Mega-popular blogging and content management system WordPress has just put out version 3.6.1.
Since it’s a maintenance release (an update from 3.6), it doesn’t have a huge raft of new features, but it does fix three security holes.
One of them is a Remote Code Execution vulnerability reported by a young Belgian web application security researcher named Tom Van Goethem.
Now that the fix is out, Van Goethem has published a very detailed description of the bug and the steps he went through to uncover it.
He also mentions that, by using a popular plugin, he was able to go from vulnerability (“there’s a hole, and it could be risky”) to exploit (“here’s how to use the vulnerability for unauthorised access”).
Fortunately, however, he hasn’t gone down the complete-and-total disclosure route, stopping short of giving you a working exploit, and saying:
Due to ethical considerations, I will not disclose a Proof of Concept of this exploit at this time, as there are too many vulnerable WordPress installations out there.
Van Goethem’s bug relates to PHP serialisation.
That’s where you take data, and perhaps even code, from a programming environment, and convert it into a text string representation.
This means it can easily be saved, moved around on a network, and restored later.
It’s called serialisation because even data structures that have a complex layout in memory, such as arrays and tables, end up as a linear (i.e. serial) stream of bytes.
Going back from a serialised text string to live, run-time data inside a program is, unsurprisingly, known as unserialisation.
Any software that inadvertently passes unfiltered, remotely-supplied data into an unserialisation function is taking a bit of a chance, and that’s what was happening inside WordPress.
By the time you get round to validating that unserialised data, it already exists as a live data structure inside a live run-time environment: that’s a bit like dry-firing a handgun as a way of satisfying yourself that it isn’t loaded.
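To make the serialisation and "validate-too-late" points concrete, here is an added PHP example (written for this page, not code from the article, from Van Goethem or from WordPress). It serialises an ordinary array, then shows a defensive wrapper that checks the raw string *before* calling unserialize() and uses PHP 7’s `allowed_classes` option so that no object can be instantiated from network-supplied data; the `unserialize_untrusted()` function name and the sample payloads are constructed for illustration.

```php
<?php
// Added example (not from the article or WordPress): PHP serialisation of a
// data structure, and a defensive way to unserialise untrusted input.

// A nested array: the kind of in-memory structure serialisation flattens
// into a linear string.
$settings = ['theme' => 'dark', 'widgets' => [3, 7, 11]];
$text = serialize($settings);
// $text is now:
// a:2:{s:5:"theme";s:4:"dark";s:7:"widgets";a:3:{i:0;i:3;i:1;i:7;i:2;i:11;}}
echo $text, "\n";

// Restoring it: plain arrays come back as plain arrays, and no user code
// runs during this call.
$restored = unserialize($text);
var_dump($restored === $settings);  // bool(true)

// Defensive wrapper for data that arrived over the network. Checking the
// result *after* unserialize() is too late, because any object embedded in
// the string has already been instantiated by then. So the checks below run
// on the raw string first, and object creation is refused altogether.
function unserialize_untrusted(string $raw, int $max_len = 4096)
{
    // 1. Cheap shape checks on the string itself, before it is parsed.
    if (strlen($raw) > $max_len) {
        return false;
    }
    // Only accept payloads whose top level is an array, string, int or bool;
    // 'O:' (object) and 'C:' (custom-serialised class) are refused outright.
    if (!preg_match('/^[asib]:/', $raw)) {
        return false;
    }
    // 2. A crafted payload could still nest an object inside an array, so
    //    (PHP >= 7.0) forbid object instantiation entirely: any object in the
    //    stream becomes a __PHP_Incomplete_Class stub, and no class code runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; tell that apart from a
    // legitimately serialised false, which is the string "b:0;".
    if ($value === false && $raw !== 'b:0;') {
        return false;
    }
    return $value;
}

// Legitimate settings string round-trips unchanged.
var_dump(unserialize_untrusted($text) === $settings);        // bool(true)

// Top-level object (constructed sample): rejected before parsing.
var_dump(unserialize_untrusted('O:8:"stdClass":0:{}'));      // bool(false)

// Object hidden inside an array (constructed sample): parsed, but the
// object is replaced by an inert stub instead of being instantiated.
$nested = unserialize_untrusted('a:1:{i:0;O:8:"stdClass":0:{}}');
var_dump($nested[0] instanceof __PHP_Incomplete_Class);     // bool(true)
```

Where the data never needs to carry objects at all, the simpler choice is to avoid PHP’s native format for anything remotely supplied and exchange JSON instead: json_decode($raw, true) only ever produces arrays and scalars, so there is no class instantiation to worry about in the first place.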
WordPress, which currently claims more than 7.5 million downloads, has unsurprisingly suggested that “you update your sites immediately.”
Note. Sophos Naked Security and the Sophos Corporate Blog are hosted on WordPress.com VIP servers. These servers were already updated by the time we received the advisory email from WordPress [2013-09-12T13:24Z].