Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
305
hpr_transcripts/hpr0526.txt
Normal file
@@ -0,0 +1,305 @@
Episode: 526
Title: HPR0526: Interview with a whitehat
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0526/hpr0526.mp3
Transcribed: 2025-10-07 22:29:20

---

Let's have a look.
Hello and welcome podcast listeners, to Hacker Public Radio, I'm your host Fenix and I'm
joined tonight with fellow HPR host and new boy Tom McKenzie. Tom has been running
the recent series of interviews with Blackhats, which has had to make some reviews but
the latest episode has left everyone thirsty for more and on February the 13th, Tom released
an advisory with regards to a book. He also released a brief of concept for a bug that
he found in WordPress versions 2.9 and 2.91 and was later patched in version 2.92. So
without delay, welcome to today's guest, Tom McKenzie, hi Tom, how are you doing?
Yeah I'm doing good, Fenix, glad to be being interviewed by you, can follow us to the
bottom a little bit of up. If anyone, if any of the Hacker Public Radio
listeners are on aware, Tom and I podcast together on another podcast, we released the
shows on Hacker Public Radio as well but we're here, both podcasts and our podcast
called Trackset. So yeah, I know Tom a little bit and I heard about what was going on at
the time and Tom approached me, sorry I interesting getting the news about this this advisory
out. Tom, I think probably the easiest thing to do, I think to start off with should probably
get yourself to introduce yourself to the Hacker Public Radio listeners that might not have
time to cross you before. Yeah, that's fine, so I'm Thomas McKenzie, and my
screen name is Team at QK. I currently studying at Northumbria University at School Hacking
for Computer Security, so I'm in the first year. I have been involved within, well I've been
involved with computers since the age of 11, 12 and my dad's a big fan of, well he was a big
fan of binary coding, so I've been brought up around with that for a while and I built my
own computer when I was younger and then as I got into GCSEs I was interested in website building
and from there I went into web applications and that's where really like my love of security
came from, I'd say that I'm quite well, I'm quite well versed in web applications stuff and
currently just actually received a job for London Storm doing some web up testing, some network
penetration testing and yeah that's pretty much it, I mean I'm just regular 18 year old student
likes growing out to the pub and likes learning at uni. And Tom the, I suppose the next question
for me is, could you in layman's terms describe the bug that you found in there? At the time that
you released this I'm writing thinking that this was the the the the prescribed version of WordPress
that up to date version 2.9.1 I think it was at the time problem was in 2.9. Could you, because
I'm aware that many people on HPR probably run some versions of WordPress blog quite about
the current electronic community and might not come across this this report, but could you
kind of in layman's terms explain exactly what the bug was that you found?
Yeah well what I'll do is I'll just explain how I came about it because that's probably the
easiest way to do it. Yeah sure. And the first, your first of all after he was is that
I have a person on my blog at the moment called DAC Otter and he's currently doing a
guest series on cryptography and what I did is I created an account on my WordPress so that he
could upload them and what he does is he does draft copies and has them so that they're published
in the future so like at the end of the week so that I can check them before they go live.
Now I was sat in C Pro running at university when I got an alert saying that he posted one
and I checked it and as I checked it I looked at the it's called Permilinks in WordPress and it's
basically just like the URL and how the post is posted to the website and how it is shown in the URL
and it's like question mark P calls and then the number. I grabbed that and I put it into
I put it in the URL bar. Fairly in mind obviously this was a draft post at the time it actually
came within the title, the title of the post. So I played around with it and I did happy new year
2011 and anybody could see that as well. So from there I got a bit excited thinking you know
ebay, PlayStation, they all use it and imagine if you saw an announced PlayStation 4 or whatever
our famous you would be. So I went about researching a bit further into it. I got a bit further
and what Apple was is that the actual title book was part of the theme that I was running called
Pixel. I fixed that and got into it with the creator and the updated version of the theme. So
in actual fact I found two books one within the theme and one within the actual WordPress.
I went a bit further into it and I figured out that you can basically view trashed posts
by doing the exact same URL manipulation, URL traversing I think it's called. Basically in 2.9
WordPress incorporated a new feature called trash which is pretty much the same as Windows
and Microsoft's recycling bin. What it does is it doesn't delete the post it just puts it into
an allocated space and what that means basically you are able to still see the post when it's trashed.
So what it does is it doesn't just bring it in the title it actually shows the full deleted post
and I had a few posts that I was drafting and I thought nah you know that's a bit dodgy I may not
post that or you know I haven't got permission from whoever so I deleted it without realizing that
you know some of the that you could do a draft you could view them. So along with Ryan Jewhurst
we wrote a proof of concept which searched through each URL and found these posts and you could
view them on any WordPress version no matter which type of perm link they were running. So any
blog with any trashed post was vulnerable to the attack really that's the layman's terms that's
quite long. Tom let me get this right we write a blog post about something we save it in the drafts
then we decide we're not going to post this for whatever reason and we delete it and yet you've
written a proof of concept code that will enable good guys and bad guys to to to enumerate the
the the possible URL variations and retrieve what's in the trash is that that's that's right yeah
I mean that that's right yeah I mean not you you mentioned draft post not just draft post if you
posted anything as well and then decided now delete that or someone got into a tree and said
this was wrong or whatever and you deleted it doesn't get deleted it gets put into the trash so
basically this no matter how how the post was published or if it wasn't published when you click
the trash button then anyone can view it as if it was a normal post. Okay and I'm writing saying that
this is not an unauthorized user error and this is not to say that that basically it's not a random
robot that can do it that you actually have to have an account to log on be a subscriber someone
able to account but you do have to be authenticated that's right yeah I mean most
most themes actually don't have a link to register on people's blogs but a lot of people don't
realize is that within the admin panel of WordPress there is a button or an option to turn registration
off but what a lot of people didn't do is they didn't actually you did do that a lot of people
because obviously it's quite easy to use a lot of people just you know change the theme or
got rid of that part and just start yeah I'm safe but as long as you put wp hyphen register
dot php after the url and and most sites you can register you can register on the site and run
the script that you can find on my website okay so okay I think what would be really good at
this point is maybe to talk through the steps that you did to actually prove the vulnerability
okay yeah that's cool and you've got a bit complicated because obviously I mentioned before
about the theme and that kind of like threw me off course a bit because I thought well I found
this book on though maybe I haven't it's the theme and then well maybe there is a book there
and I got in touch with you and you gave me some advice and Ryan gave me a bit of advice
as well and gave me a lot of help and my guy off the course called Matthew Hughes gave me some help
and also did you ninja he gave me a hand as well in proxy yeah Ryan got in touch with him he's
in the proof of concept but basically I went about download in the old versions so I got 2.8.6
and I got 2.9 and 2.9.1 and I put the new virtual machines and I also put them in
used xamp to basically put them on my local machine and I did the same test over and over on each
one and I think I've got about 50 screenshots on my computer just documenting what I did
I then got in touch with Ryan we wrote the advisory together
and I went to go basically WordPress has this book system called Track and I went on there
and I searched for the book how I would explain it I mean on my website if you through it's on
the website it's name it a failure to restrict URL access and we got that like name from from
old wasp, old wasp has a similar vulnerability for something else and we basically got the title
from that so when I was searching track I was searching for you know failure to restrict URL
access or URL manipulation or enumeration and I didn't find anything so I thought well you know
I must have found this book so I tried going on tracking you know putting it up but there's
too many rules and regulations and to be honest like I just wanted to get it fixed so I emailed
security at WordPress dog and within an hour I got a reply from Ryan then
I got a reply and he basically told me I said will this fix it gave me a bit of code
tried out and said yeah that fixes it and what it basically did is there's already some pre-defined
code that says if it's in spam or if it's in the deleted folder or if it's in this folder
or whatever you can't view it and all he did was just moved trash up into the same
into the same part of the code there was a simple fix but obviously for some big companies
that were used WordPress there may be something in the trash that they don't want other companies to
see yeah if they're not keeping up to date with their advisories or their update policies
then they could still be vulnerable to it yeah I mean from there basically what I did is
you all got fixed a release the advisory and yeah when I went about my day got I was trying to
hit some of my website a lot of Google hits and that was pretty much about it really and then
you're going to ask me now about the the bus that came from it yeah I mean having some inside
of knowledge on the podcast does help yeah there's no there's no easy way of saying I believe a
couple of days afterwards they got raised to your attention that this wasn't a freshly discovered
vulnerability all that you were probably the first one from what I understand by the looks of
that you're the first one to recognize it as actually a security vulnerability it seems that
this bug was discovered previously and reported to WordPress you didn't do anything that's correct
isn't it but I think you were the first one to do to apply it in a hacking context and say
actually this is rather not a bug but rather a vulnerability that it could be exploited
yeah I mean then I'll mention the guy's name because at the end of the day you know this guy
this guy found it first so Caesar's grunt he's called he found a vulnerability and reported it
oh well he found a bug and reported it on track and from track you put it as like a medium like a
medium bug but as soon as it went on there it got moved straight down to low it wasn't considered
the only reason I can I can think why WordPress didn't do anything about it or it was it was
shunted to the back of a long queue is that if you look if you look on track it isn't explained
very well like all he says is he basically mentions trash he mentions about being able to see
some posts but he doesn't he don't go into detail he posts once and then that's it and then
somebody else tries to back him up so I think when I like I said when I searched track
I was looking for specific things I was looking for what I called what I called the air
what I called it so you know like I was looking for failure to restrict URL access
enumeration URL traversing then types of things and that's why I didn't find it and like you say it
came it came to my attention in quite a it was quite strong really the blog post that was on it
and I have received a few comments on my website which I haven't published that have been
quite offensive saying that you know I've stalled the idea or this isn't anything to do with me
you just got all the credit for it and well if that's what they want to think then that's fair enough
but I know you know and I know that Ryan Jewish knows and I know quite a lot of people on my course
know that I put hours into you know trying to prove this and actually liking any advisor do you know
I mean I mean in your in your defense I you know I spoke to you at the time about what I believe
to be an appropriate testing mechanism for doing this so just in my opinion I mean I read the
blog post just recently I thought it was a tight judgmental about lots of things it didn't really
take into account that yes okay this issue was reported it was reported in my opinion but bearing
in mind I'm a security guy so I tend to look at these things this way that it was reported in a
true developer's way of reporting problems that this is the problem with the code and this does this
and there was no for me there was no if you'd have looked at that you wouldn't have thought my
godness of vulnerability here your points absolutely right that a company could have could have had
data being released leaked for for quite a while now while this books are in in track for for
three what is it there three or four months or something three three months yeah that's right yeah
yeah I mean I thought yeah I thought it was particularly harsh and in your defense I was
definitely coming up and joining jump yeah I mean what are you supposed to do it I mean you draw
assembly to the Dan Kaminsky and and Moxie Marlon Spike found the null prefix SSL attack round
about the same time independently researchers do this all the time it's not it's not nothing new
I certainly wouldn't be questioning someone's honesty I mean this is
yeah that's what came across I mean yeah the thing the thing that I will say in the defense of the
blog post is that it was very well-argumented and the the guy I mean I've spoke to him since and
there's been no apologies or anything because there hasn't needed to be because the posters very much
argumented in the way that well maybe Thomas McKenzie did this and didn't you know didn't check
or didn't do this or do this or maybe the you know WordPress didn't do this or didn't do this or
maybe the original finder didn't do this didn't do this it was very argumented but in in in every case
it was really strong so if any of the people so if I'd read it if WordPress had read it if you
know if Caesar's grunted reddit he might have any of us might have felt upset about what this guy
posted I mean the only problem the only the only reason obviously that I am I seem to have come
out of it well I think I've come out of it good you know I mean but in the same time the same
the same time you know like to say I've had a lot of comments a lot of negative comments as well
so I think the only reason is because I am getting I am getting the credit for it and to be fair
I know I understand I mean I'm now going to jump to the other side of the fence you
front what front page news on the WordPress developers blog with this where you're not yeah
no I'm not just not just on the developers blog I was on the front page of WordPress
my name if you type it into Google has gone up to number three and considering that there
was a prime minister called Thomas McKenzie it's a very you know it's that's quite good to really
Tommy I just I didn't come how you can draw draw similarly between yourself and a prime minister now
I mean in defense of the dude that he raised some interesting questions but for me I'm going to
do this as a security dude I think you did this appropriately and did it in a right way
how you came about it this is the lesson this is the lesson that is very very important and I'm
quite sure that you're back this up you need to document everything you do when you discover
a vulnerability or a bug you need to you need to take care I've been just been reading the book called
Cook who's asked by a guy called Clifford Stoll who does uh who who was involved in in computer
security but be a long long time ago he was uh he's an old physicist and basically what he says is
in physicist circles you know if you don't write if you don't document it never happened and for
you it was probably very very handy to have a ton of actual proof that you went through these
processes and independently discovered this book um then the screen shots your documentation
your actual honesty integrity even though it should never have been questioned even if it was
questioned that you actually said know up here's the evidence here's the proof that I actually
did my work and I found it and I certainly am not guilty of stealing anything um yeah which is
the the lesson that I think is is incredibly important to take out of this apart from as well
that if you don't publicize vulnerabilities they don't get patched because you know credit where
credits do your proof of concept was the one that word price quoted and got if I'm correct to fix
out pretty quickly was it not within like three or four days or something it was it was within
two days yeah me well I had the unofficial either unofficial patch that they actually incorporated
into the into the official 2.92 within the hour so and I posted that straight on my website
I as soon as um as soon as they sent me the the code that fixed the vulnerability because that's
all it was it was just just another former sanitization um I as soon as I got I put it on my website
and uh that that was that that was you know people people's wordpresses were getting fixed
which you know props yeah what would you you know the fluffy question next what would you do
differently definitely um I'd probably take a lot more time finding out if it had been if it had
spoke about before or found out about before um I'd also as well hurt of
worked a lot harder in distinguishing the differences between the bug that I found in the theme
and the bug that I found within wordpress itself because that that really did put me off guard um
and it really did knock me for six just basically because I thought at first I found a wordpress
and then figured out I hadn't and then kind of thought that I did and then I thought I hadn't and then
I did and it took a lot I mean I can't remember when I spoke to you about it but I probably did
sit on it with it for a good for a good two good two weeks just thinking about what I can do to
document it what I can do to test it and I do remember ringing you and saying look I've I've got
this and I am struggling a bit can you give us an hand and you did point me in the right direction
with that and like say Ryan did give me a hand and Matthew used off my course gave me a hand with
it as well so um it was the biggest thing that I would do is probably just try and try and um
differentiate between the two bugs yeah I mean if I'm correct and and and remember why I said to
us was basically what you need to do is set up a number of test cases with themes with randomly
selected themes as well and so on and so forth it was just trying to lay out a scientific
proof of that that we took a random selection of themes and you know we made it work on one and
that was it was able to just partition where the the error itself lies I understand that
this is very very different web applications or it'll maybe in some ways web applications are
sometimes a little bit harder to to actually diagnose exactly what's going on because
they're basically multi-tiered services when we boil down to it um yeah so
everyone you the advice now the countermeasures to this is to update to 2.92 or or or keep it to
2.8.9 then 2.8.6 yeah I mean it's funny really because I've got obviously I like to say I've
got a lot of publicity about it and I've had a few job offers um I've got a few job offers on
from from people and from companies and I've had an interestingly I've had that I've had
nothing from somebody who wants me to test um to test their WordPress blog and I've been doing it
have come across a few things that they've inputted themselves on their own theme that you know
were a problem but the biggest the biggest thing is is they allow registration on the blog
as well as running the old version so the first thing I did was use the proof concept that me and
Ryan wrote and I numerated all the trash posts at the app so I would definitely agree that you
need to update um needs to update WordPress. I thankfully did the link for me next
what happened to you last week it's probably the easiest way of putting it on but on top of it you
joined a friend of Hucka Public Radio in Tracksack, Ryan Duhurster at random storm
um due to the work that you you'd found here um so I believe first and foremost congratulations
um so what will you be doing for for random storm?
um I I will be undergoing some training on network penetration testing and the reason for that is
because I can drive and obviously my holidays are coming up soon so I've got the summer coming up
and they want me to get get me on site so I'll be undergoing training for that and first and
foremost I'll be working alongside Ryan and also on my own and doing web application testing
and yeah that's basically it has been offered a contract which um it gives me a
part-time work and then also as the holidays come and um as the holidays come I will get some more
hours and can work can work a bit more and I can also obviously hopefully if it all goes well
other I've also got a placement for my third year and hopefully you know a job.
um Tom in in rock and up what do you what what what what is your advice to people that
find a vulnerability how do you think they should go about you know disclosing that and so on
and so forth um I definitely think it's worth getting a second opinion um or maybe a third or
even a fourth and getting somebody to try and help you help you you know along with that um
obviously as well go about checking it hasn't been talked about before and if it has
how um you're speaking about it differently how you're making it how you're going to make a
difference to what other people have said um but like you said before the biggest thing you need
to do is documentation um screenshots and bias labs and obviously you know times and dates of
everything that you're doing because um in the sake of web applications um I could test something
tonight uh midnight which is you know something that could happen I could test it and it could be
vulnerable I could then go write my report handy off to a client expect however much money
um I'm selling this this web application test for and then later I'll say well actually we've
just tried that and it you know nothing's happened so definitely document when everything's
happening as well um otherwise you're going to get yourself into a hole which you aren't going to
be able to easily come out of without having you know the documentation that we talked about before
so documentation documentation documentation documentation
uh to be honest yeah I'm kind of old-school when it comes to documentation I have to be honest
to do I uh I have some great advice from a friend of mine that the the Apatailinic Society leaves
you who is a morphel in Dondi for saying these very words that software is documentation and
documentation is software and I I couldn't agree anymore and certainly when it comes to
vulnerability it's the proof has to be has to be there um in wrapping up people can find your
blog post your blog at www.teamack.co.uk is that correct no no sorry it's um there's a couple
of ways to get to it there's www.teamack.uk.com uh Teamack.uk spelt TMAC.uk um you can get it to
it.com.co.uk um you can also get to it. Thomas McKenzie.co.uk Thomas McKenzie.net and I think
you can get it at Teamack.uk.net now oh no sorry can't not yet hello that's something that's coming up
you know enterprise enterprise was it was it like like a seven for one deal going on at the
domain register or something we'll be well wish so obviously like like you all know I'm at
university and I'm registering all these domain names when I've got the money and then I'm spending
the money thinking they've already gone out and then I'm up from down the line I'm going over
drawing in an overdraft I don't even have because because I've bought all these domain names two
months before and I believe you can be found on Twitter uh I'll personally put you Twitter handle
yeah it's uh Teamack.uk spelt the same as way before TMAC.uk and to anybody who's listening
who wants to be involved in the industry or is you know a prospective student for any university
theoretical hacking or even forensics it's definitely somewhere that you need to go on to
add me and give us a shout and I'll send you a DM or an email with everybody that you should
follow because without without Twitter um I wouldn't I wouldn't have probably got gone to the
on the course and probably wouldn't be in the position that I'm in now just because of all the
networking that I've got yeah okay we all know that security guys are Twitter junkers
free software guys are all identical by the way just a lot of free-tard listeners out there
so in wrapping up if you want to get involved in HPR the best way that you can help HPR
is maybe look at producing shows yourself you know if you have a friend who's found a vulnerability
and why don't you get a microphone and record it and release it to HPR or maybe you'll use a
group's having a talk and speaker doesn't mind you recording it if it is something that you're
interested in doing then why don't you contact Klaatu or enigma at hackpubbleradio.org all that's
left for me to do is firstly thank our guests tonight Thomas McKenzie and do make sure to
catch isn't if you were the black cat and go and visit his website and you can also catch him
on tracksack.com Tom from me thank you very much for for joining us at hackpubbleradio is there
anything you want to say to the hackpubbleradio a lot before you go yeah definitely there is one
thing I'm currently trying to start my own open source content management system it's very very
in the beginning stages this evening I've actually just written the login page
currently struggling with getting this md5 encryption working I'm not amazing at my php code
and just starting out so if there's anybody involved with any php code and I don't even know
any more than I do and do get in touch with me at my email which is teemac at teemacuk.co.uk
I'll get in touch with me on my website more on twitter just because I definitely definitely
appreciate some help with that and it will be on source for soon I hope
awesome what's a figure the name just make sure no one else is chosen it before you hear
you know what the name is right differently or something
all that left for me to do as well is thank you guys at home for listening to hackpubbleradio
and we'll catch you again on the next episode thank you very much goodbye
thank you for listening to hackpubbleradio
hpr is sponsored by caro.net so head on over to caro.nq for all of us in
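Review bot: the transcript body below the `---` separator is automatic speech-recognition output, and the same people and organisations are spelt differently from line to line (the co-author appears as "Ryan Jewhurst", "Ryan Jewish" and "Ryan Duhurster"; the guest's handle as "Team at QK", "Teamack" and "teemac"; the employer as "London Storm" and "random storm"; the earlier reporter as "Caesar's grunt"), so a host, guest or series search run against this text will miss or mis-rank the episode. Since the commit message says the loader indexes hosts and series, suggest taking person and series names from the structured header fields (Episode, Title, Source, Transcribed) or the HPR episode metadata rather than from the body, and documenting in the loader that the body is unverified machine text tied to the `Source:` audio URL. Worth documenting as well that the server should hand transcript text to MCP clients as quoted episode content rather than as instructions: the body is third-party spoken material and includes procedural statements about a WordPress trash-post disclosure, proof-of-concept scripts and registration endpoints that a client model should summarise, not act on.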