Over the past few years, I’ve developed quite a fondness for WordPress, the platform on which this site is built (you can view the source of this site over on GitHub). You may have come across one of my WordPress plugins, WP Password Generator or WP Client Reference, both of which are available through the WordPress plugin repository.
Latest Blog Posts
My wife, Kim, and I just got back from a week abroad in Iceland — our first trip out of the country together since our Jamaican honeymoon and the first trip away from our toddler for more than a long weekend.
First of all, photos cannot capture the beauty that is Iceland. The mountains, the waterfalls, and the views are things you have to see in person. From the enormous glaciers to the east to the vibrant capital of Reykjavík in the west, Iceland is every bit what the guidebooks and travel blogs make it out to be.
For our trip, we wanted to be able to take in as much of Iceland as possible without losing the freedom to move at our own pace. As a result, we opted to rent a car at the airport, drive along the southern end of the country (staying just outside of the town of Vik), see the southeast end of the glacier field, then end the trip in Reykjavík.
Now that we’re back, I wanted to share a few things that I wish I had known before heading to Iceland.
A few days ago, a YouTube video was passed around a few Slack teams I’m a member of showing a proof of concept of an unauthenticated remote code execution vulnerability in WordPress core (in other words, a way for people to execute arbitrary code on your server, which is obviously bad). The video, posted by Dawid Golunski of Legal Hackers, purported that the vulnerability was exploited against a clean installation of WordPress with no plugins and only the default configuration.
This morning, Dawid’s new site, ExploitBox, posted details about the vulnerability. In short, by spoofing a request’s “Host” header, it’s possible to trick WordPress into sending a password reset email with a return path pointing to a domain you control.
The author goes on to hypothesize that if an attacker were to first overload the target’s inbox with large messages (effectively filling it to the point that it couldn’t hold more messages), this would cause the mail host to “bounce” (reject) the message, returning it to the sender (the attacker). Assuming the returned email contained the body of the original message, the attacker now has the link that will allow them to change the user’s password.
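As an added example, not code from the post or from WordPress itself, the Python below models how the default sender address is derived from SERVER_NAME (and so from the Host header on servers that echo it), then shows two defender-side checks: a Host allowlist with a pinned From address, and a scan over constructed access-log lines for password-reset submissions that carry an unexpected Host. The hostnames, the pinned address and the log format are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: the hostnames this site legitimately answers to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop any :port suffix."""
    return host_header.split(":", 1)[0].strip().lower()

def default_sender(server_name: str) -> str:
    """Sender WordPress falls back to when nothing pins it: wordpress@<SERVER_NAME>
    minus a leading 'www.'. If the web server fills SERVER_NAME from the request's
    Host header, whoever sends the reset request picks this address."""
    name = server_name.lower()
    return "wordpress@" + (name[4:] if name.startswith("www.") else name)

def hardened_sender(host_header: str, pinned_from: str = "wordpress@example.com") -> str:
    """Two independent defences: refuse Host values outside the allowlist (what a
    catch-all default server block does) and pin the From address (what a
    wp_mail_from filter does), so the Host header never reaches the envelope."""
    if normalize_host(host_header) not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return pinned_from

def is_reset_request(path: str) -> bool:
    """True for wp-login.php?action=lostpassword, whatever the query order."""
    parts = urlsplit(path)
    return parts.path.endswith("/wp-login.php") and \
        parse_qs(parts.query).get("action") == ["lostpassword"]

def suspicious_reset_requests(log_lines):
    """Flag reset submissions whose Host header is not one of ours.
    Constructed log format, one request per line: '<host> <method> <path> <status>'."""
    hits = []
    for line in log_lines:
        host, method, path, _status = line.split()
        if method == "POST" and is_reset_request(path) \
                and normalize_host(host) not in ALLOWED_HOSTS:
            hits.append(line)
    return hits

# Constructed sample log: three legitimate lines, one reset request with a foreign Host.
SAMPLE_LOG = [
    "www.example.com GET /wp-login.php?action=lostpassword 200",
    "www.example.com POST /wp-login.php?action=lostpassword 302",
    "example.com:443 POST /wp-login.php?action=lostpassword 302",
    "attacker.invalid POST /wp-login.php?action=lostpassword 302",
]
```

Note that most default access-log formats do not record the Host header; the scan only works once the web server is configured to log it.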
Though it was only a few short months ago that I left my Lead Web Engineer position at 10up to join Growella as their Director of Technology, today is my last day in that position. It’s not a decision I’ve arrived at lightly, but it’s a move that I feel is necessary for my career satisfaction.
I’m extraordinarily proud of what I’ve accomplished in my few months at Growella; our small team was able to take the site from concept to release in less than two months, rolling out the “Prime” release on January 17. I pitched, built, and have been writing weekly on the Engineering @ Growella blog, a place to discuss how we approach engineering challenges at Growella. Growella’s GitHub organization has a number of open-source contributions to its name, including several WordPress plugins, a WP-CLI package, and several contributions to other open-source projects.