Last week there was some spam posted to the WordPress core bug tracker. The accounts involved can easily have their access to WordPress.org blocked and their passwords changed to invalidate the cookies used to access the WordPress.org forums. This also stops them from logging into the bug tracker again. However, the trac_auth cookie — the cookie that Trac uses to authenticate a browser to a particular user account after valid login details are provided — is not tied to a user’s password; instead the cookie stores a random string that can be verified against the auth_cookie table in the Trac database. This means that until this cookie expires, when the user closes their browser or 10 days after initial sign-on, the spammer is able to remain authenticated to their WordPress.org profile on core.trac.wordpress.org and can continue to post their spam on the bug tracker.
So, because I was curious (and I had to find something to do other than revision for a machine learning test on Tuesday), I decided to write a short Trac plugin to allow a TRAC_ADMIN user to revoke user cookies. The plugin registers a new administration panel and provides the HTML template for its display. The new panel is just a simple form with a single input for entering the target’s username. After the form is submitted the plugin handles the POST request to delete the row in the auth_cookie table which matches the given name. On future requests to the Trac instance the value stored in the user’s trac_auth cookie will no longer match an entry in the database and so the user will not be authenticated.
The code can be found on github. Currently the master branch and the 0.1 tag can be run with Trac versions greater than 0.12 whilst the develop branch contains a small update to make use of enhancements to the Trac database API in the unreleased Trac 0.13.
I found the process of writing a Trac plugin to be quite interesting and fun. Using my (basic) python knowledge again was a good experience too. I already have a project lined up which requires a Trac plugin to be developed, so this was also a nice, easy way to set up the necessary development environment in advance and get myself acquainted with the API.
A year ago today was the first time that one of my patches was accepted into WordPress core. Just a few days after submitting my first patch and opening my first ticket.
In the past twelve months I have submitted hundreds of other patches and been involved with a few other projects outside of the core. I have also helped it with, if not been one of the causes of, the past four security releases — sorry folks.
It has been truly amazing to be involved with the community and to know that I have helped make software that is used by millions daily. It is also the first time that I can honestly say that I was glad to have had revision to do. In trying to procrastinate and put off doing said revision I decided to contribute to an open source project. I chose WordPress.
My goals for the second year? Firstly to be more involved with the WordPress community; for starters I need to attend my first WordCamp as I feel that I have really missed out on that front so far. Second, to help get more people contributing to the project. This is currently taking the form of being a GSoC mentor this year. Last, and definitely not least, to continue contributing as much as I can to WordPress. This means many, many more patches as well as finding the time to work more on the WordPress API reference.
With the launch of WordPress 3.1 — actually slightly delayed by bug hunting — I am pushing Exploit Scanner version 1.0.
Summary of main changes:
diffs of modified core WordPress files
File hashes for WordPress 3.1
Updated malicious pattern signatures
Core file diffs
The major feature delivered with the new release are diffs of core file changes. This allows you to easily see how a modified file has been changed from the original and identify any malicious code that has been introduced.
These diffs are powered by the same engine that runs the compare revisions feature in WordPress; that is Text Diff from The Horde Project and PHP PEAR.
Understanding the output is relatively simple. First of all the pretty colours quickly show you what has been added or removed from the file in question. Red indicates content that has been removed from the original, unmodified core file. Green highlights lines that have been added to a file. There are also reference numbers along with ‘change commands’ detailing the line numbers affected. There are three of these change commands:
lar — Add the lines in range r of modified file after line l of the original file.
fct — Replace the lines in range f of the original file with the lines in range t of the modified file.
rdl — Delete lines in the range r of the original file; line l is the line where they would have appeared in the modified file if they had not been removed.
This feature works by retrieving the unmodified source file from the WordPress subversion repository and comparing it to the local file using Text Diff. Unmodified sources are cached in the database to reduce HTTP requests and (minimal) extra load on the WordPress.org servers.
Plans for the future
Bug fixing and continued core hash updates as usual. Unfortunately people still seem to encounter problems when running scans, but I never seem to be able to reproduce and pinpoint how the error is occurring. 1.0 adds some error catching code to help track this.
wp-config.php tracking. Changes to core files are easily spotted with checksums and the new diffs feature, but the all important wp-config.php file is not tracked. This probably would not be limited to just the config file, but could be extended to all files that make up your WordPress installation (i.e. plugins, themes, etc.) and would allow you to detect any modifications made from a known clean state à laAIDE.
Over the air signature updates and patches are really interesting to me. I have been toying with the idea providing (semi-)automatic updates to the malicious code signatures and even core patches for security vulnerabilities — though the latter may best be left to the VaultPress team (sidenote: is there going to be a public release of the plugin at some point?). This is the least likely update for the near future and would most probably be an optional feature as it would involve pinging an update server. A pipe dream for now.
Let me know if there is anything you would like – or not like – to see in future versions of Exploit Scanner.
Unfortunately the commits appear to lose sync with the date. There are only four commits in the log for 23 February 2011, but the video shows some from a few days before. However since it took so long to create the video the first time I was not going to try again!
Either send me a random string and tell me to change it once successfully logged in (not great), or send a link to allow me to save a new secret password.
Definitely do not let me believe that my password is being stored in plain text in a database (which is what this situation indicates), instead of being stored after the application of a one-way hash function with salting and stretching.