Kitchen was hacked

Recovered from the Wayback Machine.

The IT Kitchen was badly hacked. I had thought I had set the user permissions up so that this couldn’t occur, but obviously not.

Due to this, the Kitchen is closed, probably permanently.

I found the problem that led to the unusability – the siteurl had been changed in the database. This should not have been editable by any of the accounts on the site but admin, so not sure where the ‘hole’ is. I’ll review the logfile.

WordPress users note–critical bug found

This is a vulnerability in WordPress weblogs in addition to 1.3a, as has been noted here with a possible workaround, fix.

This isn’t a hack, as it is a serious bug in the code impacting on both 1.2.1 and 1.3 users. I’m still reading through the notes on this, but I’ve commented out the offending line in the wp-login.php file and we’ll see if that works for now–at least until the WordPress developers respond with something.

What seems to be happening is if the site request differs from the URL contained in the options table, WordPress attempts to ‘fix’ the problem, by making a modification of the URL. So it would seem that if someone tried to login using, rather than, under the right circumstance, this literally broke the site.

There seems to be an .htaccess fix, but I removed the line that ‘attempted to fix’ the value – because that’s a scary damn line to have in an exposed file like this.


Final Update

This was either a deliberate exploitation of a known WordPress vulnerability, or a bizarre case of cookies gone mad.

If you typed something like the following at IT Kitchen before I took out the update, you would break the site:

That’s it; that’s all you need to do. Just that – not a damn thing else. You don’t need an account, a user login, nothing. Just that URL. What triggered this is that is not the same url as But what made it devastating was the addition of wp-content material. This makes it so that the site breaks completely.

Now, it’s easily fixed. Just do something like the following:

This resets it back correctly.

I am pretty sure that no matter how you protect your site with .htaccess rules, I can easily hack your site in this way. Find the following line in wp-login.php and remove it:

if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
    update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );
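
To show why that line is dangerous, here is an added example (not part of the original post and not WordPress source) that runs the same comparison against an in-memory stand-in for the options table, next to a form that only reports the mismatch. The function names, the `$options` array and the `example.test` host names are constructed for illustration.

```php
<?php
// Added illustration, not WordPress source. $options stands in for the
// options table; host names and paths below are constructed samples.

// Same expression as the quoted wp-login.php line: built entirely from
// values the client supplies with the request.
function request_derived_url(string $host, string $uri): string {
    return dirname('http://' . $host . $uri);
}

// Behaviour of the quoted line: any mismatch is written straight to the
// stored setting, before any authentication has happened.
function login_page_original(array &$options, string $host, string $uri): void {
    $derived = request_derived_url($host, $uri);
    if ($derived != $options['siteurl']) {
        $options['siteurl'] = $derived;
    }
}

// Hardened form: siteurl is read-only on this code path. A mismatch is
// returned for logging and the stored value is left alone.
function login_page_hardened(array &$options, string $host, string $uri): ?string {
    $derived = request_derived_url($host, $uri);
    if ($derived !== $options['siteurl']) {
        return sprintf('siteurl mismatch: stored=%s request=%s',
                       $options['siteurl'], $derived);
    }
    return null;
}

$requests = [
    ['example.test', '/wp-login.php'],      // matches the stored setting
    ['www.example.test', '/wp-login.php'],  // same site, different host name
];

foreach (['original', 'hardened'] as $variant) {
    $options = ['siteurl' => 'http://example.test'];
    foreach ($requests as [$host, $uri]) {
        if ($variant === 'original') {
            login_page_original($options, $host, $uri);
        } elseif (($note = login_page_hardened($options, $host, $uri)) !== null) {
            echo "  log: $note\n";
        }
    }
    echo "$variant: siteurl is now {$options['siteurl']}\n";
}
```

The point of the hardened form is that a stored setting is never rewritten from request data on a page anyone can reach; changes to it belong behind the admin login.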
