Hacker News




That's very possibly the vector.

If you can place a .php file in the plugins directory located here: http://www.techcrunch.com/plugins/

And then if you call the script as per your example, then it appears that plugin is loaded (and evaluated).

Someone else more versed in PHP might want to cast their eyes over the WordPress plugin to see whether I'm right: http://wordpress.org/extend/plugins/wp-super-cache/

But it appears it's a case of globals not being checked prior to use: http://php.net/manual/en/security.globals.php

So at first glance and with limited info... it's a plugin. Not that this surprises me, I still use vBulletin and I spend a lot of time code-reading the plugins for that before I use them. Mostly to make sure they don't do silly things like have SQL inside a loop over potentially lots of items, but also for the obvious security holes.

register_globals is an old one though, should be disabled: http://drupal.org/node/222343
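
An added example, not part of the original thread and not code from any plugin: a small Python audit for the two conditions the comment above describes, register_globals being enabled in php.ini and include/require paths built from variables the file never assigns. The sample inputs and function names are constructed for illustration, and the include check is a line-based heuristic rather than a PHP parser.

```python
import re

# Constructed sample inputs (not taken from any real site or plugin).
SAMPLE_INI = """\
; php.ini (constructed sample)
register_globals = Off
;register_globals = On
[PHP]
register_globals = On   ; re-enabled later in the file
"""

SAMPLE_PHP = """\
<?php
// constructed sample, not code from any real plugin
require_once 'config.php';
if ($use_plugins) {
    include $plugin_dir . '/' . $plugin_file;
}
$tpl = 'header.php';
include $tpl;
"""

TRUTHY = {"on", "1", "true", "yes"}
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*);")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=(?!=)")

def register_globals_enabled(ini_text):
    """Effective register_globals value (assumption: the last assignment wins)."""
    enabled = False  # PHP's default has been Off since 4.2.0
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        m = re.match(r"register_globals\s*=\s*(\S+)", line, re.I)
        if m:
            enabled = m.group(1).strip("\"'").lower() in TRUTHY
    return enabled

def unassigned_include_vars(php_src):
    """Return (line_no, var) for include/require paths that use a variable
    the file has not assigned on an earlier line."""
    findings, assigned = [], set()
    for no, line in enumerate(php_src.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if m:
            for var in VAR_RE.findall(m.group(1)):
                if var not in assigned:
                    findings.append((no, var))
        assigned.update(ASSIGN_RE.findall(line))
    return findings
```

A finding from the second function only matters as a register_globals issue when the first one returns True; with the directive off, the flagged variables still deserve a check that they are initialised before use.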


They had register_globals on? @_@

I hope they go for the radical openness option and do a full public post-mortem. A teachable moment like this should not be wasted.

register_globals was known to be a bad idea in 1999 for crying out loud.


Phew, I don't feel bad now. I wrote an HTML preprocessor in 1999 to allow PHP-like embedding of Perl in webpages. It did the equivalent of register globals. I still have it up on my website but with a big warning that says "this has known security issues, don't use it". At least someone else made the same mistake around that time :)


How do you come to the conclusion that it was because register_globals was turned on?

There's not even a valid reason to turn that setting on, with legacy not even being an excuse.



