On Blogging Australia


WordPress 2.3 is falling to bits

By AndrewBoyd • Jun 4th, 2008 • Category: Blogging tips, Recent posts

I’ve written a fair bit lately about WordPress 2.5. Whatever the issues are, I think it is fair to say that some people just don’t like it.

A lot of these same people are staying with WordPress 2.3.3 while they wait for version 2.6 to come out.

There is a cost to staying with WordPress 2.3.3 or some earlier version. Apart from GUI differences and potential plugin compatibility issues, there is the big one: security.

Michel from Optimiced touched on this issue a short while ago:

OK, I must take my words back and confirm that WordPress 2.3.3, the last stable release before the new WordPress 2.5 branch was released, is not safe anymore, and you can become a victim of the link injection hack (vulnerability).

What happened?

In one of the blogs which I support (luckily, not my personal blog, which I upgraded to 2.5/2.5.1 long ago), I have found ‘hidden’ links (code: <u style="display: none">[ bunch of spam links inserted here ]</u>) in one of the regular posts there.

Interesting, to say the least. There isn’t a lot of information around on this particular vulnerability yet - it seems relatively new.

Smackdown has more detail:

Whereas the WP exploit that Shoemoney and others reported on allowed an attacker to bypass the nofollow routine, and inject search engine friendly spammy links into your comments that were hidden via a <noscript> tag, this one actually creates an entirely new directory, /wp-content/1/, and loads it full of spammy html files containing Javascript redirects in them. You can see the number of affected blogs that Google has already indexed via this query: inurl:wp-content/1/ (cached version).

creative briefing has a very thorough post on a related vulnerability that uses a hidden iframe (it may be a different ‘exploit’, or a different means of exploiting the exact same vulnerability) - if you are at all concerned, I suggest you read it.
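If you are running 2.3.3 and want to check whether you have already been hit, the two patterns quoted above (links hidden with CSS or inside noscript, hidden iframes, and an unexpected directory under wp-content) can be searched for. The script below is an added example for this post, not WordPress code and not code from Optimiced, Smackdown or creative briefing; the hidden-element heuristics, the constructed sample post and the list of "expected" wp-content entries are my own assumptions and should be adjusted to your install.

```python
"""Flag link-injection patterns in a WordPress post body and odd wp-content entries.

Added example for this article (not WordPress or any quoted blog's code).
Heuristics, all assumptions of this example:
  * a link inside an element hidden with CSS (display:none / visibility:hidden),
    e.g. the <u style="display: none"> wrapper Michel found;
  * a link inside <noscript>, the older comment-spam pattern Smackdown mentions;
  * an <iframe> that is hidden or has zero / one-pixel dimensions.
Feed it post_content rows from wp_posts; here it only runs on a constructed sample.
"""
from html.parser import HTMLParser
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str      # "hidden_link", "noscript_link" or "hidden_iframe"
    target: str    # href of the link or src of the iframe
    context: str   # the wrapper that caused the flag


def _is_hidden(tag: str, attrs: dict) -> bool:
    """True if the element is invisible to a human reader but not to a crawler."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if tag == "iframe":
        tiny = {"0", "0px", "1", "1px"}
        return attrs.get("width", "").lower() in tiny or attrs.get("height", "").lower() in tiny
    return False


class InjectionScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._stack = []  # open elements as (tag, is_hidden, is_noscript)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        hidden = _is_hidden(tag, attrs)
        if tag == "iframe" and hidden:
            self.findings.append(Finding("hidden_iframe", attrs.get("src", ""), "<iframe>"))
        if tag == "a" and "href" in attrs:
            hidden_wrappers = [t for t, h, _ in self._stack if h]
            in_noscript = any(n for _, _, n in self._stack)
            if hidden_wrappers:
                self.findings.append(Finding("hidden_link", attrs["href"], "<%s>" % hidden_wrappers[-1]))
            elif in_noscript:
                self.findings.append(Finding("noscript_link", attrs["href"], "<noscript>"))
        self._stack.append((tag, hidden, tag == "noscript"))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> and friends.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan_post_html(html: str) -> List[Finding]:
    """Return every hidden link / noscript link / hidden iframe in one post body."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Assumed stock layout of wp-content; add your caching plugin's folders as needed.
EXPECTED_WP_CONTENT = {"index.php", "plugins", "themes", "uploads", "upgrade", "languages", "mu-plugins"}


def unexpected_wp_content_entries(entries) -> List[str]:
    """Top-level wp-content entries that a stock install would not have (e.g. '1')."""
    return sorted(set(entries) - EXPECTED_WP_CONTENT)


# Constructed sample post: one legitimate link plus the three injection patterns.
SAMPLE_POST = """
<p>Today I want to talk about faceted classification.</p>
<p>See <a href="https://example.org/taxonomy">this article</a> for background.</p>
<u style="display: none"><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/casino">casino</a></u>
<noscript><a href="http://spam.example/loans">loans</a></noscript>
<iframe src="http://spam.example/redirect.html" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for f in scan_post_html(SAMPLE_POST):
        print(f"{f.kind:14} {f.target}  (inside {f.context})")
    # Constructed directory listing standing in for os.listdir("wp-content")
    print("unexpected wp-content entries:",
          unexpected_wp_content_entries(["index.php", "plugins", "themes", "uploads", "1"]))
```

A hit from either check is a reason to take the steps Michel describes in the comments below: upgrade, clean the affected posts and have every author change their password, because the injected post was edited through a legitimate account rather than through the theme.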

AndrewBoyd is a consultant by day and blogger by night. He loves good food, good wine, and discussing faceted classification schemes with friends.

9 Responses

  1. So now what oh guru of all things I don’t understand???

    Are you going to upgrade?

    How do I find out if there’s a security issue within our own blogs (or maybe I’ll leave that to my other gurus of all things I don’t understand - Snos & partner?).

  2. Oh favourite guest-poster :)

    Thank you for your comment. I have upgraded this blog to WP2.5 to avoid this sort of issue, and am looking at Injader as a long-term replacement solution.

    Snoskred and Admin are more than capable of advising you on how this relates to your blogs specifically - they are very cluey :)

    Best regards, Andrew

  3. WP 2.3.3 was nice, as administration (much simpler and better look, IMHO), but if there are security issues starting to pop up with it, too (a few weeks ago, WP 2.3.3 and 2.5 were both considered quite safe), then only way is to go the 2.5.x way… I can live with the imperfect WRITE section, as long as my blog is safe from attacks!

    As for:

    Interesting, to say the least. There isn’t a lot of information around on this particular vulnerability yet - it seems relatively new.

    …I am not sure it is so new. Vulnerabilities have been known for the 2.3.x series for a long time; I just didn’t hear about a security problem with 2.3.3 till yesterday, but I guess this version is compromised too, now… (as I can witness a 2.3.3 hacked blog).

    The interesting part is that the links were inserted using a simple U (underline) HTML tag and made invisible using CSS, and not via some JavaScript calls, or an iframe, or something else. The second interesting thing is that the spam links were published as part of a regular blog post, so it wasn’t a hacked theme… looks like someone was able to edit the post directly.

    I am not sure how the attacker made his mischief; I just made a quick upgrade, cleaned up the ‘infected’ posts, and asked all users (authors) of the blog to change their passwords. Hope these measures will be enough to fix the problem…

    Btw, Andrew, the latest WP is 2.5.1, you should upgrade to it as quick as possible!:-)

    And finally, my name’s Michel ( and my blog is http://www.optimiced.com ) so I’d be happy if you make a quick edit in your text… Thanks! :)

    Cheers! :)))

  4. Hi Michel,

    thank you for your comment and thank you once again for the backlink.

    You now have a name AND a blog in the above :) I do need to upgrade to 2.5.1 - I’m still playing with Injader to see if it is an alternative I can cut over to for all of my blogs.

    This is an interesting vulnerability - the exploits for it seem to be coming from two different directions - one not using an iframe (that you record) and one that does (that is recorded by creative briefing).

    Best regards, Andrew

  5. Hi Andrew

    It’s an interesting problem. I did have a link to a Technorati story where they state they will stop indexing the older WordPress versions because of that problem of injected links. here: http://technorati.com/weblog/2008/04/424.html

    So there the problems actually start to develop beyond just having these links - it is also a question of whether or not Google reads them and takes action.

    cheers
    les

  6. Hi Les,

    thank you for your comment, and thanks for the link.

    I think that any over-linked blog will get googleslapped, i.e. lose all pagerank, which is a pity.

    Cheers, Andrew

  7. To be honest, the more I’ve been using WordPress, the more fed up with it I get. I am always hearing stories about WordPress blogs getting hacked, etc., and how important it is to keep upgrading to the latest version. This is why I’m starting to move more towards Blogger, because they deal with all that sort of stuff at their end.

  8. I am so confused. I have spent days going through the net looking at creating a blog, then finally I am halfway through signing up with WordPress and I come across this article. HELP!!! Bob, you mentioned you are moving more towards Blogger - what’s Blogger???

  9. Hi Tracy,

    WordPress 2.6 is somewhat less screwed up than 2.5 (and the failing 2.3) - and Blogger is a free/hosted service provided by Google at http://www.blogger.com

    Cheers, Andrew
