Shellshock vulnerability check for WordPress

A serious Bash vulnerability has been discovered on Wednesday (first public mention of it seems to be this post on seclist continuing here with more details). This allows an attacker to execute any code on a vulnerable server. This is even more serious than the heartbleed vulnerability that swept through the Internet couple of months ago.

This is not a WordPress vulnerability, but a server vulnerability. It threatens to become one of the most widespread and dangerous exploits with serious security implications (it received both Impact and Exploitability scores of 10/10). If you have a server, own/manage websites or use a Mac – read on.

Do you have vulnerable bash?

There are several ways you can test.

(Update: ManageWP WordPress plugin and ManageWP code snippet now test for both disclosed shellshock vulnerabilities CVE-2014-6271 and CVE-2014-7169 )

1. Use Shellshock check WordPress plugin

ManageWP released a WordPress plugin that checks if your server has vulnerable version of bash installed.

Download Shellshock check WordPress plugin

To use it, just install the plugin and click Run test.

Sheelshock Vulnerability check WordPress plugin

2. With ManageWP

If you own/manage multiple sites, we have published a code snippet which allows you to check all your websites with a click of the button.

Access it through Tools -> Code Snippets (available to Professional and Business plan users, as well as trial users). Scroll to public snippets and locate ‘Shellshock vulnerability check’ then click Load.

Load Shellshock test snippet
Load Shellshock test snippet

This is what the snippet looks like.

Shellshock test snippet
Shellshock test snippet

Select sites you want to check for vulnerability and click Execute. You will get a response that will look like this.

Results

Note that if a server is vulnerable, all sites on the server will report vulnerability.

3. If you have admin access to your server

If you have shell access to your server you can run this code.

 env x='() { :;}; echo VULNERABLE' bash -c 'echo hello'

If you see the string VULNERABLE in the output your bash is vulnerable.

How does Shellshock work?

This is the official explanation on NIST:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Specific examples of how to use the exploit are already plentiful and include scripts that detect vulnerable servers and access the password file, basically possibilities are endless.

What can you do?

If you have access to your server simply update bash via

yum update bash

or

apt-get install --only-upgrade bash

If you do not have access then you need to contact your server/hosting support and point them to this post, they will know what to do.

Shellshock also affects Macs. Useful information for Mac users can be found here.

For more detailed analysis of the exploit see here.

We will follow the proceedings of the event and update you with the most important information accordingly.

Vladimir Prelovac

Vladimir is the Founder of ManageWP, and is a frequent contributor to the WordPress community - in the form of numerous plug-ins, tools, WordCamp talks and a book by the title WordPress Plugin Development.

25 Comments

  1. Mike

    Great Post. I personally used the Unix code to check for the vulnerability and patched it using Yum. Really simple to do.

    If you’re using WordPress hosting or a managed hosting service, it should be your host which checks for this, and not you. Get what you pay for and demand patching.

  2. jjsararas

    Wow this is really great. Another ‘5 minutes instead of 2 hours’ moment. Thanks for being so on top of this Vlad and team, instills even more confidence.

  3. Jacqueline Hill

    OMG I didn’t think it was possible butI love ManageWP even more now

  4. francois

    Thank you for the heads-up and the service of the plugins/code ! Much appreciated.

  5. Zak Cagaros

    Have any websites been compromised with this vulnerability?

  6. ManageWP

    The WordPress plugin is now hosted at the WordPress.org repository https://wordpress.org/plugins/shellshock-check/

  7. ttownsend

    As a long time PAYING customer…I too am disappointed you are not providing access to this TOOL for a SECURITY issue of this magnitude. Pretty poor excuse here “advanced in nature and may cause more requests to our support team”. The reason many are using the Standard Plan has NOTHING to do with expertise. Try again !!

    1. ManageWP

      Unfortunately changing the way account privileges and entire application works is not switching a button. I hope you understand. We do care about the entire WordPress community and that is why we also released a free WordPress plugin which does the same check.

    2. clayasbury

      This is a professional courtesy above and beyond ManageWP’s TOS and what most vendors are doing – even those in the hosting and security space.

  8. alvin.caoyonan

    Thanks guys. Vulnerability check was quick and easy.

  9. loris

    Thank you for this!! Another great reason for being your customer 🙂

    1. ManageWP

      Thanks Loris!

  10. lauraldunkley

    Thank-you! It worked. You guys make it so easy to manage multiple websites.

    1. ManageWP

      Thanks Laura, glad to be of help 🙂

  11. Not Enter

    Thanks been nice expression.

  12. cliff

    Terrific service. Thank you, ManageWP!

  13. rjdougan

    I am getting a false positive per one of my hosts. I contacted the host after the plugin scan state the server was vulnerable. They have advised me that that patch has been installed. Is anyone else getting a false positive on a server still being vulnerable?

  14. SusanMarshallVA.com

    In ManageWP, there is an option to Make it public. Can you tell me what is being made public and to who?

    Also, for those sites identified as Vulnerable, what should I be asking of the respective web hosting companies?

    1. Vladimir Prelovac

      You should not do anything else but to point your host to this post.

  15. Mikhail Levin

    It would be very NICE, if that “Tools/Code Snippet” was enabled for the subscribers of the Standard Plan too. Even to a Free subscribers…

    With high critical nature of this issue it would be very useful to have ManageWP’s help identifying the vulnerability for all subscribers, not only those who pay more money.

    Without it the value of the Standard Plan appears less appealing. And free subscribers will be cut off too.

    As with a case with a Backup tool – the quality of your service is much more valuable than a quantity.

    Thanks.

    1. ManageWP

      Thanks for the suggestion. It is something we may consider, the Code Snippet tool has always been a part of the Professional plan as it is advanced in nature and may cause more requests to our support team (especially if we opened it to free users). It is always a matter of balance. Note that we also released a plugin which allows everyone (not just ManageWP customers) to check for vulnerability.

      1. duane.stevens

        Only instructions for Plug-in is to “run test.” Where? I’ve installed and activated. Where do I look to run the test?

        1. duane.stevens

          Settings | Shellshock

  16. Dave Clements

    It seems that your shell commands (and thus, probably your WordPress plugin) only consider the initial exploit, CVE-2014-6271 and not the second one that was uncovered yesterday, CVE-2014-7169. You might want to look at shellshocker dot net for the latest information on what the exploits are and how to patch them.

    1. ManageWP

      Thanks Dave! We will take a look into this and update accordingly.

      Update: both vulnerabilities are now being checked against!

Leave a Reply

Your email address will not be published. Required fields are marked *

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!



Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!



Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!



Have questions? Get in touch!