Backup of David's Livejournal

Adventure of the XSS wp_footer() PayPal exploit


How hard do I rock?  Let me give you an example.

Date:  The near future.

Scene: David's blog, a jewel of php code, with a few custom modifications to the WordPress framework.  Does anybody else have an <image> element in their <channel> in their feed-rss.php family?  Doubtful.  Oh, how about user friendly "there's more content this way" ellipses in their wp_trim_excerpt() function in their formatting.php?  Ha!  The world would be so much nicer if only they did.

But what's this?  There's danger brewing.

A vulnerability in the pingomatic server unleashes a feedback ping ripping a hole via XSS into every single wp_footer().  Everybody who posts, pings.  And everybody who pings gets spam added to their footer.  And everybody who pings suffers a debit from their PayPal account.

Never fear!  Matt Mullenweg's team of crack coders patches the hole the exploit used in the WordPress code.  But now WordPress users across the world must scramble to follow the tedious upgrade instructions, and then re-apply their custom changes.

Oh, the humanity!  Why isn't David panicking?  Why isn't he in despair?  Doesn't he realize the danger to his blog?!  Doesn't he realize the tedium that awaits him?

Let's zoom in and see what he's doing...

David grabs a few dark chocolate covered espresso beans and casually pops them into his mouth.  He logs in over ssh, changes to his blog's directory, and types,

svn sw http://svn.automattic.com/wordpress/tags/2.3.2/

and logs out.  He's done.  His blog is updated, protected, and his customizations are intact.  He turns up his MP3 player and goes outside to enjoy the sun.

(In other words: My blog is now a subversion sandbox.  Whee!)
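The one-line upgrade the story compresses into `svn sw`, written out with the checks a practitioner would want around it. This is an added example, not code from the post or from WordPress; it assumes the blog directory is an svn working copy of the Automattic repository the post names and that `svn` is on PATH. The function names and the patch file name are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): switch a WordPress working copy
# to a release tag, keeping local customisations, and verify the result.
# Assumes the working copy came from http://svn.automattic.com/wordpress
# (trunk or a tag) and that `svn` is installed.

WP_REPO="http://svn.automattic.com/wordpress"

# Build the tag URL for a release. Anything that is not a dotted version
# number is refused, so a stray argument cannot be turned into a URL.
tag_url() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    printf '%s/tags/%s/\n' "$WP_REPO" "$1"
}

# Read `svn status` output on stdin. First column: 'C' is a conflict (a
# local customisation collided with the upstream change), 'M' a kept local
# modification, '?' an unversioned file (uploads, or something an attacker
# dropped in). Prints a summary; returns 1 if any conflict exists.
check_status() {
    conflicts=0; modified=0; unknown=0
    while IFS= read -r line; do
        case "$line" in
            C*)  conflicts=$((conflicts + 1)) ;;
            M*)  modified=$((modified + 1)) ;;
            \?*) unknown=$((unknown + 1)) ;;
        esac
    done
    echo "conflicts=$conflicts modified=$modified unversioned=$unknown"
    [ "$conflicts" -eq 0 ]
}

# The full procedure: save the local diff outside the web root as a guard,
# switch to the tag (svn merges uncommitted local changes into the new
# tree, the same way `svn update` does), then refuse to call it done if
# anything conflicted.
upgrade_wordpress() {
    dir=$1; version=$2
    url=$(tag_url "$version") || { echo "bad version: $version" >&2; return 2; }
    cd "$dir" || return 2
    svn diff > "../customizations-$(date +%Y%m%d).patch" || return 1
    svn switch "$url" || return 1
    svn status | check_status
}

# usage: sh upgrade.sh /path/to/blog 2.3.2
if [ "$#" -eq 2 ]; then
    upgrade_wordpress "$1" "$2"
fi
```

A `C` line means the merge could not reconcile one of the customisations with the new release; that file must be resolved by hand before the web server serves it, because a half-merged PHP file with conflict markers is a parse error at best. Two caveats the story skips: the `.svn/` metadata of a working copy that doubles as the web root is reachable over HTTP unless the server blocks it, and a tag switch only replaces versioned files, which is why the 2011 note below is right that it does nothing about code an attacker left elsewhere.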

[Edit January 17 2011]: The above story is over three years old and is fiction, based loosely on real-life events.  Dark chocolate covered espresso beans really are delicious, though.  Some other things have changed since 2007.  Notably:
  • Backdoors installed into your WordPress blog aren't automatically removed when you simply update the sources.  There could be eval() calls in your downloaded theme or in database table rows, for example.
  • Deploying your working Version Control System sandbox onto the web isn't a good idea.  Make your changes in your sandbox, and follow a deploy procedure that gets the desired files onto the server.
  • WordPress now has an automatic update feature: its source code can be updated from the control panel.
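A first-pass check for the first bullet above, as an added example (not the post's code and not a WordPress tool): grep theme and plugin files, and a SQL dump of the database, for the constructs injected PHP typically relies on. The pattern list and function names are my own and deliberately narrow; they catch the common eval()/base64_decode() idiom, not every obfuscation, and a hit is a lead for a human to read, not a verdict.

```shell
#!/bin/sh
# Added example (not the post's own code): scan for injected PHP of the
# kind the 2011 note describes, in files and in exported database rows.
# The pattern set is illustrative, not a complete signature list.

# Constructs common to injected PHP: eval()/assert() of a payload that was
# hidden with base64_decode()/gzinflate()/str_rot13(), and the deprecated
# preg_replace() /e modifier, which evaluates its replacement string.
BACKDOOR_RE='(eval|assert|base64_decode|gzinflate|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e'

# Scan every .php file under a directory (e.g. wp-content/). Prints
# file:line:text for each hit; exit status follows grep: 0 if something
# matched, 1 if the tree is clean.
scan_files() {
    grep -rEn --include='*.php' "$BACKDOOR_RE" "$1"
}

# Scan a SQL dump (e.g. mysqldump output) for the same constructs inside
# option values or post content, where code can sit until a theme eval()s
# it or echoes it unescaped. Also flags <script> tags, the XSS-in-the-footer
# vector the story is about.
scan_dump() {
    grep -En "$BACKDOOR_RE|<script" "$1"
}

# usage: sh scan.sh wp-content/ [dump.sql]
if [ "$#" -ge 1 ]; then
    scan_files "$1"
    [ "$#" -ge 2 ] && scan_dump "$2"
fi
```

Legitimate plugins do call base64_decode(), so review each match rather than deleting on sight; what matters is whether the decoded content is executed. Database-resident code only does harm because something evaluates or outputs it, so the fix after a hit is to find and remove that code path as well as the row, then switch the versioned files to a clean tag as above.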

Comments

 pastilla on Dec 4th 2007 at 3:06 PM
:: daemon morphs into a penguin with glasses ::

 dblume on Dec 4th 2007 at 5:54 PM
I get insanely happy about the dumbest things. The stuff above about my customizations, and how tedious it made upgrading was true. So making it a sandbox really helps. This was as good as sorting out the garage.

 superflytrap on Dec 4th 2007 at 5:56 PM
Think you can re-explain for the layman? Or in my case, the Lame-man?

 dblume on Dec 4th 2007 at 6:29 PM
WordPress (and some of its themes), the engine I use for my blog, really has suffered XSS and wp_footer() exploits. So everybody who hosts their own WordPress blog has to get the patches when they come out. (See the link to the tedious instructions above.) It's even worse if you customize the engine like I do. Making my blog run directly out of a subversion sandbox means that updating to the latest (or any specified) code (while retaining my changes) can be done in one easy step. I rock. (Well, automattic rocks, actually, for enabling me to rock.)

 tpederson on Dec 11th 2007 at 10:31 PM
Even though you'll have to explain this to me later to fully understand how much you rock, it's nice to see someone so happy with themselves. I strive for that very same feeling my friend. I heard some of the little people today saying "Yeah I'm in a subversion sandbox too... OK well sort of. Oh God, I don't even know what a subversion sandbox is, I'll never be like Dave".

 (no name) on Jan 1st 2011 at 5:00 PM
This is the coolest website and stories that I have ever read, and it's useful for me as I'm a lecturer and always motivate my students with these published stories. Thank you, and waiting for plenty more.

 (no name) on Jan 17th 2011 at 10:43 AM
I just can't stop reading this. It's so cool, so full of information that I just didn't know. I'm glad to see that people are actually writing about this issue in such a smart way, showing us all different sides to it. You're a great blogger. Please keep it up. I can't wait to read what's next.

 (no name) on Jan 17th 2011 at 11:10 PM
Superb blog post, a bunch of great data. I am about to show my girlfriend and ask them what they think.