WordPress File Hosting Flaw

When an application accepts only specific kinds of uploads, it should verify that each file really is of that kind. For example, if you want to allow users to upload only .doc files, you should check the file thoroughly for actually being a .doc file. At a basic level this needs no special programming or resources: just match the file signature (the first few bytes of the file) against its extension.
For example, the file signature for .doc (Microsoft Office document) is “D0 CF 11 E0” (ref: List of file signatures on Wikipedia).

WordPress allows users to upload only a limited set of file types, such as doc, pdf, gif and jpg. But on upload it does not check the file signature, only the extension. Hence anybody can upload any kind of file by changing its extension, and WordPress will host it.
If WordPress restricts files like .exe or .rar in order to avoid hosting malware (viruses, trojans), it is doing it wrong. The concern here is not downloading such files once they carry a valid extension, but uploading them to a WordPress blog in the first place. If any kind of file can be uploaded without the signature being considered, the bad guys can upload anything and lure users into downloading it. The Insert Media menu says ‘Allowed File Types’; it should really say ‘Allowed File Extensions’, as only the extensions are checked.
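As an added illustration of the signature check described above (my own example, not WordPress code and not from the original post), here is a small Python validator that compares the first bytes of an upload with the magic numbers expected for its claimed extension. The signature table is constructed for this example from public file-signature lists; the allowed-extension list mirrors the doc/pdf/gif/jpg types mentioned above, and the RAR, ZIP and EXE entries exist only so the checker can name what a mislabelled file actually is. The function names `sniff`, `validate_upload` and `validate_file` are mine.

```python
from pathlib import Path
from typing import Optional, Tuple

# Magic numbers (first bytes) for the extensions this site chooses to host.
# Table constructed for this example from public file-signature lists.
ALLOWED_SIGNATURES = {
    "doc": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],  # OLE2 compound file (legacy Office)
    "pdf": [b"%PDF"],                               # 25 50 44 46
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xFF\xD8\xFF"],
    "jpeg": [b"\xFF\xD8\xFF"],
}

# Signatures of types we recognise only to explain a rejection; never hosted.
OTHER_SIGNATURES = {
    "rar": [b"Rar!\x1A\x07"],       # 52 61 72 21 1A 07
    "zip": [b"PK\x03\x04"],         # also the container for docx/xlsx/jar
    "exe": [b"MZ"],                 # DOS/Windows executable header
}

HEADER_LEN = 8  # longest magic number in the tables above


def sniff(header: bytes) -> Optional[str]:
    """Return the type name whose signature the header starts with, or None."""
    for table in (ALLOWED_SIGNATURES, OTHER_SIGNATURES):
        for kind, magics in table.items():
            if any(header.startswith(m) for m in magics):
                return kind
    return None


def validate_upload(filename: str, header: bytes) -> Tuple[bool, str]:
    """Accept only if the claimed extension and the content signature agree.

    `header` is the first HEADER_LEN bytes of the uploaded file.
    """
    ext = Path(filename).suffix.lower().lstrip(".")
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension .{ext} is not allowed"
    if any(header.startswith(m) for m in ALLOWED_SIGNATURES[ext]):
        return True, f"content matches .{ext}"
    actual = sniff(header) or "unknown"
    return False, f"extension .{ext} but content looks like {actual}"


def validate_file(path: str) -> Tuple[bool, str]:
    """Convenience wrapper that reads the header from a file on disk."""
    with open(path, "rb") as fh:
        return validate_upload(Path(path).name, fh.read(HEADER_LEN))


if __name__ == "__main__":
    # Constructed headers: a genuine-looking .doc, then a RAR archive renamed
    # to .doc (the trick the post describes), then an .exe by its real name.
    print(validate_upload("report.doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"))
    print(validate_upload("report.doc", b"Rar!\x1A\x07\x00\x00"))
    print(validate_upload("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00"))
```

The renamed archive is rejected with a reason that names the real type, which is the information an upload handler should log. A signature check is necessary but not sufficient: a file can start with a valid GIF or PDF header and still carry other content, so uploads should also be stored where the web server never executes them and served with an explicit Content-Type.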

If we take the case of Gmail, while attaching a file it checks the file thoroughly (kind of!) so that users can’t attach an .exe file. Even if someone zips the exe, it will still detect the executable inside the archive and skip attaching the file. But in the case of WordPress, you are now aware of what happens on file upload. Thus WordPress can act as a file-sharing site too (if you ignore the extensions).

Below is a link to the Win32.Polip.A virus, which was a .rar file that I uploaded after altering its extension to .doc. (Download it at your own risk! This is purely a virus and I am not responsible for any harm.)

Polymorphic File Infector Archived File

Bingo!

(I tried to contact WordPress Support, but I read that I need to post in the forums and can’t contact the support team directly unless I am a paying customer. Hence, here I am, making this information public.)

WordPress Brute-Force Attack


Apparatus:

  • A distributed botnet of around tens of thousands of bots, each with its own IP address
  • A password file of around 1000 entries containing common passwords
  • The default username: ‘admin’

Steps:

  • WordPress 3.0 was released 3 years ago, yet users still go on with ‘admin’ as their default username and some usual password
  • A brute-force attempt with the username ‘admin’ and passwords from the above-mentioned file
  • The botnet tries this attack on each and every WordPress portal available on the Internet

Objective:

A well-planned distributed attack (just like itsoknoproblembro shook the banking world) against some hot-spot on the Internet.

How:

WordPress web servers have very high bandwidth, practically unlimited. Any attack launched from these servers will have a great impact. This can be used to build a bigger and more powerful zombie network.

Conclusion:

Save your WordPress! Change your password if your username is admin (and also change the username from admin to something else, to be secure).
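For the defender's side of the attack described above, here is an added Python example (mine, not from the post and not WordPress code) that runs simple brute-force detection over web-server access log lines in the common combined format. It flags any source IP with many failed wp-login.php POSTs inside a short window, and separately flags a site-wide spike in failures, which is what a distributed botnet looks like when each bot stays under the per-IP limit. The log lines are constructed for the example, the thresholds are arbitrary, and the "HTTP 200 on a failed login, 302 on success" rule is my assumption about how a typical WordPress install responds; the function names are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    # Assumption (heuristic): WordPress re-renders the login form with HTTP 200
    # on a wrong password and answers a successful login with a 302 to wp-admin.
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def detect_bruteforce(lines, per_ip_threshold=5, site_threshold=12,
                      window=timedelta(seconds=60)):
    """Sliding-window counts of failed logins, per source IP and site-wide.

    Lines are assumed to be in time order, as a live log is. Returns the IPs
    that crossed the per-IP threshold and whether the whole site crossed the
    site-wide threshold at any point (a distributed attack signal).
    """
    per_ip = defaultdict(deque)
    site = deque()
    flagged_ips = set()
    site_spike = False
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ts = rec["ts"]
        q = per_ip[rec["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_threshold:
            flagged_ips.add(rec["ip"])
        site.append(ts)
        while site and ts - site[0] > window:
            site.popleft()
        if len(site) >= site_threshold:
            site_spike = True
    return {"flagged_ips": sorted(flagged_ips), "site_spike": site_spike}


def _line(ip, sec, method="POST", path="/wp-login.php", status=200):
    # Helper that builds a constructed combined-format log line (not real traffic).
    return (f'{ip} - - [12/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')


# Constructed sample: one ordinary visitor, one real login, one bot hammering
# the login form, and five further bots that each fail only twice.
SAMPLE_LOG = [
    _line("203.0.113.9", 0, "GET", "/", 200),
    _line("203.0.113.9", 1, status=302),
    *[_line("198.51.100.7", s) for s in range(2, 8)],
    *[_line(f"192.0.2.{n}", 10 + n) for n in range(1, 6)],
    *[_line(f"192.0.2.{n}", 20 + n) for n in range(1, 6)],
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

On the sample, only 198.51.100.7 crosses the per-IP limit, but the sixteen failures from six addresses inside one minute trip the site-wide threshold; that second signal is the one that matters against a botnet, since per-IP blocking alone never sees the pattern. In practice the flagged addresses would feed a firewall or a plugin such as a login limiter, and the site-wide alert would go to whoever can enable two-step authentication or put the login page behind extra authentication.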

Some more tips:

If you are using WordPress.com for your blog, change your password and enable two-step authentication.

If you are the admin of a WordPress installation on your own server, you have some more steps to follow, like creating a password for the .wpadmin file and making some security modifications in the .htaccess file.

A more detailed description of these changes is available here: Hostgator Support for WP Attack