WordPress 1.5.2 Security FUD


There is some misleading FUD going around about a vulnerability in WordPress 1.5.2.

Let’s get this out of the way plainly: There is not a code execution vulnerability in WordPress 1.5.2.

Now, a little more explanation of how this came into question: There was some communication between the person who discovered the problem (Stefan Esser, to the best of my knowledge) and Matt. Matt formulated a fix, which was checked into the repository and which went through a couple of iterations. At some point, Matt posted a new downloadable archive on wordpress.org. But then he realized that the bugfix wasn’t complete. He updated the code again, and posted a new archive for download. At this point, Matt posted the official announcement of the availability of WordPress 1.5.2.

Unfortunately, the security researcher downloaded the faulty 1.5.2 archive (before it was announced, remember), and concluded that the new release was still vulnerable. But again, this is not the case. If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.

The only problem here was one of communication. In the interest of fairness, Stefan acknowledged the update (though in a confrontational manner).

UPDATE: As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.



26 Comments

  1. Matt says:

    Everyone makes mistakes in code. Our original code was from the PHP manual, which apparently doesn’t work as intended. Stefan sent me two emails with code he said had a “serious bug” before a third one which was correct. We’re all human.

  2. As I was reading this post, the name “Stefan Esser” sounded really familiar. Then I remembered where. He’s the guy who publicly announced some security vulnerabilities in gaim’s yahoo code before we were able to create a version of the yahoo plugin that both worked and fixed the problem. This forced us to post http://gaim.sourceforge.net/index.php?start=34&limit=1 while we struggled to figure out what part of the yahoo protocol changes (partly fixed in 0.75) we were doing wrong.

  3. Dougal says:

    Disclosure terms are a constant bone of contention in the security community. Personally, I feel that “security experts” should make every effort to contact developers and give them adequate time (in Real World terms, accounting for weekends, timezones, sleep schedules, etc) to make fixes and announcements before disclosure.

    And I’m sure that we WordPress devs could do better about how we address our community regarding security related information, as well.

  4. Shanti says:

    But then all the ereet security d00ds wouldn’t get credit for discovering such hard-to-find vulnerabilities. (* Removes tongue from cheek)

  5. Mike Little says:

    “If you downloaded the new version anytime after the official announcement was posted, then your version is safe from this problem.”

    There seems to be real evidence http://blog.php-security.org/index.php?url=archives/8-WordPress-irresponsible-silent-tarball-update.html&serendipitycsuccess=true#c41 that more than four hours elapsed between the devblog announcement and the updated tarball.

    Whilst Stefan’s methods and choice of language leave a lot to be desired, he seems to have a very valid point.

  6. Stefan says:

    I think over there in my blog I have pretty much proved that I am right.

    And the Gaim thing… Yeah Luke, you should tell the whole story, that you guys were insane enough to commit the security fixes and then after 10 days of skript kiddies knowing about the vulnerabilities from explicit commit messages in your CVS I went public with this and warned the users.

    Irresponsible people seem to have irresponsible friends.

    And btw Dougal: You are obviously getting the whole story wrong:

    I contacted Matt about these vulnerabilities AFTER 1.5.2 was released for 2 hours at least. I then learned that nothing was fixed. 7 hours later he had fixed it from my mail. It was not Matt who formulated a fix. 2+7 means the vulnerable version was online for 9 hours.

    The timestamp of the WordPress 1.5.2 release clearly says that it was posted nearly 5 hours before the replacement tarball was created. With all the timestamps as evidence it is quite hard for you to twist the facts again. Or are you experts in travelling back in time?

  7. Marc says:

    Stefan’s language is a bit inflammatory, but I think that he has a valid point. It’s not good development practice to silently rev something that is public without changing the version number. That’s what the version number is for - to communicate changes so that people don’t have to peek inside archives and do MD5s and such.

    In the company where I work, we have tools for uploading packages to a central repository and those tools now disallow uploading a package and overwriting an already-existing version. This is because there were too many complaints from people about the chaos that this practice caused.

    Occam’s Razor would suggest to me that this was probably more likely the result of laziness than some kind of marketing conspiracy.

    I would humbly suggest that the WordPress developers refrain from this practice for future issues. There is no shortage of version numbers and although it’s a little bit of hassle to bump a version number for a minor change, I think that it’s the necessary thing to do when so many people depend on this software.

    By the way, I say this as someone who got his blog hacked because he was slow to apply one of the 1.5 dot release security upgrades.

  8. no wow says:

    WordPress Security Annoyances

    As if the unprofessional handling of WordPress security announcements (see Another WordPress Security Update and More on Security Announcements) wouldn’t be bad enough, the WordPress developers also seem to have problems with organizing releases…

  9. The RSS Blog says:

    http://marc.abramowitz.info/archives/2005/08/17/my-opinion-of-the-wordpress-152-debacle/ Randy: If I were a Wordpress user, then I’d upgrade to something else. The latest stream of problems makes Windows Update look like cake. More… Dougal Campbell: WordPress 1.5.2 Security FUD PHP Security Blog: Irresponsible silent tarball update

  10. ve taken any time to engineer a quality piece of software. Don’t get me wrong, I’ve enjoyed using WordPress and I think it’s a great program. Shame it seems to be a bit of a mess behind the scenes. Update: If this is true then I’ll be a bit happier about what happened with regard to 1.5.2’s versioning. I’m still wary of all the security updating going on, though. There just seems to be way too much of that lately.

