
New WordPress Hack Inserts Hidden Text

by Mike Abundo on March 27th, 2008

Ruth Kusterer reveals a new WordPress hack that lets spammers inject hidden text into posts on WordPress-powered sites. The worst part: the hack works on multiple versions. From her post:

Somebody managed to insert a div with spam text into a blog entry’s content (and in one case even into the description meta tag). As opposed to ‘normal’ comment spam (see rel=nofollow), content spam makes it look as if the blogger recommended the link, which (I presume) gives it a higher google ranking.

So why does the blogger not notice the inserted text? The height and width of the div are zero, so the text is hidden. Some feedreaders however preview entries without div styles, so the inserted text is visible in the RSS feed.

By googling for variations of the link text, I found 7 more blogs. Sure, eight is far from a botnet epidemic. Still it’s strange how the same hidden text turns up in the content of eight unrelated blogs. Do they have anything in common?

The eight cases I saw all run on WordPress, but on different versions.

If you have a WordPress blog, please quickly search the page source for a div with style="overflow:auto;width:0;height:0;" and tell us whether you got one too.
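The check Ruth asks for can be automated. The script below is an added example, not code from her post, from this blog or from WordPress, and the sample page it scans is constructed. It parses page source (or the HTML of a feed item) and reports every element whose inline style hides it, together with the text and links inside, and it also flags a description meta tag that contains markup or a URL, since that was hit in one of the cases. The zero-size box is the pattern reported above; display:none, visibility:hidden and off-screen positioning are added here as the obvious variants a spammer could switch to.

```python
"""Find hidden content spam in WordPress page source or feed item HTML.

Added example for this post, not code from the post or from WordPress.
The sample page at the bottom is constructed for the demonstration."""
import re
from html.parser import HTMLParser

# Inline-style patterns that make an element invisible.  The zero-size box is
# the pattern reported in the post; the other three are common alternatives
# (my generalisation, not something the post reports).
HIDING_RULES = [
    re.compile(r"\b(?:width|height)\s*:\s*0(?:px|em|%)?\s*(?:;|$)"),  # width:0 / height:0
    re.compile(r"\bdisplay\s*:\s*none\b"),
    re.compile(r"\bvisibility\s*:\s*hidden\b"),
    re.compile(r"\b(?:left|top|text-indent)\s*:\s*-\d{3,}px\b"),      # pushed off-screen
]
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}  # never have a closing tag
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def style_hides(style):
    """True if the inline style would make the element invisible in a browser."""
    s = (style or "").lower()
    return any(rule.search(s) for rule in HIDING_RULES)


class HiddenTextFinder(HTMLParser):
    """Collects text and links inside hidden elements, plus suspicious meta descriptions."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []        # one dict per hidden container / bad meta tag
        self.depth = 0            # nesting depth of non-void tags
        self.hidden_depth = None  # depth at which the current hidden container opened
        self.current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "description":
            content = attrs.get("content") or ""
            # Markup or a URL inside the description is the injected-meta case.
            if re.search(r"<\w|https?://", content):
                self.findings.append({"tag": "meta", "style": "", "text": content,
                                      "links": URL_RE.findall(content)})
        if tag in VOID_TAGS:
            return
        self.depth += 1
        if self.hidden_depth is None:
            style = attrs.get("style") or ""
            if style_hides(style):
                self.hidden_depth = self.depth
                self.current = {"tag": tag, "style": style, "text": "", "links": []}
        if self.hidden_depth is not None and tag == "a" and attrs.get("href"):
            self.current["links"].append(attrs["href"])

    def handle_data(self, data):
        if self.hidden_depth is not None:
            self.current["text"] += data

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.hidden_depth is not None and self.depth == self.hidden_depth:
            self.current["text"] = " ".join(self.current["text"].split())
            self.findings.append(self.current)
            self.hidden_depth = None
            self.current = None
        self.depth -= 1


def find_hidden_spam(page_html):
    """Return a list of findings for a page or feed item; an empty list means clean."""
    parser = HiddenTextFinder()
    parser.feed(page_html)
    parser.close()
    return parser.findings


# Constructed sample: a normal post with a spam div injected, as in the post,
# and a spam link injected into the description meta tag.
SAMPLE_PAGE = """<html><head>
<meta name="description" content="Weekend hike &lt;a href=&quot;http://spam-example.invalid/&quot;&gt;cheap pills&lt;/a&gt;" />
</head><body>
<div class="post">
<p>We went hiking on Saturday and the weather was great.</p>
<div style="overflow:auto;width:0;height:0;">
<a href="http://spam-example.invalid/pills">cheap pills online</a> buy now
</div>
<div style="overflow:auto;width:300px;height:200px">A real scrolling box with photos.</div>
<p>More photos to follow.</p>
</div></body></html>"""

if __name__ == "__main__":
    for f in find_hidden_spam(SAMPLE_PAGE):
        print(f"{f['tag']:4} style={f['style']!r} text={f['text']!r} links={f['links']}")
```

Run it over the saved page source of a post, or over the content element of a feed item, since feed readers show the text the browser hides. It assumes reasonably well-formed markup; a hidden style applied through a stylesheet class rather than an inline style would not be seen.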

M. Uli Kusterer reports that Peter Hosey has detected traffic spikes against WordPress’ xmlrpc.php, the XML-RPC endpoint that remote publishing clients use to create and edit posts. The hackers could be going through that.

Hidden text can get a site deindexed by Google. This is a big fucking deal.

Update: The second commenter on Ruth’s blog post says upgrading to the latest version of WordPress does not fix the security hole. This is bad.


POSTED IN: Blogging, Security, WordPress

6 opinions for New WordPress Hack Inserts Hidden Text

  • WordPress Hack Epidemic!
    Apr 9, 2008 at 3:31 am

    […] WordPress hidden text exploit I blogged earlier has exploded to epidemic proportions, hitting even big sites like ZDNet. The worst part: […]

  • Michael Shinn
    Apr 24, 2008 at 6:14 pm

    I’ve written a modsecurity rule to help prevent this. You can download it (and other rules) from the GotRoot Website, or you can just use this rule:

    #Rule 300056: Hidden spam links
    #examples:
    #
    #overflow:auto;width:0;height:0
    SecRule REQUEST_BODY|ARGS "< ?font style ?= ?(position ?\: ?absolute|overflow ?\: ?(?:hidden|auto)).*(?:height|width) ?(?:=|\:) ?[0-9] ?(px|\;)" \
    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:300056,rev:1,severity:2,msg:'Spam: Hidden Text Exploit'"

  • Mike Abundo
    Apr 25, 2008 at 2:11 am

    Awesome. Thanks, Michael! :)

  • Pramudita
    May 12, 2008 at 1:55 pm

    Michael, how do I use that rule for my WordPress blog? I can’t install mod_security on the server (Dreamhost).

    Thank you

  • erdal sahin
    May 19, 2008 at 4:40 am

    Thanks, Michael, for sharing this article.

  • Michael Shinn
    May 19, 2008 at 9:42 am

    Hmmm… what to do if you can’t install it and your system does not have mod_security installed…

    I might be able to tweak this for mod_rewrite. I’ll have to do some experimenting later today to see what can be done with other tools. In the meantime, see if you can encourage your ISP to install mod_security and I’ll see what I can come up with for mod_rewrite.
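The ModSecurity rule Michael posted above can be tried offline before it goes near a server. The script below is an added example, mine rather than his or ModSecurity's code: it re-implements the rule's transformation chain (replaceNulls, htmlEntityDecode, urlDecodeUni, compressWhiteSpace, lowercase) in Python and runs two patterns over constructed request bodies, including an XML-RPC editPost body of the kind the traffic spikes on xmlrpc.php suggest. The first pattern is the regex exactly as posted; it requires a font element and an unquoted style attribute, so it does not match the div style="overflow:auto;width:0;height:0;" that Ruth found. The second is my adjustment: any element name, an optional quote after style=, and the dimension check kept inside the same tag. The request bodies and the spam-example.invalid host are constructed.

```python
"""Offline check of a ModSecurity hidden-text rule against sample request bodies.

Added example, not the commenter's or ModSecurity's code.  The transformation
chain is re-implemented here so the regex can be exercised without a web
server; the sample bodies below are constructed, not captured traffic."""
import html
import re
import urllib.parse


def normalize(body):
    """Apply the rule's transformations in the order the rule lists them."""
    s = body.replace("\x00", " ")                                   # t:replaceNulls
    s = html.unescape(s)                                            # t:htmlEntityDecode
    s = re.sub(r"%u([0-9a-fA-F]{4})",                               # t:urlDecodeUni:
               lambda m: chr(int(m.group(1), 16)), s)               #   %uXXXX form ...
    s = urllib.parse.unquote_plus(s)                                #   ... and %XX / '+'
    s = re.sub(r"\s+", " ", s)                                      # t:compressWhiteSpace
    return s.lower()                                                # t:lowercase


# The regex as posted in the comment: a <font> tag with an unquoted style.
POSTED = re.compile(
    r"< ?font style ?= ?(position ?: ?absolute|overflow ?: ?(?:hidden|auto))"
    r".*(?:height|width) ?(?:=|:) ?[0-9] ?(px|;)")

# My adjustment: any element, other attributes before style, an optional quote
# after '=', and [^>]* instead of .* so the dimension must sit in the same tag
# (otherwise a benign box and a later 'height:0;' elsewhere on the line would match).
ADJUSTED = re.compile(
    r"""<\w+[^>]*style ?= ?["']?(position ?: ?absolute|overflow ?: ?(?:hidden|auto))"""
    r"""[^>]*(?:height|width) ?(?:=|:) ?[0-9] ?(px|;)""")


def rule_matches(pattern, body):
    """True if the pattern fires on the normalised body."""
    return pattern.search(normalize(body)) is not None


# Constructed sample request bodies.
XMLRPC_EDIT = (                       # metaWeblog.editPost with entity-encoded HTML
    '<?xml version="1.0"?><methodCall><methodName>metaWeblog.editPost</methodName>'
    '<params><param><value><string>42</string></value></param>'
    '<param><value><string>admin</string></value></param>'
    '<param><value><string>p4ss</string></value></param>'
    '<param><value><struct><member><name>description</name><value><string>'
    'Weekend hike. &lt;div style=&quot;overflow:auto;width:0;height:0;&quot;&gt;'
    '&lt;a href=&quot;http://spam-example.invalid/&quot;&gt;cheap pills&lt;/a&gt;&lt;/div&gt;'
    '</string></value></member></struct></value></param></params></methodCall>'
)
FORM_EDIT = (                         # wp-admin style form post, URL-encoded, mixed case
    "content=%3Cdiv+style%3D%22Overflow%3A+auto%3B+Width%3A+0px%3B+Height%3A+0px%22%3E"
    "buy+now%3C%2Fdiv%3E")
FONT_UNQUOTED = "<font style=position:absolute;left:-9999px;height:0px>cheap pills</font>"
BENIGN = ("content=%3Cdiv+style%3D%22overflow%3Aauto%3Bwidth%3A300px%3Bheight%3A200px%22%3E"
          "photos%3C%2Fdiv%3E")

SAMPLES = {"xmlrpc editPost": XMLRPC_EDIT, "form post": FORM_EDIT,
           "unquoted font": FONT_UNQUOTED, "benign box": BENIGN}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} posted={rule_matches(POSTED, body)!s:5} "
              f"adjusted={rule_matches(ADJUSTED, body)}")
```

Two caveats carry over to the real rule. The transformations run in the listed order, so an entity reference that only appears after URL decoding is not decoded again; and both patterns only see what normalisation can expose, so a style moved into a stylesheet class instead of an inline attribute is caught by neither.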
