Wordpress security vulnerability and mitigating strategies.

Apr 24, 2008

For the past couple of weeks the information security community has been noticing someone exploiting a new vulnerability in the Wordpress blogging software that lets the attacker inject arbitrary HTML code into the content from outside. So far, what has been seen is an
..
HTML entity containing multiple hyperlinks to other sites, presumably for the purpose of artificially bumping up someone's search engine rankings. Both the height and width of the injected HTML code are usually set to zero pixels each, but I've seen a couple of instances of one-by-one
..
entities as well. It stands to reason that pretty much any single-digit sizes could be used because they'd be too small to be seen by the average human reader, but they're perfectly detectable by web spiders indexing the afflicted sites.

I feel that I should point out that whomever is doing this is just injecting links into other people's blogs, at least right now. They could just as easily be injecting malicious Javascript, object references to malicious Flash animations that can compromise the user's system, or possibly variants of the IFRAME exploit that are spreading like wildfire across the web.

Peter Hosey has noticed that Wordpress' xmlrpc.php file, which is used by personal blogging clients (as opposed to using your web browser to log into the back-end) is implicated in these shenanigans. I'm not a Wordpress user, but renaming that file to something else (like squid-bacon-and-tomato.php) might slow the attackers down, depending on your sense of humor.

After hearing word of this exploit in the wild, the Prometheus Group developed a mod_security rule that filters out the injected HTML. You can download the virtual patch here and load it into your server's mod_security configuration. As more information is uncovered, the rule will probably be updated or others will be released to the public.

(obDisclaimer: I work for the Prometheus Group. I'm trying to be a good Samaritan by spreading this around.)