BIG security issue !

01May07

My plugins got hacked, in the same way as myGallery:

http://weblogtoolscollection.com/archives/2007/04/30/please-update-mygallery-plugin/

I have updated all plugins (except NextGEN Gallery, which is safe); please update to the latest version now!

Please check your server log for external access to:

  • wptable-button.php
  • wordtube-button.php
  • myflash-button.php

If you find any, I recommend deleting the file; the TinyMCE button will no longer work, but that is better for the moment.
I am currently analysing what information they have already got from my site. I hope this is not a bigger problem, but over the next few days this page may be offline from time to time…

Sorry for all the problems; I was not aware of this when I programmed the plugins, and I will do my best to make sure this never happens again.

Here are the hacks :

http://www.milw0rm.com/exploits/3825

http://www.milw0rm.com/exploits/3824

http://www.milw0rm.com/exploits/3828
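As an added example (not code from this post), here is a small log check for the "external access" the post asks you to look for: it scans Apache combined log lines for requests to the three button files and sorts them into requests opened from your own post editor, direct outside accesses worth reviewing, and requests carrying a wpPATH parameter (the parameter named in the pingback title further down). The hostname, log lines and function name are constructed.

```php
<?php
// Added example (not code from the post): sort requests to the three TinyMCE button files
// into 'ok' (opened from your own post editor), 'review' (direct outside access) and
// 'exploit' (request carries a wpPATH parameter, the include path the client controls).
$buttonFiles = ['wptable-button.php', 'wordtube-button.php', 'myflash-button.php'];
$siteHost    = 'blog.example';   // assumption: your own hostname

// Constructed sample lines in Apache combined log format, not real traffic.
$logLines = [
    '10.0.0.5 - - [02/May/2007:10:12:01 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php HTTP/1.1" 200 1450 "http://blog.example/wp-admin/post.php" "Mozilla/5.0"',
    '198.51.100.7 - - [02/May/2007:10:13:44 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://203.0.113.9/x HTTP/1.1" 200 300 "-" "libwww-perl/5.805"',
    '203.0.113.22 - - [02/May/2007:10:14:02 +0200] "GET /wp-content/plugins/wptable/wptable-button.php HTTP/1.1" 200 1300 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [02/May/2007:10:15:30 +0200] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

/**
 * Classify one log line. Returns null for lines that do not touch a button file,
 * otherwise ip, file, query, referer and a verdict of 'ok', 'review' or 'exploit'.
 */
function classifyLine(string $line, array $buttonFiles, string $siteHost): ?array
{
    // client ip, method, request target and referer of the combined format; the rest is skipped
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)"/', $line, $m)) {
        return null;
    }
    [, $ip, , $target, $referer] = $m;
    [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
    $file = basename($path);
    if (!in_array($file, $buttonFiles, true)) {
        return null;
    }
    parse_str($query, $params);
    if (isset($params['wpPATH'])) {
        $verdict = 'exploit';   // include path supplied by the client
    } elseif (stripos($referer, 'http://' . $siteHost . '/wp-admin/') === 0) {
        $verdict = 'ok';        // opened from your own editor, as the button is meant to be
    } else {
        $verdict = 'review';    // direct access from outside the editor
    }
    return compact('ip', 'file', 'query', 'referer', 'verdict');
}

foreach ($logLines as $line) {
    if (($hit = classifyLine($line, $buttonFiles, $siteHost)) !== null) {
        printf("%-8s %-14s %s %s\n", $hit['verdict'], $hit['ip'], $hit['file'], $hit['query']);
    }
}
```

Feed it your real access log line by line instead of the constructed array; anything marked 'exploit' means the file was reached with a client-chosen include path and the server should be treated as compromised until proven otherwise.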

30 Responses to “BIG security issue !”


  1. Luis UNITED STATES Posted May 1st, 2007 - 11:31 pm

    Alex,

    Is there anything to do to make NextGen Gallery safer? That is the only one I’m using so far.

    Thanks,

    Luis

  2. alakhnor FRANCE Posted May 1st, 2007 - 11:33 pm

    Thanks for the warning, Alex. So, as I understand it, you just change the way the path goes through the buttons to fix it (i.e., the very top of the PHP)?

  3. alex.rabe GERMANY Posted May 1st, 2007 - 11:38 pm

    I removed the include via the GET variable. I took this idea from another plugin; I never felt it was a good way, but I never supposed that it was a possible backdoor.

    For my new plugin I have already changed it, and I hope and pray that I did it in a better way..

    I’m terribly shocked that this happened…

  4. alakhnor FRANCE Posted May 2nd, 2007 - 12:50 am

    This sounded strange to me when I went through the code. It should have rung a bell. No sweat! It’ll soon be past ;)

  5. daveslocombe UNITED KINGDOM Posted May 2nd, 2007 - 1:23 am

    Our site has been hacked - I believe through wordtube - I started a new thread on this topic. Damn stressful; we just lost our business website and email.

  6. gregg Posted May 2nd, 2007 - 10:49 am

    Our site has also just been hacked through wordtube…

    I am installing a fresh wordpress install now…

  7. serge FRANCE Posted May 2nd, 2007 - 11:03 am

    Hey, I’ve been hacked too.
    I’ve solved the problem:
    in wordtube-button.php
    - remove if $_GET…
    - and put:
    $wppath = preg_replace('`^(.*)(/wp-content/(.*))`', '$1', $_SERVER['SCRIPT_FILENAME']);

    in wordtube.php, lines 313 to 315:
    function wpt_buttonscript() {
        window.open("'.WORDTUBE_URLPATH.'wordtube-button.php", "SelectVideo", "width=440,height=220,scrollbars=no");
    }
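To make the change in Serge's comment concrete, here is an added example (not the plugin's own code) that puts a hypothetical reconstruction of the flawed pattern beside the hardened form, plus a stricter variant that checks the derived directory before anything is included from it. The parameter name wpPATH comes from the pingback title on this page; the function names and paths are assumptions.

```php
<?php
// Added example, not the plugin's own code: reconstruction of the flaw the post and
// Serge's comment describe, beside the hardened form. wpPATH is the parameter name from
// the pingback title on this page; the function names and paths are my own.

// BEFORE (hypothetical reconstruction): the WordPress root used for an include comes
// straight from a request parameter, so any client can point the script at a file of
// its choosing (a remote one if allow_url_include is on).
function wordpress_root_unsafe(array $get, string $default): string
{
    return isset($get['wpPATH']) ? $get['wpPATH'] : $default;
}

// AFTER (the approach in Serge's comment and in version 1.44): derive the root from the
// script's own location on disk. Nothing from the request is used.
function wordpress_root(string $script_filename): ?string
{
    $root = preg_replace('`^(.*)(/wp-content/(.*))`', '$1', $script_filename, -1, $count);
    return $count === 1 ? $root : null;   // null: script does not live under wp-content
}

// Stricter variant for the include itself: resolve the path and confirm it is a real
// directory holding wp-config.php before requiring anything from it.
function wordpress_root_checked(string $script_filename): ?string
{
    $root = wordpress_root($script_filename);
    if ($root === null) {
        return null;
    }
    $real = realpath($root);
    return ($real !== false && is_file($real . '/wp-config.php')) ? $real : null;
}

// Demo with a constructed script path and a constructed request
$script = '/var/www/blog/wp-content/plugins/wordtube/wordtube-button.php';
echo 'unsafe:  ', wordpress_root_unsafe(['wpPATH' => '/anything/the/client/sends'], '/var/www/blog'), "\n";
echo 'safe:    ', wordpress_root($script) ?? '(not under wp-content)', "\n";
echo 'safe:    ', wordpress_root('/srv/standalone/script.php') ?? '(not under wp-content)', "\n";
echo 'checked: ', wordpress_root_checked($script) ?? '(no wp-config.php found)', "\n";
```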

  8. gregg Posted May 3rd, 2007 - 1:41 pm

    Do I need to make this change to the code even if I have updated to the latest version of the plugin…

    My site has had all pages deleted, random empty posts scattered throughout and a few Hacked By messages…

    bastards

  9. alakhnor FRANCE Posted May 3rd, 2007 - 7:38 pm

    Version 1.44 is safe. You shouldn’t need additional code with it. In fact, the change in it is similar to what Serge has given.

  10. raniya UNITED STATES Posted May 4th, 2007 - 1:58 am

    My website got hacked for two days; I have been crying…..my host says I should take the plugin off altogether…I just don’t know what to do.

  11. Bailey UNITED STATES Posted May 7th, 2007 - 10:12 am

    Backup, backup, backup………… people, you can’t be running BUSINESS websites without keeping frequent backups. It’s not your host’s responsibility, it is YOUR responsibility. That’s part of running a website!!!

    Now that said… if the plug-in is crackable… UNINSTALL IT. Really, it is as simple as that. Never hang your hat on a plug-in. Wordpress is your main tool, do your best to “hack around” a solution in the meantime until patches are released by Alex.

    But Alex — DO NOT freak out about this. You have been doing your best here. People accept a certain liability when they install a 3rd-party plug-in… it might be insecure. It might be opening them up to having their site destroyed. This is the risk we undertake. ;) Kudos to you for being concerned about it, but, don’t beat yourself up over it. We users accept the liability when we modify the base Wordpress. Cracks happen. ;)

  12. Ted UNITED STATES Posted May 9th, 2007 - 9:12 pm

    As a web host with a server that got compromised by this, I’d like to say thanks for getting on this so very quickly!

  13. Ruben NETHERLANDS Posted May 16th, 2007 - 12:46 am

    My website also got hacked and my server has been down a few times pretty hard, with a server load that went from 0.5 to 80 in 20 seconds as soon as the server was rebooted. They had full root access on the dedicated server and were misusing it pretty well…

    Please note that disabling the Wordtube plug-in may not be enough; delete the plug-in to make sure they can’t request or find the wordtube-button.php by using the inurl: search on Google.

    Pity I can’t use the plug-in any more; I loved it, and we used it on a nearly daily basis…

  14. Ruben NETHERLANDS Posted May 16th, 2007 - 12:50 am

    Oh and Alex, the payoff of your website is: Learning by doing. I guess the only ones who can be blamed are the idiots that are misusing a mistake made by somebody else. We’re all just learning by doing. My lesson? Keep focused on backing up; I had some luck this time.

  15. SS Posted June 14th, 2007 - 1:01 am

    Found two large files in the wordtube directory but nothing else wrong with the website - as far as I can see. Maybe they got bored by the time they got to me.

    Phew!

  16. Hacked of London Posted July 16th, 2007 - 12:55 pm

    These are really basic XSS attacks. Maybe you should learn to program before you release stuff in future.

  17. alex.rabe GERMANY Posted July 16th, 2007 - 7:02 pm

    See my motto… learning by doing

    You can trust me, this won’t happen a second time :-)

  18. boris GERMANY Posted July 26th, 2007 - 11:19 am

    I experienced the security problem first-hand.. er, first-server, and wanted to say something on the topic.. but I see: the problem is known and solved. Excellent :)

  19. wilsen GERMANY Posted August 23rd, 2007 - 12:19 am

    Hi Alex,

    things like that happen! I appreciate that you acted that quickly and that you look after your plug-in. But “Hacked of London” is right. Because of that I want to recommend this book:

    http://www.amazon.de/PHP-Sicherheit-PHP-MySQL-Webanwendungen-sicher-programmieren/dp/3898644502/ref=cm_taf_title_featured?ie=UTF8&tag=tellafriend-20

    This book really kicks ass! And if you don’t already know it, it will help you to develop more of these wonderful plug-ins for us ;-)

  20. KC UNITED STATES Posted December 22nd, 2007 - 2:47 am

    I’m seeing today in the logs that someone (a botnet?) is guessing that I have this plugin installed (and some others too). I notice that this happens from time to time — they check on whatever wordpress installations they can find and see if someone hasn’t updated.

  21. alex.rabe GERMANY Posted December 22nd, 2007 - 1:57 pm

    This has been ongoing since May; my page also still receives 100-200 attempts each day…

Who's linking?

  1. iSightseeing GERMANY Pingback on May 3rd, 2007
    "[...] as I just learned by email (thanks to Majoran and Alexx), there is a security hole in the WordPress plugin ..."
  2. wordpress plugins wordTube (wpPATH) Remote File Inclusion Vulnerability « Aku Sayang Padamu, Walau Tak harus Memilikimu Pingback on May 3rd, 2007
    "[...] wordTube asks that the wordTube plugin be updated immediately, and also, to neutralise that bug, http://alexrabe.boelinger.com/?p=110; at the same time the vendor proposes ..."
  3. My site got hijacked! at The Norway Diary GERMANY Pingback on May 18th, 2007
    "[...] Luckily nothing was deleted and after some trouble I was able to get my page working again. For those ..."
  4. xTown.net » Hackergeschmeiss » Von CRen » Schadensbegrenzung, Schuldige gefunden, NACHTRAG, Und, Bilder, Sackgesichter, Schuldige, Hacker, Blog-System, Gelegenheit, Ordner, Berechtigungen, Angriffe, myGallery GERMANY Pingback on Jun 28th, 2007
    "[...] but the mistakes that made the attacks possible: programming errors in the plugins Wordtube and myGallery. Anyone who uses these ..."
  5. bpmultimedia » Blog Archive » Attention ! (résolu) Pingback on Jul 14th, 2007
    "[...] Workaround found (update of the plugin to version 1.44 and deletion of one file: see here ..."
  6. Downtime am Wochenende GERMANY Pingback on Jul 26th, 2007
    "[...] Let me put it this way: please make sure that the plugins of your Wordpress installations are up to date. As long as ..."
  7. site got hacked today! GERMANY Pingback on Aug 13th, 2007
    "[...] seems like one file of the wordtube plugin was open to GET exploits. I removed the file now, changed ..."
  8. Fear, WPMU and progress… at alex.rabe GERMANY Pingback on Aug 25th, 2007
    "[...] but this is also a growing risk that hackers and bad guys review the code again and find another ..."
  9. Websenat » Beitrag » Websenat reloaded 2 (UPDATE) GERMANY Pingback on Sep 2nd, 2007
    "[...] used for DoS attacks against a Brazilian server. The affected plugin was WordTube by Alex Rabe. Already at the beginning of May ..."
