Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

WordPress 1.5.2 Security FUD

There is some misleading FUD going around about a vulnerability in WordPress 1.5.2.

Let’s get this out of the way plainly: There is not a code execution vulnerability in WordPress 1.5.2.

Now, a little more explanation of how this came into question: There was some communication between the person who discovered the problem (Stefan Esser, to the best of my knowledge) and Matt. Matt formulated a fix, which was checked into the repository and which went through a couple of iterations. At some point, Matt posted a new downloadable archive on wordpress.org. But then he realized that the bugfix wasn’t complete. He updated the code again, and posted a new archive for download. At this point, Matt posted the official announcement of the availability of WordPress 1.5.2.

Unfortunately, the security researcher downloaded the faulty 1.5.2 archive (before it was announced, remember), and concluded that the new release was still vulnerable. But again, this is not the case. If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.

The only problem here was one of communication. In the interest of fairness, Stefan acknowledged the update (though in a confrontational manner).

UPDATE: As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Blogs, Community, Security, Software, WordPress.

28 Responses to WordPress 1.5.2 Security FUD

  1. Pingback: Planeta WordPress

  2. Pingback: ryan kennedy’s blog

  3. Pingback: The RSS Blog

  4. Pingback: SitePoint Blogs

  5. Pingback: alexking.org: Blog

  6. Matt says:

    Everyone makes mistakes in code. Our original code was from the PHP manual, which apparently doesn’t work as intended. Stefan sent me two emails with code he said had a “serious bug” before a third one which was correct. We’re all human.

  7. As I was reading this post, the name “Stefan Esser” sounded really familiar. Then I remembered where. He’s the guy who publicly announced some security vulnerabilities in gaim’s yahoo code before we were able to create a version of the yahoo plugin that both worked and fixed the problem. This forced us to post http://gaim.sourceforge.net/index.php?start=34&limit=1 while we struggled to figure out what part of the yahoo protocol changes (partly fixed in 0.75) we were doing wrong.

  8. Dougal says:

    Disclosure terms are a constant bone of contention in the security community. Personally, I feel that “security experts” should make every effort to contact developers and give them adequate time (in Real World terms, accounting for weekends, timezones, sleep schedules, etc) to make fixes and announcements before disclosure.

    And I’m sure that we WordPress devs could do better about how we address our community regarding security related information, as well.

  9. Shanti says:

    But then all the ereet security d00ds wouldn’t get credit for discovering such hard-to-find vulnerabilities. (* Removes tongue from cheek)

  10. Mike Little says:

    “If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.”

    There seems to be real evidence http://blog.php-security.org/index.php?url=archives/8-WordPress-irresponsible-silent-tarball-update.html&serendipitycsuccess=true#c41 that more than four hours elapsed between the devblog announcement and the updated tarball.

    Whilst Stefan’s methods and choice of language leave a lot to be desired, he seems to have a very valid point.

  11. Stefan says:

    I think over there in my blog I have pretty much proved that I am right.

    And the Gaim thing… Yeah Luke, you should tell the whole story, that you guys were insane enough to commit the security fixes and then, after 10 days of script kiddies knowing about the vulnerabilities from explicit commit messages in your CVS, I went public with this and warned the users.

    Irresponsible people seem to have irresponsible friends.

    And btw Dougal: You are obviously getting the whole story wrong:

    I contacted Matt about these vulnerabilities AFTER 1.5.2 was released for 2 hours at least. I then learned that nothing was fixed. 7 hours later he had fixed it from my mail. It was not Matt who formulated a fix. 2+7 means the vulnerable version was online for 9 hours.

    The timestamp of the WordPress 1.5.2 release clearly says that it was posted nearly 5 hours before the replacement tarball was created. With all the timestamps as evidence it is quite hard for you to twist the facts again. Or are you experts in travelling back in time?

  12. Marc says:

    Stefan’s language is a bit inflammatory, but I think that he has a valid point. It’s not good development practice to silently rev something that is public without changing the version number. That’s what the version number is for – to communicate changes so that people don’t have to peek inside archives and do MD5’s and such.

