here. This was caused by the fact that an important system variable, siteurl is modified in wp-login.php if the application detects that the URI used to access wp-login.php has changed from what’s stored in the database.

As detailed in both of the above locations, there is usually more than one way to access a specific file, and accessing the file using different variations of URL results in a change to this value that could cause problems with the site. At a minimum, it could result in unnecessary updates to the database.

The current WordPress release was modified to lessen the amount of destructiveness of this vulnerability, but it hasn’t eliminated the problem completely. To fix the remaining vulnerability, I’ve removed the code that updates this value in the database from wp-login.php (though I’ve left the option in the database for now). Unfortunately, this leaves the original problem that served as reason for this code, which is to make it easier to move your WordPress weblog if you need to. Without this code, moving your weblog to another directory can make the administrative pages impossible to access. When I removed the vulnerability, I added back this problem.

To fix this original problem, I added SITEURL as a new parameter to the wp-config.php file, now renamed wf-config.php to differentiate it from the WordPress file. Now, when the WordPress weblog is moved, you can use a text editor to change this value:

define (’SITEURL’, ‘http://wordform.org’);

I also modified the code in the functions.php file that loads siteurl from the database, setting the cached values to that of SITEURL from the wf-config.php file.

if (’siteurl’ == $option->option_name) {
$option->option_value = preg_replace(’|/+$|’, ‘’, SITEURL);
}

This is an interim fix, while the rest of the code is adjusted not to depend on this as an option loaded from the database. Once I’m sure this is so, I’ll remove the option from the database.

Categories
Weblogging

Quick update on Kitchen

Just a quick note to say that the Kitchen is still open for those who would like to post at the site. I did close it down at one point when the security problem happened a week ago, but it’s still open for writing and comments.

Currently, I’m editing Frank Paynter’s long posting on Why do we Blog — not content, the formatting. When Frank sent it to me in an email, copying it into the tool added unfortunate line breaks and they’ve caused problems. It should be much more readable now, or you can see the original at Frank’s.

There are some very interesting and compelling responses in this work, but I have to say, my favorite response is Happy Tutor’s, at the end.

Categories
Weblogging

What? No nomination?

Recovered from the Wayback Machine.

I see that none of you nominated me in any of the categories at the 2004 Weblog Awards including the technical category. Or the photoblog category. Or in the “Small Mammal” category, which I think I was last time I looked.

Luckily there’s no ‘hiking weblog’ category, or you’d all be dirt right now.

Somehow, and it was tough I was so crushed, I have managed to swallow my disappointment and have gone out and cast votes for other people who were nominated –Molly and Meg for technical (taking turns daily), Meryl Yourish in her category, Feministe in her’s. If you’re nominated and I know you, holler and I’ll vote for you, too. Do remember, though, that this is the same award last year that created a separate category just for women bloggers, leading to one of my better posts: Best Blog with a Female Spirit.

The 2004 Weblogging Awards is put on by the Wizbang weblog, known far and wide for its even handed coverage of politics. Yup, the only weblog more balanced is Little Green Footballs, who I have no doubt will win best blog.

(The Greenies are legendary in their fanatical devotion to Charles – look at how they screwed up Wikipedia.)

However, I think the awards are missing one category: The Mr. Rogers as Warblogger Award. This award would be for the person whose weblog writing best represents a weblog written by Mr. Rogers…if he were a warblogger.

Oh, hello Iraq. Boys and Girls, this is Iraq. Can we all sing hello to Iraq?

It’s a beautiful day in this neighborhood,
A beautiful day for a neighbor.
Would you be mine.
Could you be mine.
It’s a neighborly day in this beauty wood,
A neighborly day for a beauty
Would you be mine.
Could you be mine.
I have always wanted to have a neighbor
Just like you.
I’ve always wanted to live in a neighborhood
With you, so
Let’s make the most of this beautiful day
Since we’re together,
We might as well say,
“Would you be mine, could you be mine,
Won’t you be, my neighbor?”
Won’t you please?
Won’t you please?
Please won’t you be
My neighbor?”

Welcome, neighbor, to this, neighborhood. You know how I like freedom. I’d like to talk to you about freedom. We usually talk over there on the couch, so let’s just go there. [gets up, sits over on the couch] Our special talking place. This talk is called “Fighting Terrorism and making the world safe for people like you and me.”

And for this award, I’d like to nominate Jeff Jarvis and the entire Spirt of America: Friends of Iraq campaign. I’ll even donate a red, white, and blue sweater as prize.

Categories
Weblogging

Kitchen was hacked

Recovered from the Wayback Machine.

The IT Kitchen was badly hacked. I had thought I had set the user permissions up so that this couldn’t occur, but obviously not.

Due to this, the Kitchen is closed, probably permanently.

I found the problem that led to the unusability – the siteurl had been changed in the database. This should not have been editable by any of the accounts on the site but admin, so not sure where the ‘hole’ is. I’ll review the logfile.

WordPress users note–critical bug found

This is a vulnerability in 1.21.2.1 WordPress weblogs in addition to 1.3a, as has been noted here with a possible workaround, fix.

This isn’t a hack, as it is a serious bug in the code impacting on both 1.2.1 and 1.3 users. I’m still reading through the notes on this, but I’ve commented out the offending line in the wp-login.php file and we’ll see if that works for now–at least until the WordPress developers respond with something.

What seems to be happening is if the site request differs from the URL contained in the options table, WordPress attempts to ‘fix’ the problem, by making a modification of the URL. So it would seem that if someone tried to login using http://www.itkitchen.info, rather than http://itkitchen.info, under the right circumstance, this literally broke the site.

There seems to be an .htaccess fix, but I removed the line that ‘attempted to fix’ the value – because that’s a scary damn line to have in an exposed file like this.

 

Final Update

This was either a deliberate exploitation of a known WordPress vulnerability, or a bizarre case of cookies gone mad.

If you type something like the following at IT Kitchen, before I took out the update. you would break the site:

http://www.itkitchen.info/wp-login.php/wp-content/themes/kubrick/style.css

That’s it; that’s all you need to do. Just that – not a damn thing else. You don’t need an account, a user login, nothing. Just that URL. What triggered this is that http://www.itkitchen.info is not the same url as http://itkitchen.info. But what made it devestating was the addition of wp-content material. This makes it so that the site breaks completely.

Now, it’s easily fixed. Just do something like the following:

http://itkitchen.info/wp-login.php

This resets it back correctly.

I am pretty sure that no matter how you protect your site with .htaccess rules, I can easily hack your site in this way. Find the following line in wp-login.php and remove it:

if ( dirname(’http://’ . $_SERVER[’HTTP_HOST’] . $_SERVER[’REQUEST_URI’]) != get_settings(’siteurl’) )
update_option(’siteurl’, dirname(’http://’ . $_SERVER[’HTTP_HOST’] . $_SERVER[’REQUEST_URI’]) );