
Millions At Risk From Critical Vulnerabilities From WordPress Plugins

Posted by Unknown Lamer
from the just-use-ur-web dept.
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins." It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.

  • by dclozier (1002772) on Wednesday June 19, 2013 @01:49PM (#44051999)
    Just bad coding. Any language can be coded badly. (some more easily or accidentally than others)
    • by Anonymous Coward on Wednesday June 19, 2013 @01:54PM (#44052051)

      It's not bad coding, those are just misunderstood features. SQL Injection? - That's just a back door we left in for convenience.

    • by Anonymous Coward

      Just bad coding. Any language can be coded badly. (some more easily or accidentally than others)

      Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.

      • by Anonymous Coward on Wednesday June 19, 2013 @02:03PM (#44052141)

        I personally only use HTML9 Responsive Boilerstrap JS. If you're using any other framework then you're just wasting your time.

        Here's a link for you poor slobs that haven't jumped on the bandwagon.

        http://html9responsiveboilerstrapjs.com/

      • by ackthpt (218170) on Wednesday June 19, 2013 @02:08PM (#44052185) Homepage Journal

        Just bad coding. Any language can be coded badly. (some more easily or accidentally than others)

        Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.

        Assuming management or the analyst who specs the code gives the coder sufficient time to do it right.

        Something I continue to observe in outsourced code is an incredible sense of optimism regarding security. Not because the coder is a fool (well, he/she might be) but because security and good practices are not emphasised, time and cost of up front development are too often the deciding factors.

      • Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]

        ORA-00930: Unknown keyword FAVORITE following INSERT.

    • by Giant Electronic Bra (1229876) on Wednesday June 19, 2013 @02:11PM (#44052227)

      Some encourage it more than others, and some provide security-oriented features. For instance perl's taint mode is a great security feature. Truthfully strong typing and mature frameworks go a long ways, IF you know how to use them.

      HOWEVER all this is secondary. The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED. Any webapp is almost sure to have some sort of hole in it. You can plug them but it's tricky and no team will find them all. The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)? I taught web-app security and was one of the earliest people in the business, I'd never in a million years deploy one of these plugins for a client and not beat it to death with a fuzzer and 10 other things. This is just basic crap I was teaching in my college courses 8 years ago (and it wasn't exactly revolutionary then). Hell, I don't consider myself any sort of security genius by a long shot, but all I can say is that there are a lot of scarily ignorant fools out there...

      • by chuckinator (2409512) on Wednesday June 19, 2013 @03:20PM (#44053027)
        Auditing isn't cool and takes time that could be better spent posting pictures of food with a sepia filter on Instagram.
      • The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)?

        Because your client will want new plugins every week, gets tired of asking you every time, and wants you to set up the permissions so that the GUI plugin installer works ("what do you mean not a good idea? the last site I had worked that way and I never had any problems with it"), then proceeds to install all the plugins he needs to make his blog on cats and other larger-than-life stuff buzzword compatible.

      • There are so many aspects to everything, you cannot assume everyone is an expert on all areas required. You focus a lot on the security but I can bet your plugins would probably be extremely hard to integrate and use, look like crap and be a usability nightmare.

          • No, I wouldn't write them, I'd just security audit the ones I use. It's just insane to drop in an untested configuration of a webapp doing e-commerce. I don't care that someone else wrote it, I ASSUME they are security-incompetent and test.

          Granted, other people's responses to my post definitely explain why this crap happens, but it doesn't make it any less scary or eye-rolling. The real problem is people just don't have any idea how bad the stuff they can install free on their servers really is, unless they'

          • So what we need is a new language targeted at the Web with security being the first design rule.

            The language has to do everything to protect itself and the server, the programmer only calls dark boxes to do what he wants, i.e. no direct access to databases and similar insecure things.

