<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Wordpress on System Overlord</title><link>https://systemoverlord.com/tags/wordpress.html</link><description>Recent content in Wordpress on System Overlord</description><generator>Hugo</generator><language>en-us</language><managingEditor>david@systemoverlord.com (David Tomaschik)</managingEditor><webMaster>david@systemoverlord.com (David Tomaschik)</webMaster><lastBuildDate>Wed, 10 Sep 2014 22:54:52 +0000</lastBuildDate><atom:link href="https://systemoverlord.com/tags/wordpress/index.xml" rel="self" type="application/rss+xml"/><item><title>[CVE-2014-5204] Wordpress nonce Issues</title><link>https://systemoverlord.com/2014/09/10/cve-2014-5204-wordpress-nonce-issues/</link><pubDate>Wed, 10 Sep 2014 22:54:52 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2014/09/10/cve-2014-5204-wordpress-nonce-issues/</guid><description>&lt;p&gt;Wordpress 3.9.2, released August 6th, contained fixes for two closely related
vulnerabilities (CVE-2014-5204) in the way it handles Wordpress nonces (CSRF
Tokens, essentially) that I reported to the Wordpress Security Team. I&amp;rsquo;d like
to say the delay in my publishing this write-up was to allow people time to
patch, but the reality is I&amp;rsquo;ve just been busy and haven&amp;rsquo;t gotten around to this.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; Wordpress &amp;lt; 3.9.2 generated nonces in a manner that would allow an
attacker to generate valid nonces for other users for a &lt;strong&gt;small&lt;/strong&gt; subset of
possible actions. Additionally, nonces were compared with &lt;code&gt;==&lt;/code&gt;, a
string comparison that is not constant-time, which leaves the nonce check open to a
timing attack (although one that is very difficult to execute in practice).&lt;/p&gt;</description></item><item><title>Welcome (back) to Drupal!</title><link>https://systemoverlord.com/2011/03/23/welcome-back-to-drupal/</link><pubDate>Wed, 23 Mar 2011 01:21:23 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2011/03/23/welcome-back-to-drupal/</guid><description>&lt;p&gt;
	Regular readers of my blog may have noticed a significant change.  As of about midnight last night, I had completed the migration of my site from Wordpress 3.1 to Drupal 7.  A few features are not yet implemented, including automatically posting my blog entries to Twitter, but the RSS feeds do work.  Additionally, some of the RSS feed URLs have changed, so please check your feed readers.&lt;/p&gt;</description></item><item><title>Welcome to Nginx!</title><link>https://systemoverlord.com/2011/01/23/welcome-to-nginx/</link><pubDate>Sun, 23 Jan 2011 17:49:21 +0000</pubDate><author>david@systemoverlord.com (David Tomaschik)</author><guid>https://systemoverlord.com/2011/01/23/welcome-to-nginx/</guid><description>&lt;p&gt;If you're reading this, it's thanks to Nginx.  As of about midnight last night, all content on SystemOverlord.com is being served up by Nginx.  I did this for two reasons: Nginx has a much smaller memory profile than Apache, which is important when running on a 512MB VPS, and Nginx's preferred PHP path is through a FastCGI interface, which allows me to run separate PHP FastCGIs under different users for each application on my server.  Privilege separation for different webapps has always been a big thing security-wise, and I'm glad I was able to get it going with a minimum of fuss.  &lt;a href="http://wordpress.org"&gt;Wordpress&lt;/a&gt;, &lt;a href="http://nginx.org"&gt;Nginx&lt;/a&gt;, &lt;a href="http://mysql.com"&gt;MySQL&lt;/a&gt;, and &lt;a href="http://ubuntu.com"&gt;Ubuntu Server&lt;/a&gt; powered, all on a &lt;a href="http://www.linode.com/?r=680a893e24df3597d32f58cd41930e969027dc06"&gt;Linode VPS&lt;/a&gt;!&lt;/p&gt;</description></item></channel></rss>