[wp-testers] Re: Bugs/Fixes, Security Requests

Otto otto at ottodestruct.com
Tue Dec 2 17:53:35 GMT 2008


On Tue, Dec 2, 2008 at 9:41 AM, g30rg3_x <g30rg3x at gmail.com> wrote:
> However, I must notice that these modifications won't enhance your
> wordpress-based site security; they would just make the exploitation
> of a _critical_ vulnerability harder (but just a little)

I can see that this is a topic that just won't die with you, huh? I
don't really know how to explain this in a way that will be fully
understood here. I've tried before, but it's clearly not getting
through. Let me take one final stab at it: Hiding the version number
will not make the exploitation of a critical vulnerability harder. Not
even a little bit. Really.

Look at it from the point of view of an attacker. There are two possible
scenarios to consider:


Scenario 1: Cracker wants to exploit a lot of sites and stick his spam
on them. This is the most common case.

In this scenario, the cracker gets a big list of vulnerabilities, and
spams them across every site he can find. When one of them strikes
paydirt, the "load" is injected, which then goes and cracks every
piece of software on that server possible. You see this a lot on
shared hosting setups: once the exploit is performed, a script is
loaded which searches all possible injection points on that server and
writes his spam into everywhere it can find to do so. This infects
many more sites on that server with the link spam, and causes
potentially hundreds of sites to now have links back to the spammer's
stuff.

This is a common case because it's an easy one. Software exists to do
exactly this sort of thing. Vulnerabilities are circulated in
plug-and-play forms for these specific types of software.
Exploits/injections are pluggable as well, and can be easily adapted
to any spam you want to use. In literally a matter of minutes, with
zero code being written by the attacker, somebody can create a system
using nothing but plug and play modules that will attempt to exploit
hundreds of known vulnerabilities on a list of millions of websites,
and it can even run on a distributed system (botnet). All it requires
is money and a lack of morals.

Note that NONE of this involves ever caring what version of the
WordPress software you are running. Indeed, they don't even care that
you are running WordPress. It's simply one of the many different
packages with exploits coded into their exploit-pack. Indeed, checking
your version before attempting to exploit you doesn't really save them
anything. Time, perhaps, but only slightly, and only if the software
is smart enough to care (95% of these programs are not; they just
spam a series of hacks and check for success/failure).


Scenario 2: Somebody with a revenge fixation decides they want to hack
you, specifically.

In this scenario, they can quickly tell that you're running WordPress.
a) Assuming you're not hiding your version, then they look for
exploits for that version.
b) Assuming you're running the latest version, then they won't find
any and you're safe.
c) Assuming they're slightly smarter than that, they do some
easy-to-do searches, find exploitable software running on other
websites, but on the same shared host as you, and hack you that way.
d) Failing all this, they stamp their feet and give up.

Now, in your situation, you want to hide the version of WordPress.
This stops them from looking for specific exploits. However, a list of
generic WordPress exploits for several versions *is just as good to
them*. They can sit there and try half a dozen exploits, no problem.
It doesn't take them any more time, really. Just a few extra HTTP
requests. If they don't know how to do this sort of thing themselves,
then they download a bunch of script kiddie hacks and run them all,
hoping that one hits. The point being that they are not significantly
slowed by this sort of preventative medicine. And anyway, assuming
you're running the latest version and therefore "safe", it makes no
difference anyway.


Now, you might be considering scenario 3: Zero-day exploits. An
exploit is discovered against the latest version, so there is a
limited amount of time to exploit it before it is patched. Having your
version hidden means you don't show up in searches for that version.
The problem with that sort of thinking is that they're not searching for
sites with a specific version. They just keep a single list of known
websites for that sort of thing. When a zero-day is discovered, they
spam it across to all of them. *Searching takes too much time*. It's
easier to simply keep a list of a whole crapload of sites, then spam
them all. And version checking is not done here either, because it's
faster to attempt the hack than it is to a) check for vulnerability
and then b) attempt the hack. Trying the hack takes the same time as
checking for the version number, so why bother? Makes no sense.


Hiding the version is simply ineffective, in all respects. It does
nothing that is even slightly helpful for your site. It deters nobody.

-Otto
