http://bugzilla.opensuse.org/show_bug.cgi?id=1118065 Bug ID: 1118065 Summary: WordPress 4.9.8 packages have a vulnerability in ownership of files Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Apache Assignee: bnc-team-apache@forge.provo.novell.com Reporter: david@kronlid.net QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- My web server recently got hacked a couple of days ago: Running WordPress 4.9.8 from "server repo" on OpenSUSE 42.3 with apache 2.4 and php 7.2. These specific files were installed on my system from this location: http://download.opensuse.org/repositories/server:/php:/applications/openSUSE... wordpress-4.9.8-1.1.noarch.rpm wordpress-apache-4.9.8-1.1.noarch.rpm wordpress-plugins-4.9.8-1.1.noarch.rpm wordpress-themes-4.9.8-1.1.noarch.rpm wordpress-themes-collections-4.9.8-1.1.noarch.rpm The hack modified: wp-config.php to point to another external database loading the content of the web page from that database instead akismet.php had a part of code added a file called wp-upd.php was uploaded containing the same code that was added to akismet.php I have installed no other plugins from the internet. I'm wondering if there is something the people doing the wordpress packaging from OpenSUSE side to prevent this type of attack from being done? The protection of wp-config is inefficient as /etc/wordpress/wp-config is owned by wwwrun and this hack used this ownership to be able to overwrite the file with it's own database settings (and while accessing the file it could also read my old settings). My manual prevention for this attack is to make wp-config readable by wwwrun but only writable by root. Maybe almost all wordpress files should be read only by wwwrun as wordpress is a very common target for hackers? I haven't read through all the logs yet, so at time of writing I don't know if the vulnerability used to modify the files was in apache or wordpress or php. But anyhow it can be solved the same way by protecting the files from being overwritten by an attacker by changing the files ownership and rights if the attack was done through apache or wordpress who use wwwrun. -- You are receiving this mail because: You are on the CC list for the bug.