            Why is it the programmers who are supposed to never trust their input data? Shouldn't that be the job of the language itself? I bet the language designers, who would only need to do it once and make it built-in, would do a much

            • SQL Injection

              What we need is for MySQL/MariaDB, PostgreSQL, FireBird, etc., to come configured so that database updates can only take place in stored procedures in which statement building isn't present; and that they also come configured so that when you create a database, two users/roles are created: a role with stored procedure execute privileges only, and the owner, and the database owner can only access the database through the command-line interface.

              In other words, what we need is for web programmers

      • by dgatwood (11270)

        The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED.

        Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....

        That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.

        If you really want the web to be more secure, we should:

        • Eliminate the PHP/Perl/Python mysql extensions. Force everyone to rewrite their software
        • Agreed. At least with Perl there IS a taint mechanism and it generally works as you describe (i.e. you can only untaint data by explicitly calling 'untaint()' or running it through a regex). If you properly use layers like Class::DBA you should never need to compose SQL or have SQL generated in-app, you should be entirely in bind-parameter land (and even that is normally hidden from view). I wrote an entire CMS/e-commerce platform in Perl 15 years ago using those tools. AFAIK no security holes were ever uncov

          • by dgatwood (11270)

            IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.

            The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and th

            • by The Cat (19816) *

              aren't always keeping up with the latest programming languages

              This is the problem right here. The "latest programming language" is buggy crap.

              • by dgatwood (11270)

                Ah, but the latest programming language is buggy crap because the senior people aren't pushing to improve it and the junior people lack the skills. It's a Catch-22/chicken-and-egg sort of problem.

                • by ttucker (2884057)
                  The world needs the next programming language like I need to have 12 more anuses on my body.
                  • by dgatwood (11270)

                    <sarcasm>But you'd be a superhero. We could call you Rectum Man. "My plants were all dying for lack of fertilizer, and I didn't know what to do. But then Rectum Man came to help. Thank you, Rectum Man!" Everyone needs 12 more anuses. Everyone.</sarcasm>

                    What it comes down to is best summarized by this obligatory XKCD [xkcd.com]. Just s/standards/programming languages/g. Alternatively, s/standards/web frameworks/g. And so on. This is why we have Perl, PHP, Python, Ruby, and whatever else has come

                      • Yeah, I was sorely disappointed when we went from a concentration on Perl/CPAN as the main resource for building web apps to 32 different interchangeable scripting languages which require the same libraries to be written over and over again and each has its own bugs. I mean, sure, perhaps it's arguable that Ruby is a better language than Perl, for example, but it's not that big a difference and clearly far too little focus has remained on actually writing and maintaining secure webapp code.

                      But, nobody is in c

                    • by The Cat (19816) *

                      The software market needs a return to basics.

                      There's a reason we still use grep. Because it was engineered properly.

                    • Yeah, agreed. I'm an old FORTH programmer, talk about basics. We got more done with that tool at a faster rate BY FAR than any other tool chain in the past 30 years.

      • by ttucker (2884057)
        So the code passes every audit in the book with a hacked together solution to each detected problem, do you really feel any safer? Auditing tools are fine, but certainly provide some false sense of security.
    • Not an unsafe language...

      Just bad coding. Any language can be coded badly. (some more easily or accidentally than others)

      "Bad coding" is similar to "no true Scotsman"; the goalposts are movable in hindsight. What really matters is how easily we can spot potentially-insecure code when we're browsing a codebase *before* it is exploited.

      Let's say our codebase contains, somewhere deep inside, a C function which tramples over unallocated memory. How likely are we to spot this bug as a maintainer, who may occasionally open the file for unrelated purposes? Not very, since unsafe C code looks pretty-much the same as safe C code.

      Likew

  • by Qzukk (229616) on Wednesday June 19, 2013 @01:49PM (#44052003) Journal

    It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.

    • by cold fjord (826450) on Wednesday June 19, 2013 @02:03PM (#44052143)

      More like every language can be used unsafely, and some have built-in weakness in addition. The C language and many of its derivatives have a number of issues that are well known and documented. In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.

      • by ewanm89 (1052822)

        Strictly speaking, it can't be impossible in any Turing complete language if you can do it in another Turing complete language. But the main point stands, the language doesn't matter, one can do bad things in any language.

