Archive for the “Wordpress” Category

A few days ago I started writing a WordPress plugin again, for the first time in a while, for a customer. As I read over on WordPress, you should declare the files as UTF-8, which I would have done anyway. After some initial testing I ran into this problem:

Warning: Cannot modify header information - headers already sent by (output started at /xampp/htdocs/blog/wp-content/plugins/phRelatedLinks.php:1) in /xampp/htdocs/blog/wp-includes/pluggable.php on line 776)

Ah yes, a well-known problem in the WordPress universe and in PHP in general, caused by characters sitting in front of the opening <?php tag. By the time WordPress wants to send the page's HTTP headers, that whitespace or character has already been sent as output, but the headers have to be the very first thing sent, so PHP throws this error.
Unfortunately that wasn't the case for my problem. As I had no clue what else it could be, I searched for a while, and everything I found said it's a problem with leading characters before <?php. Luckily I found this post describing the same problem, which solved it.

While saving my file as UTF-8, SciTE added a Byte Order Mark to the file. It isn't needed at all, as UTF-8 has no big-endian/little-endian difference to signal; nevertheless it is now widely used to tell UTF-8 apart from ISO-8859. So if a file starts with the bytes EF BB BF, it is (most likely) UTF-8 encoded. But as SciTE doesn't display these bytes at all, they can drive you crazy. To write a file without this optional BOM you need to select the encoding "UTF-8 Cookie" in SciTE.

Now the real cause was found, and it wasn't WordPress trying to drive me crazy after all. A look at PHP revealed that PHP isn't able to interpret these bytes as a marker for the UTF-8 encoding that follows, so they are treated like any other characters in front of <?php. The related bug report was closed as won't fix for PHP 5/4; the correct behaviour will be implemented in PHP 6+.

In the meantime I hope that not too many other people run into this problem, and if they do, that they find the solution faster than I did!
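To catch this before WordPress does, here is an added example (my own script, not code from the post, SciTE or WordPress) that inspects the raw bytes of PHP files and reports a UTF-8 BOM or any other bytes in front of the opening <?php tag; the sample bytes at the bottom are constructed.

```python
import os
from typing import Dict, List, Tuple

UTF8_BOM = b"\xef\xbb\xbf"   # the EF BB BF sequence written by a "UTF-8" (not "UTF-8 Cookie") save


def check_php_source(data: bytes) -> Dict[str, object]:
    """Inspect the raw bytes of one PHP file.

    Anything before '<?php' (a BOM, a newline, a space) is sent to the
    browser as output before PHP gets a chance to send headers, which is
    exactly what triggers "headers already sent ... output started at <file>:1".
    """
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    tag = body.find(b"<?php")
    leading = body[:tag] if tag != -1 else b""
    return {
        "bom": has_bom,            # file starts with EF BB BF
        "leading": leading,        # bytes between the BOM (if any) and '<?php'
        "has_open_tag": tag != -1,
        "ok": not has_bom and tag == 0,
    }


def strip_utf8_bom(data: bytes) -> bytes:
    """Return the file content without a leading UTF-8 BOM (safe to call twice)."""
    return data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data


def describe(result: Dict[str, object]) -> str:
    """Human-readable one-liner for a check result."""
    if result["ok"]:
        return "clean"
    parts = []
    if result["bom"]:
        parts.append("UTF-8 BOM (EF BB BF)")
    if result["leading"]:
        parts.append("leading bytes %s" % result["leading"].hex())
    if not result["has_open_tag"]:
        parts.append("no <?php tag")
    return ", ".join(parts)


def scan_plugin_dir(root: str) -> List[Tuple[str, Dict[str, object]]]:
    """Walk a plugin directory and list every .php file that would emit output before '<?php'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = check_php_source(fh.read())
            if not result["ok"]:
                findings.append((path, result))
    return findings


if __name__ == "__main__":
    # Constructed samples: what the editor wrote, versus the intended file.
    bom_file = UTF8_BOM + b"<?php\n/* Plugin Name: phRelatedLinks */\n"
    print(describe(check_php_source(bom_file)))                   # UTF-8 BOM (EF BB BF)
    print(describe(check_php_source(strip_utf8_bom(bom_file))))   # clean
```

Run it as `scan_plugin_dir("/xampp/htdocs/blog/wp-content/plugins")` to list every offending file of an installation.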

Tags: Byte Order Mask, PHP, UTF-8

As you have surely noticed from php-ids.org and BlogSecurity.net already, I have made a new release of WPIDS. This release fixes several usability problems with WordPress, fixes some internal bugs, and WPIDS now ships with HTML Purifier.

At least one minor release is planned before WPIDS reaches v2.0, as some problems were reported for the current version. The upcoming version 2 will be completely rewritten. It will offer more granular option settings than before, give you more information, and come with much better documentation as well.

If anyone is interested in beta testing the latest version, feel free to contact me.

Tags: WPIDS

Problems

I just checked my blog today and what did I notice? First, my template had been reset to the default one; I don't know what caused that, but most likely it has the same cause as this MySQL error:
WordPress Database Error: WordPress isn’t able to create the following temporary SQL file #sql.2076.txt
or something like that was the message. I was surprised and had no clue what the cause was. So I searched my server for tmp folders, and luckily found some. I changed to the /tmp dir, and there was already a #sql file in it. After I deleted the file, everything worked fine again. The issue was most likely caused by the latest server restart: perhaps the server was restarted after the file was created but before it was removed again. At least that would explain it for me, as the file didn't come back even after several visits to my website.

New WP version

Since yesterday a new WordPress version from the latest trunk is available: version 2.3.2 fixes a possible XSS attack and closes several information leaks. One of the biggest (positive) surprises is that WordPress error messages are now only displayed if your blog runs in WP_DEBUG mode, so by default it's no longer so easy to gain information about your database structure in order to perform successful SQL injection attacks on your website.

So anyone who already runs WP 2.3 should upgrade to the latest release to get the best possible protection. Everyone who uses an earlier version should run BlogSecurity's bs-wp-noerrors to get this feature as well.

Download WordPress 2.3.2

Tags: BlogSec, release, Security, Wordpress

Ever received comments you don't understand because they're in a language you can't speak? Ever wondered why someone writes a comment in Russian on a post written in, let's say, English, German, French or whatever? (I'm not talking here about comments on a .de, .fr or .ru blog in the corresponding language, where the owner of the blog speaks that language as well and a commenter could reasonably believe that writing in their native language avoids misunderstandings, because they know that language better.)
What could be the reason for that behaviour? In general they should be able to write some basic text in English, German or French, as they're apparently able to read the post well enough to add their own comment or opinion. So why don't they?

Let's try to get behind the reason. Below I'll show you how I handle comments in languages I don't understand, using an example I received yesterday:

The Comment

So let's take a look at the comment (to avoid contributing to this spammer/hacker, I replaced some data):
1000 форумов 2 доллара 5000 форумов 8 долларов 10000 форумов 13 долларов 50000 форумов 50 долларов
Бонус предложение для тех кто закажет 20000 форумов через неделю повторная отправка
Рефпредложение: человек который приведет мне клиента будет получать 10% от заказа клиенка!!!
Обращаться в асю 3пять3-8шесть7-0ноль1 мыло mymail(гав)example.com

That one made me curious, as quite a few numbers are included and an additional email address is given which doesn't match the one in the email field. Let's check that comment by translating it into our native language or some language we understand.

Translating the Comment

In general I recommend translating it into your native language, as that's the one you usually understand best. On the other hand, the chosen translator may not offer your language (or its dictionary is quite limited), or it may not be possible to translate between these two languages directly.

You should avoid having the text translated more than once before it's in a language you understand, as the general problem with automatic translation is poor sentence structure and word choice. After two or three translation steps you could end up with nonsense text (which wouldn't be any better). The best way is probably to translate it into English and, if you don't understand some English words, have those translated into your native language.

For the example above we would get something like this:
1000 forums 2 dollars of 5000 forums of 8 dollars of 10000 forums of 13 dollars of 50000 forums of 50 dollars the Bonus the offer for those who will order 20000 forums in a week repeated sending Рефпредложение: the person which will result to me the client will receive 10 % from the order клиенка!!! To address in асю 3пять3-8шесть7-0ноль1 soap mymail (гав) example.com
That makes quite a bit more sense now, doesn't it? It seems to be a price list for spamming forums, and we even see that we get 10% of the profit from something!

Translate unknown words

Now we know quite surely that this is a spam comment, but as you can see we still have some untranslated words, like клиенка (these can sometimes be important), so let's have them translated as well. Don't we want to know how to receive our 10%?

If you're using a good translator, you should have the option to have unknown words transliterated into the target language. For our клиенка we would get something like: klienka, which sounds like client. Let's guess that we receive 10% of the money the client pays for his contract.

Deciding: drop or keep?

Now you should have enough information to decide whether it's a spam comment or a legitimate one. If it's spammy, the decision shouldn't be hard; if it's a legitimate comment, I advise keeping the original comment and adding the translation below it. If you like, you can also improve the comment, but note explicitly where you made changes!

Some good online Translators

Where can I get my text translated into another language?
Just search for "translate/translation from-language to-language" and you should find useful results. A good translator is PROMT, which lets you translate whole texts (no word-for-word translation) between several languages; another is Babelfish. If you need individual words translated into your language, search for a dictionary for the given languages.

Conclusion

As you see, it's better to check comments in other languages for spam as well (these will often pass the spam filter). If you can't get the comment translated, it's mostly better to hold the comment back or to drop it. From my point of view it's better to have one or two legitimate comments fewer than to have one spammy one.

Tags: approve, Comment, Language, SPAM

As there's currently some discussion going on about whether WP 2.3 should send your plain URL to WP.org (while checking for newer versions of the plugins you use) or not,
I would like to mention one alternative, and at the same time cover some of its shortcomings as well.

WP-Plugins DB

The WordPress Plugins DB is quite new, but already a big resource for plugin versions. It's created and managed by Sugan Shan. You need to install an additional plugin from the website in order to use it; you can grab your copy here. After you have activated that plugin, you can have your plugin versions checked for the latest release by visiting the plugin admin page.

Now we already reach one currently big problem of that project. It's managed entirely by Sugan, so if he doesn't have enough time to update the plugin versions, you may think you're running the latest version while you aren't. It doesn't even need to be a lack of time; he may simply not know about a newer version of a given plugin. You can also create your own developer account on that website, but it doesn't offer the features WP.org or WP-Plugins.org do.
But this doesn't have to mean anything, as the project is quite new and many exciting features may come with time.

WP 2.3 Built-in

As mentioned above, WP Plugins DB lacks some of the features WP.org offers to plugin developers. Maybe it's not intended to be anything like WP.org or WP-Plugins. So you can't keep track of your plugin downloads and you're not able to compare them with your competitors. But the plugin doesn't send anything home except your plugins' names and versions, and mostly that data isn't even stored, whereas WP.org also stores your URL, in plain text. That may be the biggest pro for that plugin. Matt doesn't even know what this URL data could be useful for, so why not add that step later, if it ever turns out to be needed (or at least useful)?

How to get rid of it

So if you don't want your blog URL stored on WP.org and don't want to use that function at all, you can disable it by making a small change to one WP core file. The file you need to edit is wp-admin/includes/update.php.
After you have opened the file, move to this line of code (line 43 in that version):

function wp_update_plugins()

Now add this line directly after it:

return false;

Save the file. Now your blog doesn't use the WP update checker any more (as long as you re-apply the change to every newer version of that file).

If you only want to prevent it from submitting your real blog URL, change this line (line 85) in the same file:
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
to something like:
$http_request .= 'User-Agent: WordPress/' . $wp_version . "; http://example.com\r\n";
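Because both edits are lost with every WordPress upgrade, here is an added example (my own script, not code from WordPress or from the post) that checks a copy of wp-admin/includes/update.php for the two edits described above and can re-apply them; the embedded PHP excerpt is a constructed stand-in for the relevant lines, not the real file's contents.

```python
import re
from typing import Dict

# Constructed stand-in for the relevant lines of wp-admin/includes/update.php
# in the unmodified state. It is NOT the real file, only the shape the edits target.
SAMPLE_UPDATE_PHP = """<?php
function wp_update_plugins() {
    global $wp_version;
    $http_request = '';
    $http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\\r\\n";
}
"""

FUNC_HEADER = re.compile(r"function\s+wp_update_plugins\s*\(\s*\)\s*\{[ \t]*\n")
# Captures the first statement inside wp_update_plugins(), one-line statements only.
FIRST_STATEMENT = re.compile(r"function\s+wp_update_plugins\s*\(\s*\)\s*\{\s*([^\n;]*;)")
# The tail of the original User-Agent line that leaks the blog URL.
UA_LEAK = "'; ' . get_bloginfo('url') . \"\\r\\n\";"


def audit_update_php(source: str) -> Dict[str, bool]:
    """Report whether the two edits from the post are present in `source`."""
    m = FIRST_STATEMENT.search(source)
    disabled = bool(m) and m.group(1).strip() == "return false;"
    ua_lines = [ln for ln in source.splitlines() if "User-Agent: WordPress/" in ln]
    leaks_url = any("get_bloginfo(" in ln for ln in ua_lines)
    return {
        "update_check_disabled": disabled,   # 'return false;' is the first statement
        "user_agent_leaks_url": leaks_url,   # blog URL still goes into the User-Agent header
        "ua_line_found": bool(ua_lines),     # False means the file layout changed; inspect by hand
    }


def apply_edits(source: str, placeholder_url: str = "http://example.com") -> str:
    """Re-apply both edits (safe to run twice): short-circuit the function and
    replace get_bloginfo('url') in the User-Agent line with a fixed URL."""
    out = source
    if not audit_update_php(out)["update_check_disabled"]:
        out = FUNC_HEADER.sub(lambda m: m.group(0) + "    return false;\n", out, count=1)
    out = out.replace(UA_LEAK, '"; %s\\r\\n";' % placeholder_url)
    return out


if __name__ == "__main__":
    import sys
    # Pass the path of your own update.php to audit it; the sample is used otherwise.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path, encoding="utf-8").read() if path else SAMPLE_UPDATE_PHP
    print(audit_update_php(src))
```

Running the audit after each upgrade tells you at a glance whether the edits survived, so you don't silently start phoning home again.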

Why WP suffers too

Anyway, the WP.org plugin repository isn't anywhere near a complete snapshot of all WP plugins out there, as only plugins released under a GPL-compatible license get added.

And even that isn't a guarantee of being added.
So you may be better off using the WP-Plugins Tracker than the built-in WP function.

Conclusion

So as you see, there's currently no perfect solution available which fully covers every area. But from my point of view the WP-Plugins DB is the better way, as everything can be added regardless of the license it's published under or whether there's a commercial Pro version of it. And why should security checking stop at borders like license or money?
As the Plugins DB isn't perfect in its current state, we may need to use both in order to keep track of our plugins and security.

Update: I just found these plugins which disable the core update and plugin update functions.

Tags: Auto Update, Phone Home, Plugins, Security, Wordpress

Cross Site Scripting is currently written about a lot. It's no wonder, as every day new web services appear to catch some of the fame and traffic of web 2.0. Often they push the product out of the pipe as soon as possible, and security is secondary at that moment (if they care about it at all). After the release of the product, the motivation to hunt XSS flaws is minimal (I know this myself from bug hunting). And when you send them an email about it, it seems from time to time that they don't even care when they get notified about an XSS flaw (see http://milw0rm.com for what I mean).

What are XSS flaws

As enough has already been written about XSS flaws, I'll keep this short. An XSS flaw occurs if a PHP script (or one in some other scripting language) uses user input without further checking, or if the checking is only done client-side through JavaScript or similar, and this submitted code is then output to users again. The injected JavaScript can then read out cookies and send them to an attacker.

Persistent and Non-Persistent XSS

Tags: Cross Site Scripting, Vulnerable code, XSS

Some of you may have noticed that I joined the team of BlogSecurity (BS). I found that site just after its release, and I was lucky to have discovered David Kierznowski's website before (which led me to BlogSecurity). My first contribution was just giving my opinion about the topics covered at BS, as well as submitting new flaws found in WordPress. David asked me if I would like to join his team and I agreed, as I have always been interested in the security area. After some discussion about what we can do, I started working on the first plugin for BS.
The aim of the WP Prefix Table Changer is to change your WordPress table prefix from wp_ to something different, which should be as random as possible, to hinder attackers' SQL injection attempts as they don't know your table names. Or at least you improve your security, as no 100% guarantee can be given. The tool automatically changes your table prefixes to the new value you provide, as well as some hardcoded values within the tables. If possible, the wp-config.php file is updated as well; if that's not possible, you get all the information needed to change it manually.
With that tool it's quite easy to improve your security, and to keep it at least in this area quite secure: if something ever causes a wp-database error and you saw it or were notified, you can change the prefix in the same step as you fix the cause of the problem.
If you like the plugin, let us know. Also comment if you dislike something or want something added.

PS: Add BlogSecurity to your favourite websites, as we have just started improving WP community security! The next plugin is coming soon!

Tags: BlogSecurity, Security, SQL Injection, Table Prefix, Wordpress

As I just read over at BlogSecurity.com, it seems that many users who host their blog independently of wordpress.com don't really care about keeping it up to date, and therefore secure. Of the 50 blogs scanned, around 46 were vulnerable; some run versions that are a year old and older. Some may now claim that just 50 blogs can't represent around 2-3 million WP blogs, and they may even be right. But even if there are just 300 of them running really old, vulnerable versions, that's 300 too many. And I can tell you from my experience updating other blogs that there are quite a lot of them out there.

The Advantage

I will name just one advantage of updating your old 1.5 blog to the current version 2.2: you can use Akismet! I once had an old 1.5 blog where the owner had even stopped using it, as there were around 60k spam posts and just 4 legitimate ones. With Akismet you need just one click to flush all spam away. I had to work with phpMyAdmin to get rid of all the spam without deleting a new legitimate comment that might be hidden among the spam comments. With Akismet this doesn't happen again!

And there are so many other advantages to profit from; who still develops plugins for WP 1.5?

It’s Easy!

Most of the time it's as easy as 1, 2, 3 to update your blog. You make a backup of all your WP files and tables, delete all WP files, upload the new files, and the last step is to run the update script; then your blog is running the latest version. It costs you just 5 minutes. And how often does it happen that something breaks with a newer WP version? I would say it's worth spending some time to keep your blog updated.

You’re no NERD?

It may well be that you're not too much into PHP, Apache and so forth. For all of you I'll offer my help! You want to upgrade your blog but don't know how to do it? No problem, contact me and I'll take a look at where I can help you.
The service will be free (adapting templates to newer versions is not included), but if you like you can make a small donation; details are handled as soon as the work is done or is about to start.

Tags: Update, Vulnerable, Wordpress

The team around BlogSecurity plans to launch something like an award or recognition system for blogs, themes and/or plugins which are secure. In my eyes this seems to be a really good idea. If this were widely adopted, you could go out and look for plugins or themes which are secure, and prefer them over unproven and even insecure ones. Who of us wants their blog broken into? It would take so much work to regain access and redo everything (depending on what the attacker did).

In the current step they're first collecting opinions as well as ideas you have on it. I would have my components approved, to guarantee you that they're secure and you can use them without any strange feeling in your stomach. As these plugins don't only interact with WordPress but also with phpBB and Joomla, it seems even more important to show security.

At the current stage of this idea, nothing big has been done yet. So there's currently no information available on whether it will cost something and how it will be done, but if the WordPress community shows real desire for such a service it will come, and we'll soon see more detailed information on this theme. So watch this blog!

Tags: Award, Plugin, Security, Theme, Wordpress

Normal CAPTCHAs just protect you from spam, and some of the easier ones can already be read by bots or are breakable without even using OCR technology, so they don't protect you any more. Every day, Internet users solve 60 million CAPTCHAs, which adds up to a total of 150 thousand hours a day.
And as there's a current trend on the Internet to share work to get it done faster, it was just a question of time until someone invented a CAPTCHA which not only protects you from spam but also puts this time to good use.

Tags: CAPTCHA, ReCAPTCHA, SPAM