Stop SOPA, Stop PIPA, Stop Censorship
Update: Now that SOPA has been put on the back burner, the next thing to protest is the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty which could have massive repercussions on the freedom of the internet.
Update 2 (5 July 2012): ACTA rejected by EU :)
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
[vimeo http://vimeo.com/31100268 w=600]
This is my favorite anti-SOPA song so far:
WordPress.com Hacked and Rooted (but not exposed?)
WordPress.com (the blog hosting platform) was compromised by hackers using an undisclosed vulnerability. My guess is the attackers found an unpatched server somewhere, and used that to get into the environment. Information from Automattic is limited, but they’re assuming that source code and other information was probably stolen. Nobody has come forth to claim the hack, or post WordPress’ source code and account information online, Gawker-style.
If you have a blog on WordPress.com, I recommend changing your password there (and on any other site where you may have used the same password). If you host your own WordPress blog, there isn’t cause for concern just yet as there are many ways that the hackers could have gotten root access, so the vulnerability used may not be within the WordPress software itself.
I’ll update this post should any more information come to light.
WordPress 3.1.1 Patches Minor XSS Flaws
WordPress have released a minor 3.1.1 update which patches an XSS flaw on the database upgrade screens. The change log also mentions a strengthening of security mechanisms relating to media uploads, and fixes to potential PHP crashes caused by complex hyperlinks. The update also includes a number of other security and bug fixes.
It’s a fairly minor update that shouldn’t break any plugins. Update when ready.
WordPress 3.1 Released
WordPress “Reinhardt” 3.1 has been released, with the bulk of changes focused on the admin interface and functionality. Key improvements include:
- A redesigned linking workflow
- A funky new admin bar (hopefully it’ll be possible to customize this one)
- A streamlined writing interface
I particularly like the new linking functionality, which simplifies linking to internal posts and pages on your site (screenshot below). No more having to find that page, and copy/paste the URL!
I was a bit apprehensive about updating, as it’s quite easy for plugins to break, and there’s no easy way to see the compatibility status of your plugins. If anyone feels up to it, I’d like to see a plugin that allows you to quickly check the compatibility status of all your installed plugins with regard to the next available version. That said, I updated, and it went flawlessly.
Other than that, this update does not have a significant impact in terms of security apart from the usual bug fixes.
WordPress 3.0.5 Update Fixes Security Issues
WordPress 3.0.5 has been released, and is primarily a security update focusing on vulnerabilities which can be exploited through untrusted user accounts. This follows the recent 3.0.3 and 3.0.4 updates which were also security-focused. If your WordPress installation does not have any non-admin users, then this update is less urgent, however it is recommended that you update as soon as possible anyway.
Here is a description of the five main updates:
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.
WordPress 3.1 is currently at RC4 and is expected to be officially released soon.
WordPress 3.0.4 Patches XSS Flaws in HTML Sanitation Library
WordPress have released an update (3.0.4), dubbed “the most important security release of the year”, that patches a core security bug in the HTML sanitation library (KSES). KSES is responsible for filtering user input and, as such, is used to protect WordPress sites from attacks such as Cross-Site Scripting (XSS). XSS vulnerabilities were discovered, however the details of these are not available (see below).
They rate this release “critical”, and so it’s recommended that all WordPress sites update as soon as possible. The full changeset for the 3.0.4 update is here. Security researchers are invited to review these changes to ensure the vulnerabilities have been fully fixed. Spread the news if you have any friends with a WordPress blog!
[Updated] One stored XSS exploit for 3.0.3 is available here.
WordPress 3.0.3 Fixes Authorization Issues
Hot on the heels of the previous update that patched an authenticated SQL injection vulnerability, WordPress have released version 3.0.3 which fixes authorization issues in the remote publishing interface. The vulnerability may allow Author and Contributor-level users to improperly edit, publish, or delete posts. WordPress state:
These issues only affect sites that have remote publishing enabled.
I would also add that these issues only affect sites that actually have Author and Contributor-level users. If you’re the only user of your blog, you don’t need to be worried (but update anyway).
Remote publishing is enabled and disabled in Settings > Writing > Remote Publishing.
WordPress <= 3.0.1 Authenticated SQL Injection 0day [Patched]
WordPress 2.x – 3.0.1 is vulnerable to an authenticated SQL injection 0day. A lack of proper input validation in the do_trackbacks() function of wp-includes/comment.php allows any logged-in user with publish_posts and edit_published_posts privileges (Author group) to execute arbitrary SELECT SQL queries on the database.
This vulnerability can be exploited by entering a specially-crafted string into the Send Trackbacks field when editing a post. The effect of exploitation is that the user may be able to extract arbitrary information, such as usernames and password hashes, from the database.
What this means to WordPress users:
- If you are the only user (post author) on your blog, then you don’t have to worry.
- If you have other users Author privileges, then they could use this to extract information from your database (including your password hash).
- You can temporarily mitigate this by revoking Author privileges from any users you don’t fully trust.
- All WordPress users are encouraged to update to version 3.0.2 which patches this vulnerability.
See this post for full details.