I’ve been informed through the automated annotation service that’s integrated in the popular Spamkarma 2 plugin for WordPress that everybody, regardless of the WordPress version used, should deactivate the “everyone can register” free guest registration immediately, for security reasons. Apparently there’s a major security hole in WordPress in connection with this feature which is not yet closed (and apparently no patch is available yet, otherwise the advice would sound different, right?).
Currently I’ve no further details available, but I’ll investigate this issue and will let you know if there’s any news about this.
At the current point in time you should follow this advice (you know, Dr. Dave (the developer of Spamkarma2) is one of the best known and most valuable WordPress community contributors, so there definitely is an issue if he uses his very own plugin to give such important advice!).
Update: In the meantime, I think I was able to confirm the severity of this issue through mere sniffing through the WP sources. Gosh, I must admit that I never thought that WP could contain such a blatantly silly security error. I’m wondering why it hasn’t been exploited before!
For pretty obvious reasons, I won’t publish any details before there is a fix available, otherwise I’d expose hundreds of thousands of blogs to hackers’ grace. It’s awful enough that it is so damn easy to trace that issue down once you know what you have to look for.
Update 2: Just to clear things up a little – I have not exploited the leak for real, I just examined the code, and I think I’ve found the code parts DrDave refers to as being insecure. Regardless of whether I’ve identified the correct place for the issue or not, I trust that DrDave, as the developer of one of the best and most important plugins for WP that has ever been published, has thought about the publication of his warning thoroughly before doing so. On the other hand, it is a well-known fact that Matt isn’t very fond of any sort of security leak disclosure for WP, and it is just as well known that I am not very fond of the way he handles these issues (we crossed swords about this some time ago, when several other issues had been discovered).
And yes, his message refers to WordPress alone, not to Spamkarma2! If it were a Spamkarma2 induced issue, he’d have silently fixed the bug, rolled out a new updated release and published a notice about an important new SK2 release instead, right?
5 Pings
Wordpress: New or old security hole? (Update) [hirnrinde.de - what haunts our heads…] says:
27.07.2006 at 13:04 (UTC 0 )
[...] Update 27.07.06, 12:50. The facts remain unclear, since so far there is no “statement” from the WordPress developers. However, I find the observations of CountZero at http://www.4null4.de worrying: In the mean time, I was able to confirm the severity of this issue through mere sniffing through the WP sources. Gosh, I must admit that I never thought that WP could contain such a blatantly silly security error. I’m wondering why it hasn’t been exploited before! [...]
Critical security hole in WordPress - S-O-S SEO Blog says:
27.07.2006 at 15:21 (UTC 0 )
[...] Dr. Dave is stirring up panic, the guys at WordPress are surely not happy about something like this, the communication with WordPress does not seem to have worked properly, and many bloggers will now blow the story through the blogosphere. Some are puzzled or wonder whether it is only a problem of older versions. According to Dr.Dave, however, that is not the case; all WP versions seem to be affected. Others have investigated, found something, and confirm the danger behind the report. According to them, even 2.1alpha seems to be affected. [...]
SEO news » Critical security hole in WordPress says:
27.07.2006 at 15:28 (UTC 0 )
[...] Dr. Dave is stirring up panic, the guys at WordPress are surely not happy about something like this, the communication with WordPress does not seem to have worked properly, and many bloggers will now blow the story through the blogosphere. Some are puzzled or wonder whether it is only a problem of older versions. According to Dr.Dave, however, that is not the case; all WP versions seem to be affected. Others have investigated, found something, and confirm the danger behind the report. According to them, even 2.1alpha seems to be affected. [...]
The Code Cave says:
28.07.2006 at 06:37 (UTC 0 )
[...] Anyway, as you can guess he’s taken plenty of heat for this, because loads of people are now searching for the hole and trying to figure out how to exploit it. Most of these people just want to protect their own blogs. Others might be searching so that they can use this exploit against others. There are certain people I would not like to be right now… [...]
Wordpress 2.2 Security Hole: Identity Theft at Coolkevmen says:
07.06.2007 at 17:22 (UTC 0 )
[...] us that the WordPress vulnerability regarding guest account registration is still there. So the advice given by CountZero must be applied [...]