WPTavern: WordPress 4.8.3, A Security Release Six Weeks in the Making
WordPress 4.8.3 is available and is a security release for 4.8.2 and all previous versions. This release addresses an issue with $wpdb->prepare() that could lead to a potential SQL injection. While WordPress core is not vulnerable, hardening has been added to prevent plugins and themes from inadvertently causing a vulnerability.
If you’re experiencing a bit of déjà vu, it’s because WordPress 4.8.2 attempted to solve the same problem. According to Anthony Ferrara, who reported and disclosed the vulnerability, the patch in 4.8.2 didn’t solve the underlying problem and broke many sites.
Ferrara says he reported the issue immediately after 4.8.2 was released and was ignored by the WordPress security team for several weeks.
“When I got the attention of the team, they wanted to fix a subset of the issue I reported,” he said. “It became clear to me that releasing a partial fix was worse than no fix (for many reasons). So I decided the only way to make the team realize the full extent was to Full Disclosure the issue.”
Full Disclosure is the process of publicly sharing technical details of a vulnerability so that the public knows the same amount of information about it as hackers. The threat of full disclosure is typically used to pressure businesses and software creators to act swiftly and release patches as soon as possible.
On October 26th, Ferrara used his Twitter account to notify the public that WordPress contained a serious SQLi vulnerability and that because he lacked confidence in the team, fully disclosing it was his only option. His message was retweeted 562 times and liked by 484 people.
The publicity his tweet received had an impact: on October 27th, Ferrara reported that constructive discussions had resumed with the team and that he would delay the disclosure until October 31st.
RE: WP Issue: constructive discussions have resumed with the security team. I will be delaying FD until at earliest the 31st.
— Anthony Ferrara (@ircmaxell) October 27, 2017
On October 27th, Ferrara spoke to a member of the WordPress security team who brought a fresh set of eyes to the problem. “A security team member who hadn’t yet participated in the thread went back to the beginning of the thread and re-read every post,” he said.
“He (correctly I may add) summarized the entirety of the issues, as well as asked a few clarifying questions. He also asked for a little more time but gave me a target of Tuesday, October 31st so it wasn’t wide open. This was the response I was looking for the entire time.”
Both parties collaborated on a patch that fixed the issue and WordPress 4.8.3 was released. Although his experience started out frustrating, Ferrara is hopeful that the team will do better with future reports.
“I get that there are competing priorities,” he said. “But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification. And ask for help. Overall, I hope the WP security team moves forward from this. I do honestly see hope.”
Aaron Campbell, WordPress Security Team Lead, says that although there were some rough patches in working with Ferrara, they were able to work together to get a fix released in the end. While the threat of full disclosure didn’t have a huge impact on getting the vulnerability patched, it may have been the catalyst to get a new person involved in the process.
“A threat of disclosure certainly adds pressure and possibly stress, but doesn’t actually change the overall equation that much,” Campbell said. “An issue isn’t more severe because it’s going to be disclosed, but it can become more rushed (meaning a higher likelihood of mistakes).
“In this case, I actually think the threat of disclosure ended up coinciding with one of the people from our security team joining in to help out. The new person was much better at communicating with Anthony, and it really turned things around.”
In the official release post, the WordPress Security Team thanked Ferrara for practicing Responsible Disclosure. This generated some conversation on Twitter about whether responsible disclosure should be renamed to coordinated disclosure.
Stop calling it “responsible disclosure”. It’s “coordinated disclosure”.
— Scott Arciszewski (@CiPHPerCoder) October 31, 2017
“I’m not sure I know what the terminology change would be aiming to accomplish,” Campbell said. “I do see that some places use this particular phrasing, but honestly I don’t see how it conveys anything that’s not already generally understood with responsible disclosure.”
Users are encouraged to update their sites to 4.8.3 as soon as possible. Since this release changes the behavior of esc_sql(), developers are highly encouraged to read this dev note on the Make WordPress Core site.