[wp-testers] Re: Bugs/Fixes, Security Requests

g30rg3_x g30rg3x at gmail.com
Wed Dec 3 02:03:01 GMT 2008


Hi again,

First of all, I don't like the way this discussion is going, so I won't
reply directly to your comment.

Second, this is the normal security-through-obscurity discussion, and
from previous attempts to promote this, I know that this won't
ever happen... the real final stab I got was at ticket #7545; that
was my last (final) attempt to promote it.

Third, you are considering the "script kiddie" / "spammer" scenarios,
not the real ones, which involve real crackers, not just people taking
exploits from milw0rm.com and spamming all over the web.
There are some scenarios which involve particular use of sensitive
information (like the version of the product and the username), but they
are limited by a lot of variables, and sometimes they play a minor role
in the intrusion. So even if your 3 scenarios are right, the
scenarios where sensitive information is used are still there, just
that it plays such a little/minor role in the intrusion that it is
often underestimated.

Summarizing...
I didn't say they play a "higher" role on your "harder" security
infrastructure; they play a little/minor/nano role. Also, we are not
only discussing enumeration of the version (here); this type of
vulnerability actually goes hand in hand with full path disclosure and
username enumeration. There are tactics to avoid disclosing this
information, so really, man, if you don't want to see it as security
then don't see it as security, see it as privacy... I don't want people
to easily get this information, just as you don't want spammers to get
your email address (crappy comparison, but it reflects my point).

Best Regards, Otto.

2008/12/2 Otto <otto at ottodestruct.com>:
> On Tue, Dec 2, 2008 at 9:41 AM, g30rg3_x <g30rg3x at gmail.com> wrote:
>> However I must note that these modifications won't enhance your
>> wordpress-based site security; they would just make the exploitation
>> of a _critical_ vulnerability harder (but just a little)
>
> I can see that this is a topic that just won't die with you, huh? I
> don't really know how to explain this in a way that will be fully
> understood here. I've tried before, but it's clearly not getting
> through. Let me take one final stab at it: Hiding the version number
> will not make the exploitation of a critical vulnerability harder. Not
> even a little bit. Really.
>
> Look at it from the point of view of an attacker. There are two possible
> scenarios to consider:
>
>
> Scenario 1: Cracker wants to exploit a lot of sites and stick his spam
> on them. This is the most common case.
>
> In this scenario, the cracker gets a big list of vulnerabilities, and
> spams them across every site he can find. When one of them strikes
> paydirt, the "load" is injected, which then goes and cracks every
> piece of software on that server possible. You see this a lot on
> shared hosting setups, once the exploit is performed, a script is
> loaded which searches all possible injection points on that server and
> writes his spam into everywhere it can find to do so. This infects
> many more sites on that server with the link spam, and causes
> potentially hundreds of sites to now have links back to the spammer's
> stuff.
>
> This is a common case because it's an easy one. Software exists to do
> exactly this sort of thing. Vulnerabilities are circulated in
> plug-and-play forms for these specific types of software.
> Exploits/injections are pluggable as well, and can be easily adapted
> to any spam you want to use. In literally a matter of minutes, with
> zero code being written by the attacker, somebody can create a system
> using nothing but plug and play modules that will attempt to exploit
> hundreds of known vulnerabilities on a list of millions of websites,
> and it can even run on a distributed system (botnet). All it requires
> is money and a lack of morals.
>
> Note that NONE of this involves ever caring what version of the
> WordPress software you are running. Indeed, they don't even care that
> you are running WordPress. It's simply one of the many different
> packages with exploits coded into their exploit-pack. Indeed, checking
> your version before attempting to exploit you doesn't really save them
> anything. Time, perhaps, but only slightly, and only if the software
> is smart enough to care (95% of this software is not; it just
> spams a series of hacks and checks for success/failure).
>
>
> Scenario 2: Somebody with a revenge fixation decides they want to hack
> you, specifically.
>
> In this scenario, they can quickly tell that you're running WordPress.
> a) Assuming you're not hiding your version, then they look for
> exploits for that version.
> b) Assuming you're running the latest version, then they won't find
> any and you're safe.
> c) Assuming they're slightly smarter than that, they do some
> easy-to-do searches, find exploitable software running on other
> websites, but on the same shared host as you, and hack you that way.
> d) Failing all this, they stamp their feet and give up.
>
> Now, in your situation, you want to hide the version of WordPress.
> This stops them from looking for specific exploits. However, a list of
> generic WordPress exploits for several versions *is just as good to
> them*. They can sit there and try half a dozen exploits, no problem.
> It doesn't take them any more time, really. Just a few extra HTTP
> requests. If they don't know how to do this sort of thing themselves,
> then they download a bunch of script kiddie hacks and run them all,
> hoping that one hits. The point being that they are not significantly
> slowed by this sort of preventative medicine. And anyway, assuming
> you're running the latest version and therefore "safe", it makes no
> difference anyway.
>
>
> Now, you might be considering scenario 3: Zero-day exploits. An
> exploit is discovered against the latest version, so there is a
> limited amount of time to exploit it before it is patched. Having your
> version hidden means you don't show up in searches for that version.
> Problem with that sort of thinking is that they're not searching for
> sites with a specific version. They just keep a single list of known
> websites for that sort of thing. When a zero-day is discovered, they
> spam it across to all of them. *Searching takes too much time*. It's
> easier to simply keep a list of a whole crapload of sites, then spam
> them all. And version checking is not done here either, because it's
> faster to attempt the hack than it is to a) check for vulnerability
> and then b) attempt the hack. Trying the hack takes the same time as
> checking for the version number, so why bother? Makes no sense.
>
>
> Hiding the version is simply ineffective, in all respects. It does
> nothing that is even slightly helpful for your site. It deters nobody.
>
> -Otto
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>



-- 
_________________________
             g30rg3_x
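The message above refers to "tactics to avoid disclosing this information" without naming any. The following is an added example illustrating what such tactics look like in practice; it is not code from this thread, from either poster, or from WordPress itself. It assumes a WordPress install where the file is dropped into wp-content/mu-plugins/, and it relies only on core plugin API hooks (remove_action, the `the_generator` and `login_errors` filters, the `template_redirect` action). The redirect target and the generic login message are constructed choices.

```php
<?php
/**
 * Plugin Name: Reduce information disclosure (added example, mu-plugin)
 *
 * Covers the three items named in the thread: version enumeration,
 * full path disclosure and username enumeration. Nothing here patches a
 * vulnerability; it only reduces what the site volunteers about itself.
 */

// 1. Version disclosure: WordPress prints <meta name="generator" ...>
//    in page heads and a <generator> element in feeds. Remove both.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Full path disclosure: a PHP warning shown in the browser carries
//    the absolute path of the file that raised it. Send errors to the
//    log instead of the response body.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );

// 3a. Username enumeration via author IDs: a request such as
//     /?author=1 is normally redirected to /author/<login>/, which
//     reveals the login name for that user ID. Intercept numeric
//     author probes before the canonical redirect (priority 10) runs.
add_action( 'template_redirect', function () {
    if ( is_author() && isset( $_GET['author'] ) ) {
        // Constructed choice: send the probe to the front page instead.
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3b. Username enumeration via the login form: the default errors say
//     whether the username or the password was wrong. Return one
//     generic message for every failure.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Read alongside Otto's argument: none of this stops an exploit attempt that is fired without a version check, so it complements keeping the install current rather than replacing it. What it does change is what a casual look at the HTML, the feed, an error page or the login form reveals, which is the privacy point g30rg3_x is making.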

