Archive for September, 2008

Bad Behavior 2.0.24

September 25th, 2008 by Michael Hampton

Bad Behavior 2.0.24 has been released. It is a maintenance release and is recommended for all users.

MediaWiki and WordPress users should take note of special upgrade instructions below.

Who should upgrade?

Users whose sites target the Amazon Kindle, or who have readers viewing their sites on the Amazon Kindle, should upgrade. Users whose sites are aimed at smart phones and other wireless devices should also consider upgrading, since Kindle users may form a portion of your audience.

What’s new?

New in this release (since 2.0.23):

  • Due to a bug in the Amazon Kindle Basic Web service, Kindle users are unable to browse more than one page of a Bad Behavior-protected site. Amazon has been notified of the problem. This release provides a temporary workaround which will allow Kindle users to view your site.
  • One additional email address harvester has been identified and blocked.

Support

If Bad Behavior has helped you, please make a financial contribution toward further development. Your contribution ensures that I can prioritize Bad Behavior development. Otherwise I must spend most of my time on other projects which pay the bills. Which is a shame, because I really enjoy making spammers miserable and drying up their revenue streams until it’s more profitable for them to work at McDonald’s than to send spam.

Download

Download Bad Behavior now!

Special Upgrade Instructions

Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):

For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.

For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.

For other platforms: No changes to your upgrade procedures should be necessary.

Security issue in the TTC Tripwire WordPress plugin

September 1st, 2008 by Michael Hampton

The TTC Tripwire plugin for WordPress intends to notify users of files which have recently been modified. An issue exists where an attacker can trivially bypass this plugin’s check and modify a file without the plugin’s user being notified.

Discussion

This plugin checks the file modification times of all files in a given directory and displays to the user those files whose modification times are within the last n days, where n is selectable by the user. However, the modification time (mtime) is trivial to change using the utime system call (SetFileTime on Windows) or wrappers for this call such as touch. The inode change time (ctime) is more reliable as it cannot be changed to arbitrary values (except on Windows, which uses “creation time” and which can be changed by the user).

While hashes and digital signatures would be more robust for detecting unauthorized changes to files, any warning is preferable to none when an attacker intends to make subtle changes to a Web site that will go unnoticed. This happened recently when malicious attackers modified various WordPress web sites to add backlinks to the attackers’ own web sites for commercial gain.

Users of this plugin may falsely believe that files have not changed when they in fact have been altered.

Workaround

Change the occurrences of filemtime in lines 75 and 78 of ttc-tripwire/ttc-tripwire.php to filectime.

Use of Windows as a web server operating system is not recommended. Move to a Unix based server (e.g. Linux, Mac OS X) if possible.
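To make the Discussion and the Workaround concrete, here is an added example (not code from the post or from the TTC Tripwire plugin) that reproduces the plugin’s “modified within the last n days” test in Python against both the mtime (filemtime) and the ctime (filectime), and sets a content hash beside them as the more robust baseline the post mentions. The scenario, file names and contents are constructed: a scratch file is given an mtime a month in the past, then rewritten with its old mtime put back via utime, exactly the case the post describes. On Unix the kernel bumps ctime on every write and on the utime call itself, so the ctime check and the hash check both report the change while the mtime check stays silent; on Windows st_ctime is creation time, so the ctime verdict there is not reliable.

```python
import hashlib
import os
import tempfile
import time

DAY = 86400


def recently_modified(path, days, use_ctime=False):
    """Mirror the plugin's test: is the file's timestamp within the last `days`?

    use_ctime=False corresponds to filemtime(), which the plugin ships with;
    use_ctime=True corresponds to filectime(), the workaround above.
    Caveat from the post: on Windows st_ctime is creation time, not change time.
    """
    st = os.stat(path)
    stamp = st.st_ctime if use_ctime else st.st_mtime
    return (time.time() - stamp) <= days * DAY


def sha256_of(path):
    """Content hash, the baseline a hash-based tripwire would store per file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_keeping_mtime(path, data):
    """Rewrite a file and put its previous mtime back, which utime/touch permit.

    The kernel still updates ctime on both the write and the utime call, which
    is why filectime() sees the change and filemtime() does not.
    """
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo(days=7):
    """Constructed scenario: an 'old' plugin file is altered behind the check.

    Returns one verdict per detection method; only filemtime misses it.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plugin.php")  # constructed file, not the plugin
        with open(path, "wb") as f:
            f.write(b"<?php // original plugin code\n")

        # Make it look like a file last edited a month ago (constructed value).
        old_ns = int((time.time() - 30 * DAY) * 1e9)
        os.utime(path, ns=(old_ns, old_ns))
        before = sha256_of(path)

        overwrite_keeping_mtime(path, b"<?php // altered contents\n")

        return {
            "filemtime_reports_change": recently_modified(path, days),
            "filectime_reports_change": recently_modified(path, days, use_ctime=True),
            "hash_reports_change": sha256_of(path) != before,
        }


if __name__ == "__main__":
    for method, verdict in demo().items():
        print(f"{method}: {'CHANGED' if verdict else 'unchanged'}")
```

The comparison is the point: a timestamp the file owner can set is not evidence of anything, a kernel-maintained one is only evidence on systems where it really is kernel-maintained, and a stored hash reports the change on every platform.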

Exploit

One would think something so trivial would not need a demonstration, but based on the plugin author’s response, apparently it does. This demonstration code has been wrapped into a WordPress plugin. The plugin modifies the “Hello Dolly” plugin which ships with WordPress, altering the lyrics that it displays, and preserving the file modification time. Upon activation, the Hello Dolly plugin will be modified, and the TTC Tripwire plugin will not report that it has been modified. The demonstration plugin works on most shared web hosting providers.

(Use of a WordPress plugin is only one of many ways in which an attacker might change files on a web server; it is the method used here solely for the convenience of users who may wish to prove this issue to themselves.)

Vendor Response

The author of the plugin publicly posted details of the issue which were disclosed to her privately and has stated her intention not to fix the plugin.

Not content with merely mishandling the issue from start to finish, the plugin author was also very unfriendly about the whole situation, as the comments she posted on her own blog illustrate. An example follows:

I asked you first thing this morning to leave a comment here, state your case and offer up something better. I encourage public comment.

In truth this person discourages public comment.

You didn’t have to threaten, I encouraged you to go public several hours ago. Which you chose not to do. I even offered to link to a better plugin or what ever you had to offer.

I don’t know what this means; I wrote no threats.

Please, we would all love for you to update Bad Behavior and write a better tripwire program. I write plugins to do what I need that has not yet been done. It is not my main interest. I would much rather just download what I need and not have to write everything myself.

So quit your bloody whining and do something constructive.

What whining?

And this author edited this particular comment to be more hostile than it originally was. At first it merely read: “I write in the hope that people will extend them and improve them. It is my hope that if you can do a better job you will in fact do so and release a better version of my plugin to the public.”

Miscellaneous

I may be using this situation as an example of what not to do when I make a presentation on WordPress security at WordCamp New York next month. Tickets are still available but they’re going fast.