{"id":8135,"date":"2015-04-27T17:25:13","date_gmt":"2015-04-27T21:25:13","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=8135"},"modified":"2015-04-27T17:25:13","modified_gmt":"2015-04-27T21:25:13","slug":"just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites-updated","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2015\/04\/27\/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites-updated\/","title":{"rendered":"Just-released WordPress 0day makes it easy to hijack millions of websites [Updated]"},"content":{"rendered":"

Our blog was not affected…NCCT<\/em><\/p>\n

Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below.<\/p>\n

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.<\/p>\n

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.<\/p>\n

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynn\u00f6nen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”<\/p>\n

The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text\u2014about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn’t automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.<\/p>\n

Here’s a video of the proof-of-concept attack in progress:
\n