WordPress 'Concern' (title edited)

48 replies
Hey, this is just a quick post about something I just found in WordPress. I'm not sure how long this has been available, 'cause I basically never thought about trying something like this until today.

I won't get into that, though.

The Danger/Concern is...
There's this file located in your /wp-includes/ folder that's called registration.php.

It essentially allows you to insert users into your WP user table on the fly. Thing is, it doesn't ask for any type of authentication!!

That means that anybody who knows about this file and a little bit of PHP can basically insert users into your WP database. This is bad.

I'm not gonna get into all that could happen; just FIX the possibility of someone hacking you by doing the following (this is just off the top of my head and I have NOT tested this, so I'm not sure if it will affect anything else -- but I don't think it will, because it seems that this file was put in place specifically for the purpose of inserting users outside of the normal channel).

That being understood...
Simply rename that file to something only you know. <-- NOT the answer

EDIT: I'm still looking for a solution that would be easy to implement. "I" could easily just add an IF statement that looked for a secret key, but that wouldn't be very easy for non-coders. So, I'll keep looking.

I did some frantic searching and didn't find anybody yelling about it or complaining. The WP Codex talks about it rather gingerly, like it's no big deal. I did find quite a few sites in Russian (I think) talking about it... I'm not prejudiced but... <ahem>... not sure what they were talking about since I don't read Russian.

Do this NOW if you're wanting to protect your WP site(s) from being hacked.

One thing that could happen is someone adding themselves to your WP user database as an Admin and wreaking havoc on your blog. That would suck!

OK.. I warned ya. Hope you take heed.

IF someone with more WP expertise than me has something more elegant OR knows for a FACT that this cannot hurt our blogs, PLEASE speak up.

Thanks.
HTH
PLP,
tecHead

Edited for those coming behind us reading this thread.
#danger #robinson #wordpress
  • tbsweet52:
    Since ALL of my websites/blogs are WP, I'm interested in an answer as well.

    You think it's that easy to get hacked?
  • ~kev~:
    Just disable new members in your admin control panel.

    Control panel - left column - General Settings - Membership - "Anyone can register" - uncheck that box and click Save Changes.
    • tecHead:
      Originally Posted by ~kev~:

      just disable new members in your admin control panel
      Checked that before posting this... it still works.
      • ~kev~:
        Originally Posted by tecHead:

        Checked that before posting this.. it still works.
        What is the default group of the new members?
        • tecHead:
          Originally Posted by ~kev~:

          What is the default group of the new members?
          I disabled registration altogether and then tested the script I wrote, which calls registration.php; I was still able to add a user.

          There are two functions in the script...
          wp_insert_user
          wp_create_user

          wp_insert_user allows for the full array of user data, including role. This is why I say this script is dangerous.

          PLP,
          tecHead
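The script tecHead describes above, written out as an added example (this is not his script and not WordPress's own code). It shows why the thread's two camps are both partly right: `wp_insert_user()` is a plain library function with no session check of its own, and the "Anyone can register" setting only governs `wp-login.php?action=register`, so a script like this does create an administrator; but it only runs at all if it is already on the server next to `wp-load.php`. The file name `add-user.php`, the constant `ADD_USER_SECRET` and the environment variable `WP_ADD_USER_SECRET` are assumptions. The "secret matched against an IF statement" idea from later in the thread is included as the guarded variant.

```php
<?php
// Added example, not tecHead's script and not WordPress code.
// Hypothetical file name: add-user.php. It has to live on the same server as
// the WordPress install: loading wp-load.php is what makes wp_insert_user()
// (in wp-includes/registration.php in 2010-era releases, wp-includes/user.php
// later) callable against the site's own database.
require_once __DIR__ . '/wp-load.php';   // assumes the file sits in the WP root

// 1. The unguarded form the thread is worried about. Nothing here checks a
//    session or the "Anyone can register" option: anyone who can make the
//    web server execute this file gets an administrator account.
function add_admin_unguarded(string $login, string $email, string $password)
{
    return wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,      // wp_insert_user() hashes this itself
        'role'       => 'administrator',
    ]);
}

// 2. The guarded form. The shared secret is compared with hash_equals() so
//    timing does not leak how many bytes matched, and the function refuses
//    to run under any web SAPI, so a copy left in the document root cannot be
//    triggered by a browser request. Returns a user ID or a WP_Error.
const ADD_USER_SECRET = 'replace-with-32-plus-random-characters'; // assumption

function add_admin_guarded(string $login, string $email, string $password, string $presented)
{
    if (PHP_SAPI !== 'cli') {
        return new WP_Error('forbidden', 'Command-line use only.');
    }
    if (!hash_equals(ADD_USER_SECRET, $presented)) {
        return new WP_Error('forbidden', 'Bad secret.');
    }
    if (!is_email($email)) {
        return new WP_Error('invalid', 'Malformed e-mail address.');
    }
    if (username_exists($login) || email_exists($email)) {
        return new WP_Error('exists', 'That login or e-mail is already taken.');
    }
    return wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ]);
}

// Usage: WP_ADD_USER_SECRET=<secret> php add-user.php <login> <email>
// The password is read from stdin so it never appears in argv or shell history.
if (PHP_SAPI === 'cli') {
    if ($argc !== 3) {
        fwrite(STDERR, "usage: WP_ADD_USER_SECRET=<secret> php add-user.php <login> <email>\n");
        exit(2);
    }
    fwrite(STDERR, "Password: ");
    $password = rtrim((string) fgets(STDIN), "\r\n");
    $result   = add_admin_guarded($argv[1], $argv[2], $password, (string) getenv('WP_ADD_USER_SECRET'));
    if (is_wp_error($result)) {
        fwrite(STDERR, $result->get_error_message() . "\n");
        exit(1);
    }
    echo "Created administrator with user ID {$result}\n";
}
```

The guarded variant is defence in depth, not a fix for a WordPress hole: if an attacker can already write PHP into the web root, they can write their own copy without the `if`. Keep the script outside the document root, run it once, and delete it.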
          • CDarklock:
            Originally Posted by tecHead:

            I disabled registration all together and then tested the script I wrote
            It rather involved being on the other side of this airtight hatchway: Executable corruption - The Old New Thing - Site Home - MSDN Blogs
              • CDarklock:
                Originally Posted by tecHead:

                huh?! :confused:
                You are adding a new user to your WordPress install by logging into your server and uploading a PHP script, right?

                Why do you need a user on the WordPress install?

                You have file write access to the server!
                • tecHead:
                  Originally Posted by CDarklock:

                  You are adding a new user to your WordPress install by logging into your server and uploading a PHP script, right?

                  Why do you need a user on the WordPress install?

                  You have file write access to the server!
                  lol, cute

                  If you must know... I'm integrating two scripts together and wanted to create the user externally (first) for script #1 and then plug the user data into a plugin, because I wanted the custom functionality that this integration allows me.

                  That's why.
                  • CDarklock:
                    Originally Posted by tecHead:

                    lol, cute
                    You don't seem to be getting it.

                    Imagine that you are mister evil hacker and you want an account on someone's WordPress blog. Your process works like this.

                    1. Log onto the server hosting the blog as an administrator.

                    2. Upload a script to add the user to this blog.

                    3. Open that script in your browser. Hey presto! You have a user!

                    But wait... what was that step 1 again?

                    Here's another of Raymond's ongoing series about security holes that are not security holes. Maybe this one will click with you.

                    It rather involved being on the other side of this airtight hatchway: Elevation to administrator - The Old New Thing - Site Home - MSDN Blogs
  • sanssecret:
    Originally Posted by tecHead:

    One thing that could happen is someone adding themselves to your WP user database as an Admin and wreaking havoc on your blog. That would suck!
    I had someone hack into one of my blogs a while back. Not sure if this is how they got in or not. But when I went to log in, my password didn't work. When I clicked to have the password emailed, it didn't turn up...

    I ended up having to go in via the cPanel, and into the database thingy (yes, it's a thingy to me, so you can imagine how scary it was). Lo and behold, the admin name and password had been changed!

    Managed to sort it out and to this day I have no idea how they got in. I was using an auto poster plugin at the time so just disabled that and (touch wood) it hasn't happened again.

    Will wait to see if anyone confirms it's ok to rename this file before I go ahead, but sure hope someone answers soon. I really don't want to go through that again.
  • tecHead:
    Here's the WP codex reference to wp_create_user
    Function Reference/wp create user WordPress Codex

    Here's the WP codex reference to wp_insert_user
    Function Reference/wp insert user WordPress Codex

    Here's a post in the WP codex-forum that's interesting...
    WordPress › Support wp_create_user() calling from an external script
  • ~kev~:
    Here is my WordPress blog - survivalboards.com

    Add a new user
  • tecHead:
    OK... after further testing, renaming the file is NOT the answer. Seems the file is called in the Admin section.

    I'll keep searching.

    @~kev~... just read the codex, bro. I'm not attempting to yell wolf here. Test it yourself.
  • tecHead:
    On a final note (and I'm gonna go eat now, since I'm only seeing challenges instead of help): I really can't see Automattic leaving a gaping hole in the code.

    Yet, the lack of documentation scares me; they've been known to have bugs (major ones) before.

    I'm also extending an open call to all those Warriors who are more adept in WP than I to come forward with some type of reassurance ('cause I can admit that I could be wrong)... it's just that the only thing I see right now is a big fat exploit waiting for an overzealous hacker to have fun with... <shrug>
    • CDarklock:
      Originally Posted by tecHead:

      I'm also extending an open call to all those Warriors who are more adept in WP than I to come forward with some type of reassurance
      Okay, here.

      This is not even remotely a security issue.

      In fact, even asking whether it is a security issue is evidence of some seriously sloppy thinking.
      • SEOTranslator:
        Originally Posted by CDarklock:

        Okay, here.

        This is not even remotely a security issue.

        In fact, even asking whether it is a security issue is evidence of some seriously sloppy thinking.
        Fully agree. There is also evidence of serious lack of programming know-how.
        • CDarklock:
          Originally Posted by SEOTranslator:

          Fully agree. There is also evidence of serious lack of programming know-how.
          Not exactly. TecHead is working diligently on a project, and that's consumed so much of his thinking that he's not really considering the stuff he's saying.

          I know the guy. He gets like this. His brain is so occupied with the task at hand, it's just not working so well on anything else... I mean, look at his initial advice to rename the file.

          Once he's recovered from head-down mode on this script integration, he'll look back at this thread and go "WTF was I thinking?"
          • tecHead:
            Originally Posted by CDarklock:

            Not exactly. TecHead is working diligently on a project, and that's consumed so much of his thinking that he's not really considering the stuff he's saying.

            I know the guy. He gets like this. His brain is so occupied with the task at hand, it's just not working so well on anything else... I mean, look at his initial advice to rename the file.

            Once he's recovered from head-down mode on this script integration, he'll look back at this thread and go "WTF was I thinking?"
            Already said renaming the file is NOT the answer... wow, critics lol
            • Sandra Martinez:
              OK... my programming skills are limited, so take it as it comes...

              Checked out the file and it has, on my server, 644 permissions.

              So it cannot be executed or written by anyone except the owner of the script.

              Now, how can you execute the file if you are not logged in via FTP?

              And... if a hacker is able to log in via FTP, that file is really not your biggest problem, is it?

              Sandra
              • Joe Giannetti:
                Thanks to this post EVERYONE knows about this vulnerability. Even HACKERS!

                Good Job!
                • tecHead:
                  Originally Posted by DeAndre Moore:

                  So, I'm guessing that this isn't something that we should be worried about?

                  Well, according to the other two PHP authorities in this thread, it's impossible to exploit without Admin privileges. So.... <shrug>
                  • SEOTranslator:
                    Originally Posted by tecHead:

                    Well, according to the other two PHP authorities in this thread, it's impossible to exploit without Admin privileges. So.... <shrug>
                    It is perfectly possible if somebody has left his files unprotected and his directories write-enabled. Which I've seen more than once. But if that door is closed... no way.
                  • CDarklock:
                    Originally Posted by tecHead:

                    Well, according to the other two PHP authorities in this thread, it's impossible to exploit without Admin privileges.
                    That is not what we said.

                    What we said is that the method you have found requires admin privileges.

                    Anyone who knows a significant amount about security knows that nothing is "impossible" to exploit. The best we can hope for is something that nobody knows how to exploit.

                    So far, nobody knows how to exploit this, and that's got to be good enough - because it doesn't get any better.
                • Originally Posted by DeAndre Moore:

                  So, I'm guessing that this isn't something that we should be worried about?

                  No, it's nothing to worry about.
              • tecHead:
                Originally Posted by Sandra Martinez:

                OK... my programming skills are limited, so take it as it comes...

                Checked out the file and it has, on my server, 644 permissions.

                So it cannot be executed or written by anyone except the owner of the script.

                Now, how can you execute the file if you are not logged in via FTP?

                And... if a hacker is able to log in via FTP, that file is really not your biggest problem, is it?

                Sandra
                Hi Sandra,

                My concern started when I read this post (well, actually after I tested it myself -- and I didn't need to seed the script with any type of authentication)...

                WordPress › Support wp_create_user() calling from an external script

                (@Joe Giannetti - which was posted over 5 months ago...)

                The script listed "calls" the registration.php file; (and its functions).
                • SEOTranslator:
                  Originally Posted by tecHead:

                  jeeezus... you're just as bad as CDarklock... you two talk to people like that in real life?? No, seriously... anyway...

                  I've never proclaimed to be a PHP programmer... as a matter of fact, I HATE PHP (which is why I have a PHP development team -- they're asleep right now)... so, here's me reading beyond your nasty tone and saying... hmm... OK... if you say so... but I still don't feel safe DUE to what I've seen other (pretty nasty programmers) do.
                  Thanks for comparing me with CDarklock, I'm flattered!

                  Well, I happen to have a degree in Computer Sciences, so I do know a little bit about how computers work.

                  I insist... remote function calls from a different server will NOT work, unless you have given write access to your directories so as to previously inject some code.

                  You can actually have remote calls with WP, to post blogs remotely (a feature that is deactivated by default), but only through a specific API and passing all the necessary parameters. There are also additional APIs such as XML-RPC that can be used, but first you need to install them as a plugin.

                  But APIs restrict the functions you can use. It's like a bank: you have to ring a bell to enter, and inside there are only certain things you can do. You can't simply go into the vault and take the money.

                  You can't simply call any function on a PHP script on a different server and expect it to work and trash that server. It's like a bank with all doors open, no guards and the safe wide open. Which is what you do if you allow writing to your directories. But a remote procedure call (RPC) to a function outside the API to update the database without some kind of code injection? No way, pal...

                  Originally Posted by tecHead:

                  Hi Sandra,

                  My concern started when I read this post (well, actually after I tested it myself -- and I didn't need to seed the script with any type of authentication)...

                  WordPress › Support wp_create_user() calling from an external script

                  (@Joe Giannetti - which was posted over 5 months ago...)

                  The script listed "calls" the registration.php file (and its functions).
                  Yes, but if you read the code it is evident that it is an external script running on your OWN server! And nobody has indicated yet how to inject that script onto the server!

                  Originally Posted by Joe Giannetti:

                  Thanks to this post EVERYONE knows about this vulnerability. Even HACKERS!
                  Good Job!
                  WHAT vulnerability? Sorry, but until he can create a POC or show that he can create a user on somebody else's blog, we can't talk about a vulnerability. I happen to know a little bit about this (a degree in Computer Sciences helps), and so far I've not seen anything on this thread that makes me believe there is such a vulnerability.
                  • tecHead:
                    Originally Posted by SEOTranslator:

                    Thanks for comparing me with CDarklock, I'm flattered!
                    Hey, I call 'em like I see 'em pal

                    Originally Posted by SEOTranslator:

                    Well, I happen to have a degree in Computer Sciences, so I do know a little bit about how computers work.

                    I insist... remote function calls from a different server will NOT work, unless you have given write access to your directories so as to previously inject some code.

                    You can actually have remote calls with WP, to post blogs remotely (a feature that is deactivated by default), but only through a specific API and passing all the necessary parameters. There are also additional APIs such as XML-RPC that can be used, but first you need to install them as a plugin.

                    But APIs restrict the functions you can use. It's like a bank: you have to ring a bell to enter, and inside there are only certain things you can do. You can't simply go into the vault and take the money.

                    You can't simply call any function on a PHP script on a different server and expect it to work and trash that server. It's like a bank with all doors open, no guards and the safe wide open. Which is what you do if you allow writing to your directories. But a remote procedure call (RPC) to a function outside the API to update the database without some kind of code injection? No way, pal...
                    Now, an explanation that respects me as an adult is much more acceptable than the original one you attempted... but, water under the bridge.

                    I basically started to relax more after your first explanation of remote calls to the script... then Sandra speaking on the 644... all of which made me say, "OK, OK... calm down"...

                    I'm still going to (for my own sanity) pop a seed that has to be matched against an IF statement before MY script calls registration.php.

                    I'll just sleep better knowing it's locked, regardless of proposed impossibilities.

                    Thanks,
                    tecHead
                    • SEOTranslator:
                      Originally Posted by tecHead:

                      I basically started to relax more after your first explanation of remote calls to the script... then Sandra speaking on the 644... all of which made me say, "OK, OK... calm down"...

                      I'm still going to (for my own sanity) pop a seed that has to be matched against an IF statement before MY script calls registration.php.
                      Yeah, I know how one can panic on occasion; it has happened to me before, especially when I was developing airborne software 20 years ago and an aircraft crashed... luckily my code had worked perfectly, and it wasn't the software after all, as we eventually found out. But for a couple of days I was really... you can imagine how, even though there were no victims.

                      But it's better to be paranoid than too trusting. Add your code by all means, just make sure that it doesn't open a hole where there is none.
        • tecHead:
          Originally Posted by SEOTranslator:

          Excuse me? How the hell are you testing this? On your own server, with all the privileges and the same namespace?

          The PHP file you mention is a set of functions - you simply can't call those functions from an external server without the local variables that are stored on your server. Those are different namespaces! Even assuming that you could call those functions remotely, the results would execute on the calling server. To execute it on your server, you would first need to inject additional code, so as to execute it with local privileges, and I would expect that your local directories are write-protected, aren't they?

          ~kev~ has offered you to test it on his site - now try it! But it won't work...
          Originally Posted by SEOTranslator:

          Fully agree. There is also evidence of serious lack of programming know-how.
          jeeezus... you're just as bad as CDarklock... you two talk to people like that in real life?? No, seriously... anyway...

          I've never proclaimed to be a PHP programmer... as a matter of fact, I HATE PHP (which is why I have a PHP development team -- they're asleep right now)... so, here's me reading beyond your nasty tone and saying... hmm... OK... if you say so... but I still don't feel safe DUE to what I've seen other (pretty nasty programmers) do.

          I'm glad it wouldn't be an 'easy' thing to do, via PHP.

          Try practicing some communication skill sets, huh?

          Thanks
      • tecHead:
        Originally Posted by CDarklock:

        You don't seem to be getting it.

        Imagine that you are mister evil hacker and you want an account on someone's WordPress blog. Your process works like this.

        1. Log onto the server hosting the blog as an administrator.

        2. Upload a script to add the user to this blog.

        3. Open that script in your browser. Hey presto! You have a user!

        But wait... what was that step 1 again?

        Here's another of Raymond's ongoing series about security holes that are not security holes. Maybe this one will click with you.

        It rather involved being on the other side of this airtight hatchway: Elevation to administrator - The Old New Thing - Site Home - MSDN Blogs
        Originally Posted by CDarklock:

        Okay, here.

        This is not even remotely a security issue.

        In fact, even asking whether it is a security issue is evidence of some seriously sloppy thinking.
        CDarklock, I'm not going to argue this with you... but I do have to respond to your insulting my intelligence... did you even READ the docs referenced above?

        And as a matter of fact, I tested the script I'm talking about (that yes, "I" wrote) NOT logged in.

        You're trying to suggest that it's impossible for a well-versed hacker to traverse a server environment that he/she may be familiar with and/or a host that isn't exactly protecting their clients with the utmost in security (oh, of course those types of hosts don't exist).

        Yet, if that were the case there wouldn't be those that "find" people's download pages... "find" CC databases... "find" all kinds of data that pompous big heads THINK they can't/won't find because they don't have admin access. OH, wait... those guys are magical fairies, right?

        <shaking my head>

        All you're doing is puffing hot air, as usual, without any substance. SHOW ME where it says that this is DEFINITELY NOT a "possible"... (read up and see where I "originally" said "possible")... vulnerability that COULD be exploited and I'll thank you.

        The current approach you're taking is pretty tacky... but maybe you don't care. <shrug>

        Peace,
        tecHead
        • CDarklock:
          Originally Posted by tecHead:

          All you're doing is puffing hot air, as usual without any substance
          There's not much of substance that can be said here. Your report and the subsequent demands for "help" border on the surreal. I simply despair of ever successfully explaining to someone that "I can run programs" is not a security problem.
          Signature
          "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
  • SEOTranslator
    Excuse me? How the hell are you testing this? On your own server, with all the privileges and the same name space?

    The PHP file you mention is a set of functions - you simply can't call those functions from an external server without the local variables that are stored on your server. Those are different namespaces! Even assuming that you could call those functions remotely, the results would execute on the calling server. To execute it on your server, you would first need to inject additional code, so as to execute it with local privileges, and I would expect that your local directories are write-protected, aren't they?

    ~key~ has offered to let you test it on his site - now try it! But it won't work...
    Signature
    Website localization and multilingual SEO
    Making your translated sites friendly for humans and machines alike.
  • Jacob Martus
    Ok. Question for you guys.

    What permissions should my directories and files be set to?

    Disclaimer: No Programming knowledge whatsoever.
    • tecHead
      Originally Posted by Jacob Martus View Post

      Ok. Question for you guys.

      What permissions should my directories and files be set to?

      Disclaimer: No Programming knowledge whatsoever.
      Folders = 755
      Files = 644

      At least... yet, WP/Automattic themselves send mixed messages, as the only way to take advantage of their built-in automation of updates of WP core files and/or plugins is to set /wp-content/uploads ... /wp-content/updates/ ... to 777 (writable by anyone)... some plugins even want to write to the /wp-content/ directory...

      Stick with 755 & 644 to be safe; IMHO

      You can FTP updates
    • Originally Posted by Jacob Martus View Post

      Ok. Question for you guys.

      What permissions should my directories and files be set to?

      Disclaimer: No Programming knowledge whatsoever.
      Hi Jacob,

      Generally speaking you want to turn off write permissions for 'global' users. It prevents 'guests' from (easily) re-writing files on your system. (Thing is, with how security is nowadays and the fact that those security settings, i.e., via chmod, etc., were kind of "pre"-PHP, they are not really that effective nowadays for any PHP-based system. (PHP can easily circumvent standard settings for most standard configurations.))

      But to be on the safe side, as a rule of thumb, just make sure write permissions for global users are turned off.
      Signature
      Pick a product. Pick ANY product! -> 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
  • SEOTranslator
    Originally Posted by tecHead View Post

    Folders = 755
    Files = 644

    ...

    Stick with 755 & 644 to be safe; IMHO
    Er... 755 includes the "execute". So it should usually be Folders=644 and Files=755. (Though no harm is done if a folder is 755, you can't execute that).

    But you're right, he should stick to 644 & 755. If there is a very special script that you don't want anybody except the owner to run, make it 744. (But make sure it works like that!)

    If you have cPanel, you can enter the file explorer and change the properties of folders and files.
  • Jesus Perez
    Pure FYI.

    HostGator works perfectly with 755 permissions and WordPress automatic updates. In fact, HostGator throws errors if any folder is 777.
    • Lance K
      Originally Posted by Jesus Perez View Post

      Pure FYI.

      HostGator works perfectly with 755 permissions and WordPress automatic updates. In fact, HostGator throws errors if any folder is 777.
      I want BlueSquares back. :p
      Signature
      "You can have everything in life you want if you will just help enough other people get what they want."
      ~ Zig Ziglar
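The replies above settle on 755 for directories and 644 for files, with 777 being the thing to avoid. As an added example (not posted by anyone in this thread), here is a small POSIX sh check that walks a WordPress tree and reports every path that deviates from that baseline, tagging anything world-writable; the path you pass it is an assumption.

```shell
#!/bin/sh
# Audit a WordPress tree against the 755 (directories) / 644 (files)
# baseline. Prints one line per path that deviates, tags anything
# world-writable (the 777 case discussed above), and returns 1 if any
# deviation was found, 0 if the tree is clean.
# Usage: wp_perm_audit /path/to/wordpress   (the path is an assumption)
wp_perm_audit() {
    root="$1"
    # '! -perm 755' is an exact-mode test: true when the mode is anything
    # other than 0755. The sed prefixes each hit with a tag for the report.
    report=$(
        find "$root" -type d ! -perm 755 | sed 's/^/dir-not-755 /'
        find "$root" -type f ! -perm 644 | sed 's/^/file-not-644 /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | sort | while read -r tag path; do
        # '-perm -002' matches when the "other" write bit is set, whatever
        # the remaining bits are; -prune keeps find from descending.
        if [ -n "$(find "$path" -prune -perm -002)" ]; then
            printf '%s %s WORLD-WRITABLE\n' "$tag" "$path"
        else
            printf '%s %s\n' "$tag" "$path"
        fi
    done
    return 1
}
```

Run it before and after an update: a plugin or host tool that silently widened a directory to 777 shows up as a WORLD-WRITABLE line.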
  • bettybakebake
    I was shocked at how nasty some people were to this person who just brought up an irregularity that struck him as something that might be an opening for hackers. I thank him for the time he took to post it here and then he had to defend himself from some very nasty arrogant people. Sure they are probably correct in their assertion but dang, hackers can do anything they want.
    So thanks again for bringing it to our attention. I appreciate that you took the time to post a thread.
    Michele the technoidiot in training.
    • mywebwork
      Originally Posted by bettybakebake View Post

      I was shocked at how nasty some people were to this person who just brought up an irregularity that struck him as something that might be an opening for hackers.
      Michele I certainly see your point, and also agree that some of the comments made to the OP, who made his post with the best of intentions, were not warranted.

      However, despite his good intentions the OP actually made some very serious mistakes in posting this:

      1 - If you find a genuine security flaw in a commonly used platform like WordPress, MS Windows or Facebook the last thing you should ever do is create a post in a public forum about it. Instead you report it to the developers. WordPress even mentions this on their site:
      It is standard practice to notify the vendor (the WordPress developers, in this case) of a security problem before publicizing so a fix can be prepared and public damage due to the vulnerability minimized.
      2 - In this case it was a false alarm, caused simply by the OP's self-admitted unfamiliarity with PHP and the WordPress platform. And while it is better to be safe than sorry it also will raise unnecessary concerns and alarms for less-technical users who don't understand the specifics of the issue. He also initially offered a solution (renaming the file) that, if used, would actually break some core WordPress functionality, and then confused the situation further with a scheme to add a "key" to the file.

      Again I commend the OP for wanting to bring what he felt was a genuine concern to the attention of fellow Warriors - and I'll give him extra bonus points for toning down the title of the thread (although not enough, as it isn't even a "concern"). In future I'm sure he will abide by the correct protocol for exposing security holes in software.

      Bill
      • tecHead
        Originally Posted by mywebwork View Post

        Michele I certainly see your point, and also agree that some of the comments made to the OP, who made his post with the best of intentions, were not warranted.

        However, despite his good intentions the OP actually made some very serious mistakes in posting this:

        1 - If you find a genuine security flaw in a commonly used platform like WordPress, MS Windows or Facebook the last thing you should ever do is create a post in a public forum about it. Instead you report it to the developers. WordPress even mentions this on their site:


        2 - In this case it was a false alarm, caused simply by the OP's self-admitted unfamiliarity with PHP and the WordPress platform. And while it is better to be safe than sorry it also will raise unnecessary concerns and alarms for less-technical users who don't understand the specifics of the issue. He also initially offered a solution (renaming the file) that, if used, would actually break some core WordPress functionality, and then confused the situation further with a scheme to add a "key" to the file.

        Again I commend the OP for wanting to bring what he felt was a genuine concern to the attention of fellow Warriors - and I'll give him extra bonus points for toning down the title of the thread (although not enough, as it isn't even a "concern"). In future I'm sure he will abide by the correct protocol for exposing security holes in software.

        Bill
        I actually spent over an hour searching the net looking for as much information on the topic as I could find prior to posting anything, here. The reason I chose to post here was due to the fact that all the information that I 'did' find was more than 5 months old; thus, I couldn't have been posting anything 'new'. I think I did post that I did a lot of searching in my OP.

        I do appreciate you recognizing that my only intention was to inform Warriors of the file/situation. Yet, it seems that even you are more so pointing out the semi-negatives rather than the positives; (as well as -- probably not intentionally -- sort of insulting my intelligence... no, I'm not complaining about it or whining -- just pointing out an observation).

        Firstly, I wouldn't be arrogant enough to assume that I was the 'first' to find a vulnerability in a project the size of WordPress.. in a version that's already been out; (stable public release); for at least a couple of months.. not knowing the language it's programmed in enough to contribute to the original project... so, (like I mentioned above), I didn't see any harm in posting here, (seeking help as stated), AND warning people.

        Now, this turning into a false alarm is a good thing. I'm glad there's nothing for people to worry about; although, I'm doing what I said just to be safe.

        My original 'suggestion', (which came with warnings that it was NOT tested -- and sanssecret 'understood' what I said and stated she'd "wait" until someone "confirmed"), was merely a suggestion and was immediately retracted as soon as I realized it wasn't a good solution. Please examine the timestamps of each post; as they're pretty close together... within minutes, to be exact.

        At times... I swear... I feel like it's better to just leave this forum alone; but, I've been online long enough to know that there are many that I DO help that just don't say much. Knowing that makes dealing with the negativity, (even slightly masked with positive comments), fine.

        As long as I can help somebody... I'm good.

        Peace, Love & Prosperity
        tecHead
        • CDarklock
          Originally Posted by tecHead View Post

          Yet, it seems that even you are more so pointing out the semi-negatives rather than the positives; (as well as -- probably not intentionally -- sort of insulting my intelligence...
          I'm sorry, where exactly was the positive in your announcement of something that wasn't true and recommendation to do something that wouldn't work?

          Because from where I sit, that looks pretty stupid, and so does the snippy attitude you're copping over the whole thing.
          • Paul Myers
            Caliban,
            Because from where I sit, that looks pretty stupid, and so does the snippy attitude you're copping over the whole thing.
            I'm seeing a lot of 'snippy' in this thread.

            Let's stick to the issues, folks, and leave out words like 'stupid' when the poster's intent is clearly to help, shall we? That request is extended to all and sundry.


            Paul
            Signature
            .
            Stop by Paul's Pub - my little hangout on Facebook.

            • sanssecret
              I'm just glad to find out I don't have to worry about it.
              Signature
              San

              The man who views the world at fifty the same as he did at twenty has wasted thirty years of his life. ~Muhammad Ali
              Pay me to play. :) Order a Custom Cover today.
  • Hi TecHead --

    Ok, I took a look at this script.

    a) This file is safe. You don't really have anything to worry about.

    This script is basically a set of 'functions'. If a hacker tries to use a generic exploit (i.e., simply calling it via a pathname/HTTP URL) -- nothing will happen because there is no PHP code to actually do anything (it is an 'include' file).

    b) For a hacker to actually 'exploit' this (assuming just via PHP), they would need to find some way of creating a PHP file on your server, that actually included this file, and then actually create the user.

    I.e., they would need code like this:

    <?php
    // WordPress has to be loaded first: the functions in registration.php use
    // the $wpdb global and other core functions, so including the file on its
    // own does nothing useful.
    require_once '/path/wordpress/wp-load.php';
    require_once '/path/wordpress/wp-includes/registration.php';

    // wp_create_user() is the function registration.php actually provides
    wp_create_user( 'username', 'password', 'user@example.com' );

    // do other stuff

    ?>

    With the specific file you mentioned, registration.php -- there is no (standard) way that a hacker could exploit this. They would actually need to find a way of creating a PHP file on your system, and this particular file does not have any 'holes', so to speak.

    The thing is, if a (real) hacker found out how to create a PHP file on your system with write permissions in the first place, they would probably be more interested in other things than just simply creating random users and manually editing your WordPress installation through a WordPress interface. (Hackers don't manually edit things, that's a waste of time. Script kiddies do. And script kiddies are like the guys that spray paint a building. They do it because it's 'cool', and to show off to a friend. So on the off chance you got a script kiddie that somehow managed to install a PHP file to create a random user on your system, they would be more likely to make something that said 'SuperKoolz 3lit3z wuz here' on your main webpage, and you could easily repair that).

    So, bottom line, don't worry about it.

    - J
  • mystline
    Not sure if anyone's mentioned it but you can just set the default role of new members to Subscriber so that they are unable to cause any damage.