Wow. Comments below if you want!
Whilst I’m sure (HMRC guy’s name – redacted)’s intentions are good, his facts are wrong, his diagnosis incorrect and his advice is at best misinformed, at worst misleading and incorrect.
I hope this is all reassuring and would be happy to explain/discuss further.
---- Forwarded email in chain ----
Re your suppliers response, no, it demonstrates a complete lack of understanding! The article (client’s name – redacted) article they point to is not using the logo that was in use and I don’t quite see what their point is about a Google search for the HMRC logo – it’s utterly irrelevant. So it’s a simple question to them:
It’s not irrelevant.
I can find HMRC logos on any one of a number of sites – e.g. https://www.google.co.uk/search
I can then find one of those images, e.g. http://www.greatergrassmarket.co.uk/files/large/1d7762586980be0
And use it wherever I like, e.g. https://pragmatic.agency/test-2/ (that image is not hosted on our server, it’s ‘hot-linked’ from the original hosting – this is exactly what happened with the original issue this morning). (Footnote: I subsequently added a hot-linked image from the HMRC website to that test post, just for lulz.)
It’s worrying that (HMRC guy’s name – redacted) doesn’t understand how this all works if he’s giving advice out.
If our version of WordPress is not vulnerable to a file upload vulnerability, please explain how this HMRC logo came to be hosted on our service making us vulnerable to its misuse?
“Because an authorised user uploaded it to the WordPress CMS intentionally”
Now of course if you know you were meaning to host this logo then that’s one thing, but I doubt you were
Why is that doubtful? There’s a logo on that post and it seems entirely likely that someone would have uploaded a previous version and then swapped it for the current, sexier one.
, and so how then did it get there? The answer is; it was almost certainly uploaded via a WP vulnerability. I’m afraid WP is notorious for this type of weakness.
Poorly maintained WordPress, yes.
Indeed, looking at the Google search they provide I can see an example of the logo you were hosting. And its URL…
It was uploaded through the CMS. The logo on that post is now different, but our diagnosis is that the logo was uploaded through the CMS but then later a different version was used – for whatever reason. I can tell that through file modified dates and the fact that different image sizes were produced and the media item was ‘attached’ to that post, neither of which are usually the case with file upload vulnerabilities.
http://(a different site’s domain – redacted).co.uk/wp-content/uploads/2013/08/hmrc-logo.png
Note the path…wp-content/uploads – the same path that ‘your’ copy of the logo was under.
That’s the default WordPress media uploads directory/file structure and doesn’t prove a thing.
Guess what…they too have been ‘hit’ in the same way you were.
I’m afraid you didn’t ‘get unlucky’, someone put this logo on your site for a purpose and if it wasn’t you – which would be my guess – then you have to wonder who it was.
It was a (client’s name) authorised user, I’m pretty certain.
I’d need to know which version of WP you’re on, but you might take a look at the list of current WP vulnerabilities. For instance (and noting your site looks like it was built in 2013):
You’re on the latest version of WP (screenshot attached). You’re also on the WP Engine platform which has a vast array of security precautions in place.
I’m afraid most media companies have little idea of how their favourite tools are regularly subject to compromise and fail to keep up to date with revisions. I’d suspect this is your issue…
You’d suspect wrongly, (HMRC guy’s name – redacted), in this case.
I note they say “to the best of their judgement” you’re not vulnerable. Well, it’s simple really: have they updated you to the most current recommended release? (4.1.1 released 18-Feb-15 by the way)
Yes, we have.
My guess is you are on 3.5 or 3.5.1 based on a 2013 site refresh (guessed from inspection of WordPress versions documentation).
Drupal (an alternative content management system) tends to be more explicit about versions to use (and not use).
WordPress are also very explicit about versions to use and not use.
You might like to point them to http://codex.wordpress.org/Hardening_WordPress#Vulnerabilities_in_WordPress and the advice:
If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
Thanks. I wrote a post about this: https://pragmatic.agency/update-wordpress/
So really they shouldn’t “to the best of their knowledge” think you’re not vulnerable, they should know that you *are* on an up to date version…but my guess is you’re on whatever version they built the site on…
We know that you are on an up to date version. That doesn’t mean that there’s not a plugin vulnerability, now or previously, and that this isn’t a file upload vulnerability. But we’re undertaking every best practice security precaution we can and whilst we can’t be 100% sure that there isn’t a vulnerability somewhere, it’s a very diminishing possibility: hence ‘to the best of our knowledge’.
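The diagnosis in the middle of the chain rests on three signals that a legitimate WordPress media-library upload leaves behind and a file merely dropped into wp-content/uploads does not: an attachment record in the CMS, the intermediate image sizes WordPress generates next to the original, and matching file modification times. The script below is an added example (not code from the original post, from WordPress, or from WP Engine) that turns those signals into a triage pass over an uploads tree. It assumes the attachment records are available as a set of relative paths of the form WordPress stores in the `_wp_attached_file` post meta (e.g. as exported with WP-CLI or a database query); the sample directory tree, file names and timestamps it builds are constructed for the demonstration.

```python
"""Triage files under wp-content/uploads: distinguish a normal WordPress
media-library upload from a file that simply appeared on disk.

Added example, not code from the original post or from WordPress. It models
three signals named in the email thread:
  1. a media record exists for the file (here: a set of relative paths in
     the form stored in the `_wp_attached_file` post meta of an attachment),
  2. WordPress generated intermediate sizes (name-WxH.ext) next to it,
  3. those sizes were written at about the same time as the original.
All sample files, paths and timestamps below are constructed for the demo.
"""
import os
import re
import tempfile
import time
from typing import Dict, List, Set

# A WordPress-generated intermediate size is named <stem>-<W>x<H>.<ext>
SIZE_VARIANT_RE = re.compile(r"^(?P<base>.+)-(?P<w>\d+)x(?P<h>\d+)\.(?P<ext>[A-Za-z0-9]+)$")

# Original and its thumbnails are written in the same request, so their
# modification times should agree to within a few seconds (assumed tolerance).
MTIME_TOLERANCE = 60.0


def is_original(filename: str) -> bool:
    """True for a file that is not itself a -WxH size variant."""
    return SIZE_VARIANT_RE.match(filename) is None


def find_size_variants(directory: str, filename: str) -> List[str]:
    """Return the WordPress-style resized variants of `filename` in `directory`."""
    stem, ext = os.path.splitext(filename)
    variants = []
    for name in os.listdir(directory):
        m = SIZE_VARIANT_RE.match(name)
        if m and m.group("base") == stem and "." + m.group("ext") == ext:
            variants.append(name)
    return sorted(variants)


def classify_uploads(uploads_dir: str, attached_files: Set[str]) -> Dict[str, str]:
    """Walk `uploads_dir` and give each original (non-variant) file a verdict.

    `attached_files` holds relative paths such as "2013/08/hmrc-logo.png",
    the form WordPress keeps in `_wp_attached_file` for each attachment post.
    """
    verdicts: Dict[str, str] = {}
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if not is_original(name):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
            has_record = rel in attached_files
            variants = find_size_variants(root, name)
            orig_mtime = os.path.getmtime(full)
            same_batch = all(
                abs(os.path.getmtime(os.path.join(root, v)) - orig_mtime) <= MTIME_TOLERANCE
                for v in variants
            )
            if has_record and variants and same_batch:
                verdicts[rel] = "media-library upload"
            elif not has_record and not variants:
                verdicts[rel] = ("no attachment record and no generated sizes: "
                                 "not a normal CMS upload, investigate")
            else:
                verdicts[rel] = "inconsistent signals: review manually"
    return verdicts


def build_sample_uploads() -> str:
    """Create a constructed uploads tree: one genuine-looking upload, one stray file."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(base, "2013", "08")
    os.makedirs(month)
    now = time.time()
    # A media-library upload: original plus the sizes WordPress would generate,
    # all stamped an hour ago (constructed).
    for name in ("hmrc-logo.png", "hmrc-logo-150x150.png", "hmrc-logo-300x145.png"):
        path = os.path.join(month, name)
        with open(path, "wb") as fh:
            fh.write(b"\x89PNG fake image bytes")
        os.utime(path, (now - 3600, now - 3600))
    # A file that just appeared on disk: no variants, no record, fresh timestamp.
    stray = os.path.join(month, "dropped.png")
    with open(stray, "wb") as fh:
        fh.write(b"\x89PNG fake image bytes")
    os.utime(stray, (now, now))
    return base


# Constructed stand-in for the `_wp_attached_file` rows of the site's attachments.
SAMPLE_ATTACHED_FILES = {"2013/08/hmrc-logo.png"}


if __name__ == "__main__":
    uploads = build_sample_uploads()
    for rel, verdict in sorted(classify_uploads(uploads, SAMPLE_ATTACHED_FILES).items()):
        print(f"{rel}: {verdict}")
```

On a real site you would point `classify_uploads` at the actual uploads directory and feed it the attachment paths from the database rather than the constructed set; a file that lands in the third "inconsistent" bucket (a record but no sizes, or sizes with a timestamp gap) is the one worth pulling the web-server and CMS logs for, because it is neither clearly a normal upload nor clearly a stray file.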