bamed.org | chown -R bamed. ~/base

Keep your blogs updated!

This past week was a particularly nasty week for WordPress users who do not keep their software up-to-date.  If your WordPress installation is older than 2.8.4 and you haven’t been hit by the worm circling the globe, please update ASAP!  You can get the latest version at http://wordpress.org/download/.  This worm used a known and patched SQL injection vulnerability to register a new user as admin, and then post spam to the blog.  A SQL injection vulnerability occurs when a web page does not correctly scrub input from a user and so allows an attacker to execute their own SQL statement.

For those who have no idea what any of that means, I’ll try to break it down more.  Whenever you visit a website and there’s a box that you type in and then click a button, what you enter into that box is user input.  This could be the search box on Google, or the Username box when you log in to your email.  Either way, the code on the backend takes what you enter and does something with it.  Without any extra work by the developer of the web page you’re visiting, that box will accept any character you enter and basically put it into that page’s code as if it were always there, typed in originally by the page designer.  So, let’s say we have a textbox called username, and some code that accepts the username and then logs you in.  The login page has a variable called $Username that whatever you type into the username textbox gets put into.  So if your username is bamed, the code will look like:

Select * from users where username='bamed';

Notice, the word bamed is inside single quotes (').  Here’s where a simple SQL injection might work.  Instead of typing bamed into the username box, I type bamed';Insert into users (username,password,admin) values('pwned','secret','True.  Now the code sees:

Select * from users where username='bamed';Insert into users (username,password,admin) values('pwned','secret','True';

So the page will actually execute what I typed into the login box, even if my login credentials aren’t correct, because it sees the single quote (') that I typed in as the end of the first statement and runs the second statement as if it were something put in there when the page was first created.  BTW, this is just a proof of concept example and won’t actually work!  If you don’t understand SQL, which is the scripting language of databases, what I did was tell the database to add a new record in the users table for a user named pwned with password secret who was an administrator.

Anyway, more details on the WordPress attacks can be found at http://www.guardian.co.uk/technology/blog/2009/sep/05/wordpress-hacked-blogs-threat