  11. Dougal says:

    I stand corrected. I didn’t double-check the timestamps, and I juggled things around somewhere. I definitely wasn’t trying to mislead anyone about the facts, so I don’t appreciate Stefan implying that I deliberately lied.

    And as I’ve already said, I think that we could definitely improve how we handle security announcements and updates.

    But I still don’t think that Stefan handled things very well, either. We definitely appreciate reports of bugs, especially ones which are security-related. But I don’t think it’s unreasonable to expect a certain level of professionalism from those who report them.

    A lot of this is beside the point. The main thing I wanted to point out is that the current version available for download at this time does not have the vulnerability. It’s unfortunate that a faulty version was up for any amount of time and that the corrected package didn’t get a new version number. This isn’t the first time that’s happened, but I hope it will be the last.

  12. [...] The current defense the developers are presenting is that the package was revised before any announcement of its availability was made. That’s a straight lie. I have nothing against WP and I’ve been part of this wonderful community for a long time now, but let’s keep the facts straight. I saw the announcement on the WP dev blog very late at night here in Manila, and I downloaded my copy the following morning, around 10AM. The gzipped file that I have does not contain the current fixes to wp-settings.php, and I compared it with another copy I just downloaded. I patched all my sites with the first, incorrect package. [...]

  13. markku says:

    Dougal, releasing the updated package as version 1.5.2.1 or whatever unique version number would’ve been more advisable. It removes any confusion concerning the quality (with respect to the reported vulnerability) of the code that is within the hands of the users. I had 1.5.2, but I didn’t know I was still vulnerable.

  14. Stefan (not Esser) says:

    I don’t like the idea that the ends justify the means. I see a lot of people saying that they don’t agree with the way Stefan behaves but appreciate his work. While I can agree that he often makes a positive impact, I don’t think it’s unreasonable to expect more mature behavior. The point is, Stefan could make a really positive impact, but the harm he does often matches the good he does. With a bit more professionalism, he could do really great things for us all. I do appreciate his work, but I can’t help but be very disappointed with his behavior. And I’m not just talking about the way he talks, but also his actions.

    I won’t point to specific instances, but he has a habit of public disclosure before a vulnerability has been fixed. There have even been cases where he has done this before notifying the developers. In cases where he does contact the developers first (like this one), he likes to publicize an exploit in the wild (if there is one) or “warn” users of the vulnerability, claiming that nothing short of irresponsibility could be the reason that no fix is available yet. This does not help.

    So, while I find fault in the way WordPress handled this particular event, I can’t excuse Stefan’s irresponsible and immature behavior. I say foul.

  15. Stefan says:

    LOL @ Stefan (not Esser)

    I wish people like you would not make things up to get arguments. Show me an instance where I have disclosed stuff before the developer was contacted.

  16. where he comments that the WordPress team uploaded an uncorrected version of WordPress 1.5.2 and that, after they noticed the error, they uploaded the version that fixed the serious security problems in earlier versions. After this, Dougal Campbell denies those accusations, flatly denying that serious security problems have been discovered in WordPress 1.5.2 and describing the accusations as a campaign of fear, uncertainty and doubt against WordPress. According to Dougal, the situation was as follows:

  17. POS Software says:

    Well, I fully agree with your comment. :-)

    BTW: I visited your blog earlier today and I just wanted to congratulate you on a well presented, and informative resource.

    It’s not often that I come across a web site that offers a wealth of quality. ;-)

    Martin (aka POS Software Man)

  18. [...] Due to a security issue uncovered after the initial announcement of version 1.5.2 of WordPress, anyone who downloaded it late Sunday night (August 14, 02005) should check that they have the latest version of wp-settings.php, according to the WordPress Development Blog, and this interesting post and comments in Doug Campbell’s Geek Ramblings blog. [...]

  19. A similar rant about WordPress security by Martin Geisler can be found on his blog. His advice: “Remember to upgrade any installation you might have”. Dougal Campbell, a developer for WordPress, responds to what he sees as a campaign of fear, uncertainty and doubt against the 1.5.2 release. Dougal admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include, but that the situation was rectified before the initial announcement of the

  20. Robert says:

    How do I know if my WP 1.5.2 is ok or not?

  21. [...] dear guys from WordPress, don’t mess with good versioning and information policy. Regarding the security story with WP 1.5.2, your reaction, still missing an official statement, I am somehow disappointed that your information policy is that bad. Is it that hard to report all relevant news onto wordpress.org? [...]

  22. [...] Dougal Campbell writes at his geek ramblings about the confusion and clarifications regarding the most recent security update, 1.5.2. [...]

  23. logtar says:

    Upgrading is SIMPLE, got it done, been so lazy lately.

  24. m putting in the basement is a little darker than what we have upstairs. Solar-Powered Toyota RSS Version 3 Specs Up for Review GUIdebook > Articles > Interview with John Gruber Movie theater owners fire back at studios - Yahoo! News geek ramblings - WordPress 1.5.2 Security FUD - I’m afraid Dougal is on the wrong side of this one, Version Numbers are Cheap Asterisk: The Greasemonkey of Telephony Talk About Service - my pleasure Steve. Ambrosia Software, Inc. — utilities/easy envelopes

  25. [...] comments from the WordPress crowd are a bit weak in my opinion. If there’s FUD about WordPress’ [...]