Sunday, July 18, 2010

Design Flaw that hurts WordPress bloggers

As most of you may be aware, a couple of days ago a high number of WordPress bloggers' accounts were attacked due to a design flaw in the WordPress blogging platform. The main cause is that, by default, WP allows users to set up permissions that let anyone read their blog's wp-config.php configuration file. Another reason is that WordPress stores the bloggers' credentials in plain text.
The attack works by the attacker injecting malicious iframes into the blogs, so that readers who visit the blog automatically get infected with malware whose code spreads fake antivirus software. WordPress says
"A few people got hacked last week and asked us to help," says David Dede, founder of Sucuri Security, which also uses WordPress for its own blog. "We fixed them and in one site, just after we fixed it, it got hacked again. Looking at the logs, we didn't see any access in there at all, so the attack didn't come from the Web."
This apparent security oversight allowed an ill-intentioned individual with a hosting account on the same Network Solutions server to launch attacks against his "neighbors" using automated scripts. First, he most likely identified WP blogs with a readable wp-config.php, then he harvested database login details from these files, and finally he used the credentials to inject malformed information into the "siteurl" database field.
To hide the content of the wp-config.php file from server neighbors, David (Sucuri Security) suggests that this file should have 750 permissions (I guess he meant 640 since the execution permission is not required). Unfortunately, this trick will only work on servers with suPHP. On other servers, where the web server executes PHP scripts with its own rights, this trick will completely break WordPress blogs. Every page will produce the “Failed opening required ‘wp-config.php’” error.
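The trade-off above can be checked before any chmod is run. The following audit is an added example, not code from the original post or from Sucuri; the names `can_read` and `audit` and the `php_uid`/`php_gids` parameters are hypothetical, and the caller is assumed to know which account PHP runs as (the site owner under suPHP, the web server user otherwise).

```python
import os
import stat
import sys
from pathlib import Path

TIGHT_MODE = 0o640  # owner read/write, group read, no access for others


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """POSIX read check: the first matching class (owner, group, other) decides."""
    if uid == 0:
        return True  # root bypasses file permission bits
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit(root, php_uid, php_gids):
    """Report every wp-config.php under root.

    php_uid / php_gids describe the account PHP runs as (an assumption the
    caller supplies: the site owner under suPHP, the web server user otherwise).
    """
    findings = []
    for path in sorted(Path(root).rglob("wp-config.php")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and directories
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "path": str(path),
            "mode": oct(mode),
            # readable by every other account on the shared server
            "world_readable": bool(mode & stat.S_IROTH),
            # would PHP still be able to load the file after chmod 640?
            "php_reads_at_640": can_read(TIGHT_MODE, st.st_uid, st.st_gid,
                                         php_uid, php_gids),
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_wpconfig.py /path/to/webroot [php_uid] [php_gid]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.getuid()
    gid = int(sys.argv[3]) if len(sys.argv) > 3 else os.getgid()
    for finding in audit(root, uid, [gid]):
        print(finding)
```

A file reported with `world_readable` true and `php_reads_at_640` false is the case the paragraph warns about: it is exposed to neighbors, yet tightening it to 640 would produce the "Failed opening required" error unless the file's group is changed to one the PHP process belongs to.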
This means that WordPress blogs on most shared servers are vulnerable to this sort of attack. It merely takes hacking one account (most shared servers have multiple hacked accounts), or even creating a regular account specifically for hacking purposes, to steal the MySQL database credentials of neighbors with WordPress blogs. Any other database-driven web scripts that store database credentials in plain text are also vulnerable.
Some of the hacked sites contain hundreds of spammy links that are only visible if you browse with JavaScript disabled. For some reason, every link is enclosed in <noindex> tags and uses rel="nofollow" in the <a> tag's attributes. So what's the use if it is neither for normal web surfers nor for search engines?
The links are followed by the networkads hidden iframes.

I also found a dozen infected WordPress blogs that try to pull hidden spammy links from hxxp://alkoltashov .narod .ru/ sites.txt. The links are supposed to be displayed in a <div> located way outside of the visible area, but because the configuration of Network Solutions servers disables URL file-access, those link injections fail with the following error.
Dede and other experts say the attacks suffered by WordPress could happen to most any popular blogging platform: "It's a hard problem to fix. They need the credentials stored somewhere, and the Web server needs to be able to read it," Dede says. Joomla, Mediawiki, and other blogging platforms that are set up the same way are also vulnerable to this type of attack when the permissions in the configuration files are set up incorrectly, he says.
What about the encryption option?
Encrypting the credentials isn't an option because the keys have to be stored where the Web server can read them in order to decrypt the data, he says.
Looks like it is important to store the decryption key in another file somewhere on the file system. If a malicious user has access to the file system -- like they appeared to have in this case -- it is trivial to obtain the keys and decrypt the information.
Source: Unmask parasite blogs, Dark Reading