WordPress 3.3 was released the other day, but the changes within v3.3 had a very serious effect on one website. I am going to show you some images and describe a website that we helped with a very serious issue. The website was not one of our clients, nor was it one of our websites. It is a website that we regularly visit, and we found a serious issue which I will describe below. However, we will not reveal any details about the website, as the company that owns it naturally does not want to be identified, and we are likely the only people who know which website this is.
We accessed the website and were automatically logged in. The way their website works is that when you visit their blog from their main site (the main site was built from the ground up, but their blog uses WordPress), the main website sends you to the blog using an OAuth method of confirmation. This creates an account within the blog so that you can comment and use the website without registering.
We noticed that they had upgraded, as there was now a WordPress bar at the top of each page. We visited their dashboard, as I was interested in how they had configured their website. WordPress uses a default dashboard which is not very nice to look at and is entirely irrelevant to the site the user is visiting. Some companies will not allow users to access the dashboard, or they will alter it so that it is relevant to their main website. We prefer to have the user's profile and the login pages on our website frontend so that the user always stays on our themed website, instead of being taken to the backend of WordPress, which can seem confusing if you are not expecting it.
When I saw the dashboard, I saw that the entire sidebar was being displayed. I assumed that it would refuse access to any of the areas that could damage the site. Just to see, I clicked on one and was given full access to their theme. I clicked on another and was given full access to their plugins. I clicked a few more and saw all of their users and posts. I could not believe what I was seeing. I had full admin access, and I had never logged in as an admin. I checked my account and could very clearly see that I was not an admin and therefore should not have had any admin privileges.
Looking back at the WordPress bar on the post I had been viewing, it was obvious that I had more privileges than I should have had. Notice the “+ post” and “edit post” links in the image below, neither of which should have been showing, as my user account should not have been able to add or edit posts.
I checked the welcome section of WordPress, where it mentions your username, and I could see that I was logged in as the admin. This was insane, as it meant that any visitor at all would likely have the same level of access to the blog.
I went to my profile and this indeed confirmed that I was logged in as user 1, the admin of the site.
What damage could this have caused?
Below is a list of things that someone could do to the site if they were evil:
- Delete everything
- Add anything
- Edit anything
- Add viruses
- Steal all user details (names and e-mail addresses)
- The list goes on and on. If you can do it as an admin, you could have done it to this site.
As soon as I saw that the website was at risk, I immediately reported it to the company that owns it. Shortly afterwards, I received a long e-mail thanking me for informing them. They immediately acted upon the issue and corrected it.
What was the issue with WordPress 3.3?
The company used a script that took the user's login details from their main site and either added them to the WordPress site or logged the user into the WordPress site if an account had already been created for them.
With previous versions of WordPress, this worked fine. The script would query the database, and the database would reply with the user ID for that particular user, so that they could be logged into the WordPress site and comment without having to log in themselves.
The problem appeared when WordPress was upgraded to 3.3. When a user visited the WordPress site, the database would be queried, but instead of replying with the user's ID, it would reply with “1”. The plugin dealing with users would then log the user in using the details obtained from the database. Previously this had always been the user's own account, but as the upgraded WordPress install was now replying with “1”, it logged the visitor in as user ID 1, the true admin of the site. The script trusted whatever the lookup returned and never checked that the account it was about to sign the visitor into was actually the account it had asked for.
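A hardened version of the bridge's login step, written here as an added example (it is not the company's plugin, nor WordPress core code). It assumes it runs inside WordPress, and that `$sso_login` and `$sso_email` (hypothetical parameter names) arrive from the already-verified OAuth handoff from the main site. The point is the part the failing script lacked: the record returned by the lookup is compared with the identity that was requested, and privileged accounts are refused outright, before any auth cookie is set.

```php
<?php
/**
 * Added example: sign a federated visitor into their own low-privilege account.
 * Returns the WP_User on success, or a WP_Error without logging anyone in.
 */
function sso_bridge_login( $sso_login, $sso_email ) {
    $user = get_user_by( 'login', $sso_login );

    if ( ! $user ) {
        // Unknown visitor: create a subscriber with a random, unused password.
        $user_id = wp_insert_user( array(
            'user_login' => $sso_login,
            'user_email' => $sso_email,
            'user_pass'  => wp_generate_password( 32, true, true ),
            'role'       => 'subscriber',
        ) );
        if ( is_wp_error( $user_id ) ) {
            return $user_id;
        }
        $user = get_user_by( 'id', $user_id );
    }

    // Validate the lookup result instead of trusting it. Without these checks a
    // lookup that unexpectedly yields ID 1 signs the visitor in as the admin.
    if ( ! ( $user instanceof WP_User ) || (int) $user->ID <= 0 ) {
        return new WP_Error( 'sso_no_user', 'Lookup returned no valid user.' );
    }
    if ( $user->user_login !== $sso_login ) {
        // Wrong record: log the mismatch for the site owner and refuse.
        error_log( sprintf( 'SSO bridge: asked for %s, lookup returned ID %d (%s)',
            $sso_login, $user->ID, $user->user_login ) );
        return new WP_Error( 'sso_user_mismatch', 'Resolved user does not match SSO identity.' );
    }
    if ( user_can( $user, 'edit_posts' ) || user_can( $user, 'manage_options' ) ) {
        // Federated visitors must never be signed into an account that can
        // author content or administer the site, whatever the lookup says.
        error_log( sprintf( 'SSO bridge: refused privileged account ID %d', $user->ID ) );
        return new WP_Error( 'sso_privileged', 'SSO login refused for privileged account.' );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user );
    return $user;
}
```

Each refusal path writes to the PHP error log, so a site owner would see the mismatch appear immediately after an upgrade rather than learning about it from a visitor.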
As you can see from the image below, I am logged in as the “admin” and can view all of the users' details. I have edited the image to hide personal details such as username and password.
Does this affect all WordPress sites?
Yes, this is an issue with WordPress 3.3. WordPress have already been informed of this issue and have told us and the affected company that a fix would be released as a security update in WordPress 3.3.1.
What can you learn?
You should always test new software on a test site. Simply upgrading to and running the latest software on a live site can easily cause untold issues, just like this one. If you use a test site, you can test all of the features and functions to ensure that they all work correctly and that there are no serious issues like this.
We will usually create a subdomain called “test”. We then password protect the folder so that no one else can view the test site. We can then test all of the software we will be using, making sure that it all works correctly. Once we are happy, we apply the updates and changes to the live site. Once again, we run through the same tests on the live site, just to be absolutely sure that there are no issues there.