I was at the 2013 WordCamp Boston (#wcbos) event and I remembered that recently I had to go in and start fixing some sites that were running 3.6.  The reason I had to do this was that they had been hacked: the person took control of the admin account and modified one of the theme's PHP files to advertise that the site had been hacked by some jerk.  I don't remember the hacker's name, nor would I want to advertise it.  So while there I decided to pose the question to some developers who also contribute to the core of WordPress, from one company that was one of the sponsors, so I felt I could respect their thoughts.

Mind you, once I upgraded to 3.6.1, none of the sites that had been hacked were hacked again, either due to the security hole being closed up or the hacker not trying again.  I hope it's the first one.  So I posed the question: did the release of 3.6.1 fix what appeared to be a security vulnerability where the hacker was able to change the admin's username/email/password?  The answer I got was that there is no way that the username can be changed through WordPress.  My initial thought on this answer was, well yeah, I could do a direct query to the database and change this username.  I mean, there are plugins that can do it, like Admin username changer.

So I decided to do a little research, and CVE-2013-4338 talks about how arbitrary code can be run through a security loophole: wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. So there has to be a way for a hacker to run a MySQL query statement through the code they are able to run within the site.

So even though someone is a respected developer in their own right, they might not know everything.  They should realize that they do not know everything and not say that there is no way for something to be done.  It just frustrated me to hear this person say, "I have not heard about any vulnerability like this and there is no way for someone to change the admin username within the system like that."  So if someone claims to know everything, take a step back and wonder if you really want to continue hearing their thoughts on the subject.  I mean, I play pool often, and when I hear someone say they are unbeatable I lose all respect for them, as no one is unbeatable.
