- Oct. 31st, 2007
- 17 comments
Update: WP developers are looking into this now . . .
The current version of WordPress (also 2.1-2.3.1 verified so far) is apparently vulnerable to an HTML-tainting attack. I first noticed it on this blog in the next-to-top post. I've actually been on a vacation of sorts, but I monitor changes to my web site carefully. WordPress.org has been notified, but I feel that releasing only the existence of the potential vulnerability is ethical. I have also created a tool to audit for this attack (see "How Do You Know If You're Affected?" below). Others' equity is at stake here as well!
Though I don't know the exact mechanism yet, I have some ideas based on my logs, and I have a high degree of confidence it's a WordPress-specific hack (or perhaps a very popular plug-in) for the following reasons:
0. The links are clearly pathological and deliberately concealed visually using CSS.
1. All exploited sites are running WordPress.
2. The sites are on various shared-hosting and dedicated-hosting in various places around the internet (it's not a particular hosting company).
3. The HTML-tainting appears in the actual database record (at least in my case) for the post; and that's not generally the easiest approach for this sort of attack.
Example HTML Insertion Attack:
<div id="mnu1" style="overflow: auto; position: absolute; z-index:
1; left: -500px; text-indent: -500px; width: 600px; text-align:left">
Where <a href="http://www.adshelper.com/">
download mp3 music</a>? It's ;obvious.<br /> Fast downloads& and super high quality… ;<br />Try to guess, what's the best site to <a href="http://www.my-movie-download.com/">
download movies</a>? Yes, that's right.<br /> I
recently downloaded few films with super high quality.
The outbound links appear to point to the following domains:
ADSHELPER.COM (WHOIS RECORD NOT PRIVATE)
SOFTICANA.COM (WHOIS RECORD PRIVATE; GODADDY; TO INFORM GODADDY OF SPAM USE THIS LINK)
How Do You Know If You're Affected?
I'm writing a quick-and-dirty WordPress plugin to scan your blog for the signature of the HTML-tainting. Install it. It will email you with the affected post IDs if you've been hit (Note: IT SHOULD WORK NOW …).
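As an added illustration of the kind of signature check such a scanner performs (this is not the plugin's code), here is a Python scan over (post_id, post_content) rows like those you would pull from wp_posts: it flags any post whose links sit inside an element concealed by CSS, the way the injected div above uses position:absolute with left:-500px and text-indent:-500px. The sample rows and the spam.example domains are constructed.

```python
import re
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed, so kept off the stack

def style_conceals(style):
    # True if the inline CSS hides the element or parks it off-screen (e.g. left:-500px, text-indent:-500px).
    decls = {k.strip(): v.strip() for k, v in re.findall(r"([a-z-]+)\s*:\s*([^;]+)", style.lower())}
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    for prop in ("left", "top", "text-indent", "margin-left"):
        m = re.match(r"(-?\d+)(?:px)?$", decls.get(prop, ""))
        if m and int(m.group(1)) <= -100:
            return True
    return False

class HiddenLinkDetector(HTMLParser):
    """Collects the href of every <a> nested inside a concealed element."""
    def __init__(self):
        super().__init__()
        self.stack = []  # one bool per open element: concealed or not
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag not in VOID_TAGS:
            self.stack.append(style_conceals(attrs.get("style", "")))
        if tag == "a" and any(self.stack) and attrs.get("href"):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def scan_posts(posts):
    """posts: iterable of (post_id, post_content) rows, e.g. from wp_posts.
    Returns {post_id: [hidden hrefs]} for each post carrying the signature."""
    hits = {}
    for post_id, content in posts:
        det = HiddenLinkDetector()
        det.feed(content)
        if det.hidden_links:
            hits[post_id] = det.hidden_links
    return hits

SAMPLE_POSTS = [  # constructed sample rows (not real posts): 101 is clean, 102 carries the injected div
    (101, '<p>A normal post with a <a href="http://example.org/">visible link</a>.</p>'),
    (102, '<p>Old post.</p><div id="mnu1" style="position: absolute; left: -500px; text-indent: -500px">'
          'Where <a href="http://spam.example/">download mp3</a>?<br />Try <a href="http://spam2.example/">movies</a>.</div>'),
]
```

Run scan_posts over every row of wp_posts and mail the resulting post IDs; a hit means the post body itself, not the theme, carries the hidden links.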
What Can We Learn From this?
The Domain and URL have an equity, and black hatters are always looking for a way to exploit that. One must be vigilant to protect this equity by monitoring for attacks like this, as it can be particularly harmful to your rankings as well. HTML insertion attacks in general are also documented in my book:
Affected WordPress Versions
Prominent Affected Sites
http://warpspire.com/hemingway : WordPress 2.3-alpha
http://www.cartoonbrew.com/ : WordPress 2.1
http://www.powazek.com/ : WordPress 2.2
http://www.freekareem.org/ : WordPress 2.2.1
http://www.smallbiztrends.com/ : WordPress 2.2.1
http://blog.modernmechanix.com/ : WordPress 2.1.2
http://www.bittbox.com/ : WordPress 2.2.1
http://www.ethanzuckerman.com/blog/ : WordPress 2.2.1
http://www.tjcenter.org/ : WordPress 2.1.2
http://www.cato-at-liberty.org/ : Signature Removed
http://www.smstextnews.com/ : WordPress 2.1.3
http://blog.ianbicking.org/ : WordPress 2.2.1
http://www.searchviews.com/ : WordPress 2.2
http://www.dreammanifesto.com/ : WordPress 2.3.1
http://www.zeldman.com/ : Signature Removed
http://www.mysqlperformanceblog.com/ : WordPress 2.3.1
http://blog.oup.com/ : WordPress 2.2
http://weblog.philringnalda.com/ : WordPress 2.3.1
http://blog.everythingflex.com/ : WordPress 2.1.3
http://www.darfur-awareness.org/ : WordPress 2.2
"17 Wise Comments Banged Out Somewhere On The Internet ..."
[...] Sirovich over at SEO Egg Head today reported that on returning from holiday he found that his blog had been hit by what he calls [...]
[...] Seo Egghead has evidently discovered a WP 2.3.1 vulnerability HTML-tainting attacks. (The vulnerability evidently exists in W.P 2.1). The apparent application is to inject ads into bloggers older posts; these would tend to look like paid links. The problems for you would be a potential drop in page rank. [...]
[...] was looking at a SEO blog I read and I found this article SEO Egghead by Jaimie Sirovich » Latest WordPress 2.3.1 Apparently Vulnerable To Hackers. Looks like in the current version of Wordpress people can upload HTML and hijack your blog and [...]
Search Engine Optimization Direct » Blog Archive » Latest WordPress 2.3.1 Apparently Vulnerable To Hackers
[...] fiLi article is brought to you using rss feeds. Here are some of the top articles on search engine optimization. The current version of WordPress (also 2.1-2.3.1 verified so far) is apparently vulnerable to an HTML-tainting attack. I first noticed it on this blog in the next-to-top post. I've actually been on a vacation of sorts, … [...]