
Object injection vulnerability enables remote code execution in WordPress 3.6 - mathias
http://vagosec.org/2013/09/wordpress-php-object-injection/index.html
======
IgorPartola
An old (2.x) version of WordPress I worked on included an eval() statement
that amounted to basically just doing variable assignment. I am sure there was
some reason for this (probably not a good one), but it turned me off to the
WordPress core. The fact that every WP release is quickly followed up with a
patch for some critical remote code execution vulnerability tells me that
there is something systematically wrong with its handling of user input and
security.

Because of that, I moved off WordPress for personal blogging and onto Pelican
[1]. You can't compromise static content.

[1] [http://docs.getpelican.com/en/3.2/](http://docs.getpelican.com/en/3.2/)

~~~
actionscripted
Pelican isn't exactly client-friendly and has far fewer features than
WordPress. Pelican and the rest of the static-site generators might be great
for developers or tech-savvy folks, but you'd be hard-pressed to sell the
system to the average web client.

~~~
IgorPartola
Exactly, but it's perfect for me. I guess having a WYSIWYG editor and a web UI
would make it more user friendly.

I also like that I can have my content under version control.

~~~
juddlyon
Statamic tries to blend the best of both worlds (client-friendly UI + no
database): [http://statamic.com/](http://statamic.com/)

------
cryptbe
Cool research. I like how you "connect-the-dots" from the benign-looking
MySQL's behaviour to the bad code in WordPress. This reminds me of
[http://www.suspekt.org/2008/08/18/mysql-and-sql-column-trunc...](http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/).

I'm surprised that the fix in WordPress wasn't explicitly marking fields that
need to be serialized/unserialized, instead of second-guessing based on the
broken promise by MySQL.

> MySQL replaces characters it doesn’t recognize (for the given character
> set), with a placeholder. MySQL will sometimes replace byte sequences with
> “?” or “�” (U+FFFD). Such replacements would not be harmful.

This is so wrong. A database must never change any data that it's asked to
store. WordPress, and other applications, always make that assumption, and
when it isn't true anymore all hell breaks loose.

PS: it blows my mind that it looks like strpos in PHP could return either
boolean or integer [1].

[1] [http://core.trac.wordpress.org/browser/tags/3.6.1/wp-include...](http://core.trac.wordpress.org/browser/tags/3.6.1/wp-includes/functions.php#L0)

~~~
hamburglar
I'm always sort of flabbergasted when I see PHP programmers doing this
"maybe_xyz" stuff. I recall there's a PHP api for escaping stuff that has
weird options for either allowing "double escaping" or ignoring successive
invocations. It screams amateur hour to say "uh, I have a string, and I don't
know if it's escaped yet, so I'll just call this API that escapes it because
it magically avoids 'double escaping' for me." There's no such thing as
"double escaping" -- it's just "escaping". The fact that you might be
escaping something that appears to be an already-escaped string is irrelevant.
If you are dealing with user input strings and you don't know for sure whether
a string is escaped or not (or how many times), you are probably writing a
security hole somewhere.

~~~
fooyc
While I totally agree, this is in no way specific to PHP.

Ruby on Rails has such ugliness too, a view helper called "escape_once":
[http://api.rubyonrails.org/classes/ActionView/Helpers/TagHel...](http://api.rubyonrails.org/classes/ActionView/Helpers/TagHelper.html#method-i-escape_once)

What's crazy is that I can't even find an "escape" helper. Oh, it's called
html_escape. Oh, and there is an html_escape_once too!

Python Django too:
[https://docs.djangoproject.com/en/dev/ref/utils/#django.util...](https://docs.djangoproject.com/en/dev/ref/utils/#django.utils.html.conditional_escape)

~~~
hamburglar
Fair enough. It's funny how angry I get when I think of someone needing an
"escape_once" function or "is_serialized". I think this discussion might have
to become part of my interview process, because if someone doesn't understand
the absolute undeniable terribleness of trying to determine if a string has
been escaped or serialized by inspecting its contents, then I really don't
want them in my code.
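An added PHP example (not WordPress's own code) covering both this comment's objection to sniffing whether a string is serialized and cryptbe's note above that strpos() returns either bool or int; the function names, the out-of-band "type" field and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress code. Two points from the thread: strpos()
// returns int 0 or bool false, and deciding whether a string is serialized
// by inspecting its bytes is a heuristic that can be fooled either way.

// Hypothetical content-sniffing check in the spirit of a "maybe_unserialize".
function looksSerializedLoose(string $s): bool {
    foreach (['a:', 'O:', 's:', 'i:', 'b:', 'd:'] as $tag) {
        if (strpos($s, $tag) != false) {   // bug: a match at offset 0 == false
            return true;
        }
    }
    return false;
}

// Strict comparison fixes the offset-0 bug, but the result is still a guess
// about what the bytes were meant to be, not a record of what was stored.
function looksSerializedStrict(string $s): bool {
    foreach (['a:', 'O:', 's:', 'i:', 'b:', 'd:'] as $tag) {
        if (strpos($s, $tag) !== false) {
            return true;
        }
    }
    return false;
}

// The design the thread asks for: the field's type is stored alongside it,
// so nothing is guessed, and object instantiation is disabled when decoding.
function decodeField(array $row) {
    if ($row['type'] !== 'serialized') {
        return $row['value'];   // plain text is returned untouched
    }
    // PHP >= 7.0: allowed_classes => false leaves any O:... payload as a
    // __PHP_Incomplete_Class, so no constructor or __wakeup() ever runs.
    return unserialize($row['value'], ['allowed_classes' => false]);
}

// Constructed sample values.
$str  = 's:5:"hello";';     // valid serialized string; its "s:" tag sits at offset 0
$text = 'see section a:b';  // ordinary user text that merely contains "a:"

var_dump(looksSerializedLoose($str));    // misses it: offset 0 loosely equals false
var_dump(looksSerializedStrict($str));   // recognised once the comparison is strict
var_dump(looksSerializedStrict($text));  // false positive: plain text flagged as serialized
var_dump(decodeField(['type' => 'text', 'value' => $text]));      // never unserialized
var_dump(decodeField(['type' => 'serialized', 'value' => $str])); // decoded to "hello"
```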

------
satyap
WordPress is the PHP of web frameworks....

I'll be in the corner.

