I’ve recently received an email asking me to fix some Captcha! vulnerabilities that would allow spammers to post automated spam comments. The supposed vulnerabilities were published on a Russian/Ukrainian blog.
Puzzled, I checked those posts. One of them claims Captcha! is vulnerable to CSRF; the other is about XSS.
Basically, CSRF means that while you are logged into your WordPress blog you visit a site under an attacker’s control. That page can make your browser send a request to your blog (for instance, by auto-submitting a hidden form to the plugin’s options page); since your browser attaches your WordPress login cookie to it, the blog processes the request as if you had filled in the form yourself. The attack works if the attacker has prepared the page for you (that is, he knows you’re the admin of xxyyzz.com and that you will browse his site while logged in) and is simply waiting for you to visit it.
Using this technique (which needs the attacker to get a logged-in administrator to open his page, for example through a link in a comment or an e-mail), visiting the attacker’s site can set the Captcha! code length to 0, which disables it: Captcha! won’t check 0-length codes. The same applies to the XSS report (the second vulnerability).
Protecting against CSRF
This has been fixed in version 2.6 (now available for download).
For previous versions, the best protection against CSRF is to log out of your WP site before browsing an insecure web site. If you tend to tick the “Remember me” box when logging in, don’t use it: it keeps your login cookie alive for a long time, so a forged request keeps working long after you have closed the admin panel.
Also use a browser like Firefox with the NoScript extension installed. It blocks the scripts an untrusted page needs to submit the forged request automatically, even if you have forgotten to log out of your WP blog. It is not a complete defence, though: a forged request can also be sent with a plain HTML form or an image tag, no script needed, so do upgrade.
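The standard WordPress way to close this hole, shown here as an added example rather than Captcha!’s own code (I have not seen what 2.6 actually does): the options form carries a nonce tied to the logged-in user, the save handler refuses any request without it, and the code length is clamped server-side so that a tampered setting can never silently disable the check. The option name captcha_code_length, the action name captcha_save_options, the nonce field name and the admin-menu wiring are all assumed for the illustration.

```php
<?php
// Added example, not Captcha!'s code. Assumed names: option 'captcha_code_length',
// nonce action 'captcha_save_options', nonce field '_captcha_nonce'.
// Hooking the form and handler into the admin menu is omitted.

define('CAPTCHA_LENGTH_MIN', 4);
define('CAPTCHA_LENGTH_MAX', 10);

// Clamp an untrusted length to a sane range. Even if someone manages to
// write 0 into the option, the CAPTCHA still asks for at least 4 characters.
function captcha_sanitize_length($value)
{
    $n = intval($value);          // false/'' (option unset) becomes 0 and is clamped
    if ($n < CAPTCHA_LENGTH_MIN) {
        return CAPTCHA_LENGTH_MIN;
    }
    if ($n > CAPTCHA_LENGTH_MAX) {
        return CAPTCHA_LENGTH_MAX;
    }
    return $n;
}

// The options form. wp_nonce_field() emits a hidden field whose value is
// derived from the action name and the current user's session; a page on
// another site cannot read or guess it.
function captcha_options_form()
{
    $current = captcha_sanitize_length(get_option('captcha_code_length'));
    echo '<form method="post" action="">';
    wp_nonce_field('captcha_save_options', '_captcha_nonce');
    echo '<label>Code length: <input type="text" name="captcha_code_length" value="'
        . htmlspecialchars($current, ENT_QUOTES) . '" /></label> ';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

// Handler for the POST from that form. A forged cross-site request carries
// the admin's cookies but not the nonce, so check_admin_referer() dies
// before anything is written. The capability check stops a logged-in
// subscriber from reaching the handler at all.
function captcha_save_options()
{
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    check_admin_referer('captcha_save_options', '_captcha_nonce');

    $posted = isset($_POST['captcha_code_length']) ? $_POST['captcha_code_length'] : '';
    update_option('captcha_code_length', captcha_sanitize_length($posted));
}

// Where the challenge is checked: refuse an empty (or too short) expected
// code outright instead of comparing '' with '' and letting the comment in.
function captcha_verify($expected, $submitted)
{
    if (strlen($expected) < CAPTCHA_LENGTH_MIN) {
        return false;
    }
    return strcasecmp($expected, (string) $submitted) === 0;
}
```

The nonce alone already defeats the reported attack; the clamp in captcha_sanitize_length() and the length check in captcha_verify() are belt and braces, so that a bad value in the database (from whatever source) degrades to a short CAPTCHA rather than to no CAPTCHA at all.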
How will this impact me?
You can relax. There’s nothing dangerous to fix, and Captcha! is safe. Simply upgrade to the latest version.
Posted by Boriel as Wordpress, Security at 5.22 pm
4 Comments »
Apart from Captcha!, to fight trackback spam I also use Trackback Validator, which works very well but has one small problem: whether the trackback is ham or spam, you always get it by e-mail if the “mail comments” feature is enabled in your WP panel. So you might end up with your mailbox flooded with spam trackbacks (even though they are correctly filtered on your blog).
Because of this, I’ve made a little hack so that only valid trackbacks are mailed to you, not the spam ones.
Download it here.
Update: (2007-04-01) It seems I’m not the first one to do something like this, although that one takes a different approach (patching WP itself).
Posted by Boriel as Wordpress at 12.33 am
5 Comments »
I feel a bit like Dr. Gregory House. Now that the indexing problem seems to be solved, and I don’t know why, I need to find out what caused those symptoms, since they could come back in the near future.
Neither disabling WP-HashCash nor Kramer worked («Put 0.5 mg of atropine», House would have said). It wasn’t that, so what was it? I disabled most plugins on my system and about half an hour later I was indexed («The patient is reacting and everything has come back to normal»).
I’ll keep investigating. For now, the previous post was indexed while the LiveCalendar plugin was enabled, so that one is ruled out. Today I’m writing after enabling WP-PostRatings. Now let’s wait for some reaction…
Update: «Of course! How didn’t I realize?» House said.
Examining the WP-PostRatings plugin (the voting stars you see below), I noticed that the file postratings.php contained the following code:
<?php
217 foreach ($bots_useragent as $bot) {
218 if (stristr($useragent, $bot) !== false) {
=>219 exit();
220 }
221 }
Line #219 calls exit(), which terminates the whole PHP request, not just the plugin’s function, whenever the User-Agent matches one of the known bots. Since this function is hooked into the blog’s main page, every crawler gets a page that ends right there, and the rest of the blog is never seen by search engines. Simply replacing that line with return; fixes the problem: the function bails out early (no rating stars for bots) and WordPress carries on rendering the page:
<?php
217 foreach ($bots_useragent as $bot) {
218 if (stristr($useragent, $bot) !== false) {
=>219 return;
220 }
221 }
The author has been told about this issue and it will be fixed in the next release.
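To see the difference between the two lines without a full WordPress install, here is an added example (my own, not the plugin’s code) with a toy stand-in for the hook pipeline: the bot check is the same stristr() loop, the hooked function uses return, and the page is still rendered for the crawler. The bot list and the page content are made up for the illustration.

```php
<?php
// Added example, not WP-PostRatings' code. Minimal stand-in for the WordPress
// hook pipeline, showing why `return` in a hooked function is harmless while
// `exit()` at the same spot would hide the entire page from crawlers.

// Illustrative list; the real plugin ships its own.
$bots_useragent = array('googlebot', 'msnbot', 'slurp', 'technorati');

// Same matching rule as the plugin: case-insensitive substring search.
// User-Agent is whatever the client claims, so treat this as a convenience
// for crawlers, never as an access-control decision.
function is_known_bot($useragent, array $bots)
{
    foreach ($bots as $bot) {
        if (stristr($useragent, $bot) !== false) {
            return true;
        }
    }
    return false;
}

// The hooked function with the fix applied: leave *this* function only.
// With exit() here, PHP would stop the request and everything WordPress
// prints after this hook (the post, the footer) would never be sent.
function postratings_hook($useragent, array $bots)
{
    if (is_known_bot($useragent, $bots)) {
        return '';                                   // no stars for crawlers
    }
    return '<div class="post-ratings">*****</div>' . "\n";
}

// Toy equivalent of WordPress running its hooks and then the rest of the template.
function render_page($useragent, array $bots)
{
    $out  = "<html><body>\n";
    $out .= postratings_hook($useragent, $bots);     // plugin output, if any
    $out .= "<h1>Post title</h1>\n<p>Post body the crawler should index.</p>\n";
    $out .= "</body></html>\n";
    return $out;
}

$crawler = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
$human   = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0';

foreach (array('crawler' => $crawler, 'human' => $human) as $label => $ua) {
    $html = render_page($ua, $bots_useragent);
    echo "== $label ==\n", $html;
    // The crawler must still receive the post text; only the widget differs.
    if (strpos($html, 'Post body') === false) {
        echo "BUG: page truncated for $label\n";
    }
}
```

The same check against a live blog is a one-liner: fetch the front page with a spoofed crawler User-Agent, e.g. `curl -s -A "Googlebot/2.1" http://yourblog/`, and make sure the output is the full page and not an empty or truncated document. That is exactly what the search engines were seeing here.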
Posted by Boriel as Wordpress at 10.44 am
1 Comment »
As you may already know, last week WordPress version 2.0.3 was released. It fixes at least one security issue and may speed the system up a bit. The list of resolved tickets has more detailed information.
Posted by Boriel as Wordpress at 8.27 pm
1 Comment »
I realized almost by chance, two days ago, that my web content is apparently not being indexed by Google, Technorati, MSN Search or Yahoo Search. I got a bit alarmed, because for the last 18 days (since May 20th) this site has not been indexed by most search engines…
Since I don’t use robots.txt, I can only think that it is either a plugin I’ve recently installed or something beyond my control (not directly related to me) that is affecting me anyway. I suspect the WP-HashCash plugin, which I installed the same day I wrote Bye Bye, Captcha!. That was the day my site stopped being indexed (the mentioned post was written just after installing this plugin and has not been indexed either). WP-HashCash keeps spam bots away using JavaScript, and I suspect that JavaScript might be interfering with other spider bots in some way.
The other suspect is Kramer, which I also installed around that time, though it’s less likely to be the one causing trouble. I’ve temporarily disabled both to see what happens.
If someone has a clue, please don’t hesitate to tell.
Update: (12:07 - Jun 09th) I’ve disabled almost every plugin on my system and then pinged Technorati (their support told me their web spiders couldn’t access my site for some reason). It seems I’m now indexed! The problem now is that I don’t know which plugin was causing trouble (supposing it was one of them). :( Will keep investigating…
Posted by Boriel as Internet, Wordpress, Blogosphere at 6.24 pm
1 Comment »