    In the company where I work, we have tools for uploading packages to a central repository and those tools now disallow uploading a package and overwriting an already-existing version. This is because there were too many complaints from people about the chaos that this practice caused.

    Occam’s Razor would suggest to me that this was probably more likely the result of laziness than some kind of marketing conspiracy.

    I would humbly suggest that the WordPress developers refrain from this practice for future issues. There is no shortage of version numbers and although it’s a little bit of hassle to bump a version number for a minor change, I think that it’s the necessary thing to do when so many people depend on this software.

    By the way, I say this as someone who got his blog hacked because he was slow to apply one of the 1.5 dot release security upgrades.

  13. Pingback: Marc Abramowitz » Blog Archive » My opinion of the WordPress 1.5.2 debacle

  14. Pingback: no wow

  15. Dougal says:

    I stand corrected. I didn’t double-check the timestamps, and I juggled things around somewhere. I definitely wasn’t trying to mislead anyone about the facts, so I don’t appreciate Stefan implying that I deliberately lied.

    And as I’ve already said, I think that we could definitely improve how we handle security announcements and updates.

    But I still don’t think that Stefan handled things very well, either. We definitely appreciate reports of bugs, especially ones which are security-related. But I don’t think it’s unreasonable to expect a certain level of professionalism from those who report them.

    A lot of this is beside the point. The main thing I wanted to point out is that the current version available for download at this time does not have the vulnerability. It’s unfortunate that a faulty version was up for any amount of time and that the corrected package didn’t get a new version number. This isn’t the first time that’s happened, but I hope it will be the last.

  16. Pingback: WordPress 1.5.2 [rebelpixel productions]

  17. markku says:

    Dougal, releasing the updated package as version 1.5.2.1 or whatever unique version number would’ve been more advisable. It removes any confusion concerning the quality (with respect to the reported vulnerability) of the code that is within the hands of the users. I had 1.5.2, but I didn’t know I was still vulnerable.

  18. Stefan (not Esser) says:

    I don’t like the idea that the ends justify the means. I see a lot of people saying that they don’t agree with the way Stefan behaves but appreciate his work. While I can agree that he often makes a positive impact, I don’t think it’s unreasonable to expect more mature behavior. The point is, Stefan could make a really positive impact, but the harm he does often matches the good he does. With a bit more professionalism, he could do really great things for us all. I do appreciate his work, but I can’t help but be very disappointed with his behavior. And I’m not just talking about the way he talks, but also his actions.

    I won’t point to specific instances, but he has a habit of public disclosure before a vulnerability has been fixed. There have even been cases where he has done this before notifying the developers. In cases where he does contact the developers first (like this one), he likes to publicize an exploit in the wild (if there is one) or “warn” users of the vulnerability, claiming that nothing short of irresponsibility could be the reason that no fix is available yet. This does not help.

    So, while I find fault in the way WordPress handled this particular event, I can’t excuse Stefan’s irresponsible and immature behavior. I say foul.

  19. Stefan says:

    LOL @ Stefan (not Esser)

    I wish people like you would not make things up to get arguments. Show me an instance, where I have disclosed stuff before the developer was contacted.

  20. POS Software says:

    Well, I fully agree with your comment. :-)

    BTW: I visited your blog earlier today and I just wanted to congratulate you on a well presented, and informative resource.

    It’s not often that I come across a web site that offers a wealth of quality. ;-)

    Martin (aka POS Software Man)

  21. Pingback: The Ten Thousand Year Blog » Blog Archive » Newer version of WordPress (1.5.2) available for download

  22. Robert says:

    How do I know if my WP 1.5.2 is ok or not?

  23. Pingback: Basic Thinking Blog » WordPress: Really bad release management

  24. Pingback: WordPress Station » Blog Archive » WordPress 1.5.2 Security FUD

  25. logtar says:

    Upgrading is SIMPLE, got it done, been so lazy lately.

  26. Pingback: WordPress Security Annoyances | no wow

  27. Ryan says:

    I think that your information can interest each developer. The main character is still Stefan. As for me, I appreciate his work.

  28. Catalin says:

    Upgrading is the best solution. After that, it is important to remove the WordPress version from the WordPress source.
