Trac Cookie Revocation

Last week there was some spam posted to the WordPress core bug tracker. The accounts involved can easily have their access to blocked and their passwords changed to invalidate the cookies used to access the forums. This also stops them from logging into the bug tracker again. However, the trac_auth cookie — the cookie that Trac uses to authenticate a browser to a particular user account after valid login details are provided — is not tied to a user’s password; instead the cookie stores a random string that can be verified against the auth_cookie table in the Trac database. This means that until this cookie expires, when the user closes their browser or 10 days after initial sign-on, the spammer is able to remain authenticated to their profile on and can continue to post their spam on the bug tracker.

So, because I was curious (and I had to find something to do other than revision for a machine learning test on Tuesday), I decided to write a short Trac plugin to allow a TRAC_ADMIN user to revoke user cookies. The plugin registers a new administration panel and provides the HTML template for its display. The new panel is just a simple form with a single input for entering the target’s username. After the form is submitted the plugin handles the POST request to delete the row in the auth_cookie table which matches the given name. On future requests to the Trac instance the value stored in the user’s trac_auth cookie will no longer match an entry in the database and so the user will not be authenticated.

Revoking a trac_auth cookie

The code can be found on github. Currently the master branch and the 0.1 tag can be run with Trac versions greater than 0.12 whilst the develop branch contains a small update to make use of enhancements to the Trac database API in the unreleased Trac 0.13.

I found the process of writing a Trac plugin to be quite interesting and fun. Using my (basic) python knowledge again was a good experience too. I already have a project lined up which requires a Trac plugin to be developed, so this was also a nice, easy way to set up the necessary development environment in advance and get myself acquainted with the API.

This entry was posted on 26 October 2011.

One year in core

A year ago today was the first time that one of my patches was accepted into WordPress core. Just a few days after submitting my first patch and opening my first ticket.

Changeset 14057

In the past twelve months I have submitted hundreds of other patches and been involved with a few other projects outside of the core. I have also helped it with, if not been one of the causes of, the past four security releases — sorry folks.

It has been truly amazing to be involved with the community and to know that I have helped make software that is used by millions daily. It is also the first time that I can honestly say that I was glad to have had revision to do. In trying to procrastinate and put off doing said revision I decided to contribute to an open source project. I chose WordPress.

My goals for the second year? Firstly to be more involved with the WordPress community; for starters I need to attend my first WordCamp as I feel that I have really missed out on that front so far. Second, to help get more people contributing to the project. This is currently taking the form of being a GSoC mentor this year. Last, and definitely not least, to continue contributing as much as I can to WordPress. This means many, many more patches as well as finding the time to work more on the WordPress API reference.

This entry was posted on 10 April 2011.

Announcing Exploit Scanner 1.0

With the launch of WordPress 3.1 — actually slightly delayed by bug hunting — I am pushing Exploit Scanner version 1.0.

Summary of main changes:

  • diffs of modified core WordPress files
  • File hashes for WordPress 3.1
  • Updated malicious pattern signatures

Core file diffs

The major feature delivered with the new release are diffs of core file changes. This allows you to easily see how a modified file has been changed from the original and identify any malicious code that has been introduced.

These diffs are powered by the same engine that runs the compare revisions feature in WordPress; that is Text Diff from The Horde Project and PHP PEAR.

Understanding the output is relatively simple. First of all the pretty colours quickly show you what has been added or removed from the file in question. Red indicates content that has been removed from the original, unmodified core file. Green highlights lines that have been added to a file. There are also reference numbers along with ‘change commands’ detailing the line numbers affected. There are three of these change commands:

  • lar — Add the lines in range r of modified file after line l of the original file.
  • fct — Replace the lines in range f of the original file with the lines in range t of the modified file.
  • rdl — Delete lines in the range r of the original file; line l is the line where they would have appeared in the modified file if they had not been removed.

This feature works by retrieving the unmodified source file from the WordPress subversion repository and comparing it to the local file using Text Diff. Unmodified sources are cached in the database to reduce HTTP requests and (minimal) extra load on the servers.

Plans for the future

Bug fixing and continued core hash updates as usual. Unfortunately people still seem to encounter problems when running scans, but I never seem to be able to reproduce and pinpoint how the error is occurring. 1.0 adds some error catching code to help track this.

wp-config.php tracking. Changes to core files are easily spotted with checksums and the new diffs feature, but the all important wp-config.php file is not tracked. This probably would not be limited to just the config file, but could be extended to all files that make up your WordPress installation (i.e. plugins, themes, etc.) and would allow you to detect any modifications made from a known clean state à la AIDE.

Over the air signature updates and patches are really interesting to me. I have been toying with the idea providing (semi-)automatic updates to the malicious code signatures and even core patches for security vulnerabilities — though the latter may best be left to the VaultPress team (sidenote: is there going to be a public release of the plugin at some point?). This is the least likely update for the near future and would most probably be an optional feature as it would involve pinging an update server. A pipe dream for now.

Let me know if there is anything you would like – or not like – to see in future versions of Exploit Scanner.

This entry was posted on 27 February 2011.

Road to WordPress 3.1

WordPress 3.1 is finally here!

Of the new features that arrived today, a few of my favourites are:

  • Internal linking
  • Improved WXR import/export (well it had to be on my list)
  • Admin bar, just because of the awesome Debug Bar plugin

The following is a visualization of all the commits made to WordPress up until the release of 3.1:

The video was made using Gource on a checkout of the whole WordPress repository using the following commands.

`gource --log-command svn` > svn.log
gource --user-image-dir gravatars --disable-progress --stop-at-end --highlight-users -s 0.1 --date-format '%A, %e %B %Y' --output-ppm-stream - svn.log | ffmpeg -b 3000K -r 60 -f image2pipe -vcodec ppm -i - -vcodec libx264 -vpre medium wp-gource.mp4

Unfortunately the commits appear to lose sync with the date. There are only four commits in the log for 23 February 2011, but the video shows some from a few days before. However since it took so long to create the video the first time I was not going to try again!

Time to start work on 3.2!

This entry was posted on 23 February 2011.

Password reminders or: How not to instill confidence

Please do not do this:

Password reminder email

Either send me a random string and tell me to change it once successfully logged in (not great), or send a link to allow me to save a new secret password.

Definitely do not let me believe that my password is being stored in plain text in a database (which is what this situation indicates), instead of being stored after the application of a one-way hash function with salting and stretching.

This entry was posted on 17 January 2011.