WordPress Vulnerability:
Take a little time to check.
SEO Egghead has evidently discovered a WP 2.3.1 vulnerability that enables HTML-tainting attacks. (The vulnerability evidently exists in WP 2.1.) The apparent application is to inject ads into bloggers’ older posts; these would tend to look like paid links. The problem for you would be a potential drop in page rank.
SEO Egghead recommends that bloggers check their posts for inserted links to the mp3 sites he has discovered, which he lists at his site, and provides a plugin for this purpose.
I may be wrong, but I don’t think you need to use his plugin. You should be able to get the same information by clicking “manage” in your dashboard, finding the big search box and entering ‘adshelper’. Then click search. WP will return a list of posts containing links to “adshelper”. Next, repeat the search for ‘softicana’. If both searches return zero pages, you’re clean.
While you’re at it: why assume these are the only hacker-advertisers? Take a little time and search for words like “mp3”, “casino”, “mortgage”, “viagra” and anything else you can dream up. If you find anything, blog about it so other bloggers can learn and check.
With luck, if my suggested method of testing is useless and you really do need to use the plugin, SEO Egghead will pop in and tell us I’m wrong. (I asked at his blog last night, and I’ll keep checking for an answer.)
Are you wondering how I did?
I seem to be ‘clean’ on ‘adshelper’, ‘softicana’ and a variety of other terms I dreamed up.
Hmmm… Plugin idea
If these sorts of HTML-tainting attacks are common, I should probably write a plugin that periodically scans all blog posts for a standard set of blacklist terms, plus terms in the user’s own blacklist. Monthly checks at all our blogs would let us catch these things and warn others. It would be an easy plugin… hmmm….
If readers do run this test, and any come up “tainted”, I’ll seriously consider writing that plugin. Meanwhile, I need to get through updating all my existing ones first!
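The scan the plugin idea above describes, and the dashboard search earlier in the post, as an added example in Python (not SEO Egghead’s plugin and not this blog’s code). It assumes you can export your posts as (ID, HTML) pairs, for instance from the wp_posts table; the sample posts are constructed.

```python
# Added example, not code from this post or from SEO Egghead's plugin: scan
# WordPress post bodies for links to blacklisted hosts, automating the
# dashboard search described above. Feed it your own exported posts.
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two terms named in the post; extra_terms below is the user's own blacklist.
DEFAULT_BLACKLIST = ("adshelper", "softicana")


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in a post body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def tainted_links(post_html, blacklist=DEFAULT_BLACKLIST):
    """Return (href, term) for each link whose host or path contains a term."""
    collector = _LinkCollector()
    collector.feed(post_html)
    hits = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        haystack = (parsed.netloc + parsed.path).lower()
        for term in blacklist:
            if term.lower() in haystack:
                hits.append((href, term))
                break  # one hit per link is enough to flag it
    return hits


def scan_posts(posts, extra_terms=()):
    """posts: iterable of (post_id, post_html); returns {post_id: hits} for
    tainted posts only, so an empty dict means you are clean."""
    blacklist = DEFAULT_BLACKLIST + tuple(extra_terms)
    return {pid: h for pid, html in posts if (h := tainted_links(html, blacklist))}


# Constructed sample posts (not real data): one clean, two with injected links.
SAMPLE_POSTS = [
    (101, '<p>My review of a <a href="https://example.org/widget">widget</a>.</p>'),
    (102, '<p>Old post.</p><p><a href="http://adshelper.example/mp3/free">mp3</a></p>'),
    (103, '<p>Thoughts on <a href="http://casino.example/">nothing</a>.</p>'),
]
```

Calling scan_posts(SAMPLE_POSTS, extra_terms=("casino",)) flags posts 102 and 103; with the default list only 102 is reported.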
Tags: hack security vulnerability WordPress
Related Posts:
- Two tips to avoid Duplicate Content: Robots.txt or Meta Robots WordPress Plugin
- Lucia's Linky Love for WP 2.3: Option to follow trackback immediately.
- Improve Your Better Feed: Wordpress Plugin
- Kontera Control for WP 2.3: Feel Free To Test!
Posted on November 1, 2007.

Two Ways To Hide Your Secrets from Google (and Everyone).
You don’t have any secrets? No secret nude photos directory? No directory of your plots to take over the universe? No . . . WordPress plugins that scream “I post paid links”?
Well, remember that there are people who like to report paid links to Google’s snitch service. Some may know enough to load your plugin folder by typing http://yourpaidlinkblog.com/wp-content/plugins/ into their browser.
If they do, will they see a list of all your plugins?
What’s bad about letting Google snitches see this list?
Well, if you’ve got the “wrong” kind of plugin, the snitch may report you to Google for taking paid posts! (And the snitch is probably correct about the paid links. After all, why else have you installed AutoPaidLinkInsertion.php? )
Google may or may not spank your Page Rank for this, but your advertisers would probably prefer Google didn’t know you were selling paid ads. (And hey, who knows? If the word gets out, some advertisers may start checking your plugins folder to figure out if Google is likely to know you are a link farm. Hiding this list could mean more money for you.)
So, maybe you’d like to prevent snoops and snitches from seeing that list of files?
Here are two easy ways to do it:
- Upload an index.html file to wp-content/plugins. This will hide the file list in /wp-content/plugins. However, you may need to repeat this when you upgrade WordPress. Also, it won’t hide the listing in any other folders. That may not bother you, unless you are storing something you’d rather keep under wraps.
- Add one or two lines to the .htaccess file. Modifying .htaccess in the root directory can keep snoops from viewing listings in every directory on your site. If you think these snoops don’t exist, read Voyeur Heaven, which I discovered while Stumbling. Obviously, people snoop for many reasons, including industrial espionage, curiosity and a desire to find porn.
How to modify the .htaccess file
Now, connect to your web site using FTP. Find the ‘.htaccess’ file; the ‘dot’ in front is important. Insert these two lines at the end of the file.
#prevent people from viewing directory listings
Options -Indexes
The first line is an optional comment. The second line prevents people from reading the list of all files when they request a directory that doesn’t contain an ‘index.php’ or ‘index.html’ file.
Now, save. Then visit your blog to make sure the blog loads. If it doesn’t, fix the .htaccess file immediately.
You’re done!
From now on, no one can search Google for ‘index.php’ and discover stuff you might not wish them to see. Click to see how well it worked for me: http://money.bigbucksblogger.com/wp-content/plugins/.
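A way to confirm the change took effect on the folders a snoop would try first, as an added example in Python that is not part of the original post. The directory names, the autoindex markers it looks for and the offline sample responses are my assumptions.

```python
# Added example, not from this post: after adding "Options -Indexes", confirm
# that the directories a snoop would try first no longer return an Apache
# directory listing. The fetcher is injectable so the check also runs offline.
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Relative to the blog root; the plugins folder is the one the post worries about.
DIRS_TO_CHECK = ("wp-content/plugins/", "wp-content/uploads/", "wp-includes/")

# Markers of an Apache mod_autoindex page: its <title> and "Parent Directory" link.
_LISTING_MARKERS = (re.compile(r"<title>\s*Index of /", re.I),
                    re.compile(r"Parent Directory", re.I))


def is_directory_listing(status, body):
    """True when a 200 response looks like an autoindex listing."""
    return status == 200 and any(m.search(body) for m in _LISTING_MARKERS)


def http_fetch(url):
    """Default fetcher returning (status, body); a 403 from -Indexes is a result, not an error."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "listing-check"})) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_listings(base_url, fetch=http_fetch, dirs=DIRS_TO_CHECK):
    """Return {directory: 'exposed' or 'hidden'} for each directory under base_url."""
    results = {}
    for d in dirs:
        status, body = fetch(base_url.rstrip("/") + "/" + d)
        results[d] = "exposed" if is_directory_listing(status, body) else "hidden"
    return results


# Constructed responses (not captured from any real site): plugins still listed,
# uploads blocked by -Indexes (403), wp-includes covered by an empty index page.
FAKE_RESPONSES = {
    "wp-content/plugins/": (200, "<html><head><title>Index of /wp-content/plugins</title>"
                                 "</head><body><a href='../'>Parent Directory</a></body></html>"),
    "wp-content/uploads/": (403, "<html><head><title>403 Forbidden</title></head></html>"),
    "wp-includes/": (200, "<html><body></body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch keyed on the path after http://host/."""
    return FAKE_RESPONSES[url.split("/", 3)[3]]
```

Against a live blog call check_listings("http://yourblog.example/") with the default fetcher; anything reported as "exposed" still needs the index.html or the .htaccess fix.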
Tags: google htaccess paid blogging paid links security
Related Posts:
- Ten Google Page Rank Haikus
- Five Ways Google Should Know My Posts Do NOT Contain Paid Links
- Posties Paid $100 to Remove Links
- WordPress Vulnerability: Take a little time to check.