      • by hairyfeet (841228)

        That is why I never understood the hatred for this or that language, i have seen some solid as hell programs in just about any language and I have seen absolute dogshit, again in just about every language.

        You can hand a scalpel to a skilled surgeon and he can save your life, you hand that same tool to an enraged chimp you are gonna get nothing but a mess. At the end of the day a tool will only be as good as its user, and a bad coder will make bad code, I don't care what language they choose. While some her

    • by tepples (727027)

      it WAS an image file you uploaded, right? It ended in .gif, right?

      I want to become something other than one of these "absolute retards" you mentioned. If GD returns sane values for the image's width, height, and MIME type [php.net], what dangers should I still be aware of?

      • by MtHuurne (602934) on Wednesday June 19, 2013 @02:40PM (#44052535) Homepage

        That's the wrong question: instead of performing a dangerous operation only if the input doesn't look suspicious, you should not perform the dangerous operation at all. So if the input data is supposed to be an image, pass it to a function that can only process images. That way, if an attacker does manage to sneak in PHP code disguised as an image, it will just trigger an error condition instead of being executed.

        • by Chirs (87576)

          Otherwise, it might be possible to create something that is simultaneously a valid image file *and* valid PHP (or SQL, or whatever) code and bypass any checks that you add to validate the file.

        • by tepples (727027)

          So if the input data is supposed to be an image, pass it to a function that can only process images.

          I was under the impression that getimagesize() (the linked function) is "a function that can only process images."

      • by Anonymous Coward on Wednesday June 19, 2013 @02:41PM (#44052541)

        They could exploit GD.

        The only solution is to have the user base64 encode the binary GIF data, print it and then snail mail it to you.

        You can then build a dedicated PC that's not on the network, type out the base64 data, decode it and confirm it's a valid GIF. Then connect that PC to the network and upload the GIF on behalf of the user.

        If the GIF was malicious you simply set that dedicated PC on fire, inform the user (via snail mail) "INVALID GIF IMAGE, PLEASE TRY AGAIN" and then buy another dedicated PC for the next GIF you receive.

        It's the only way to be safe. I do this with my site and so far so good: I launched one year ago and I've received 1 GIF so far 3 months ago and I'm about 75% done typing all the base64 data. I hope to confirm his avatar picture by July 1st!

      • by SirGarlon (845873)

        I can't answer your specific question (I am mostly ignorant of PHP), but perhaps I can be of help with the broader issue of helping people learn about secure coding practices.

        One of the basic principles of secure coding is to validate user input to ensure it is what you expect. If you are checking the image size and MIME type you are headed in the right direction. Whether you've gone sufficiently far, I'll leave to PHP experts.

        To get started learning more, you can do worse than the OWASP Top 10 [googlecode.com] (PDF) -- ski

      • by Qzukk (229616)

        For gods sake, don't include() it to send it to the browser, because it could be a valid image with in an EXIF tag.

    • by dkleinsc (563838) on Wednesday June 19, 2013 @02:50PM (#44052645) Homepage

      Every language is unsafe, but some almost try to be as unsafe as possible.

      For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.

      • by Dragonslicer (991472) on Wednesday June 19, 2013 @04:50PM (#44053959)

        For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.

        Depends on your definition of "fairly recently." PDO was available as an extension for PHP 5.0 (2004) and was included in the standard installation for PHP 5.1 (2005). There hasn't been any excuse not to be using it for at least 5 years.

    • by cjjjer (530715)
      I hate to say it but it sounds like PHP is the new classic ASP with regards to exploits...

      Not that I am saying classic ASP devs got any smarter they just moved from ASP to other forms of server scripting/languages.
      • So, you're saying that idiots that couldn't code ASP can't code PHP. Color me surprised then.

        ASP (or better ADO) has provided prepared statements [microsoft.com] for a long time. Not using them is not ASP's fault.

        Create a stored procedure and swap

        cmdPrep1.CommandText = "UPDATE titles SET type=? WHERE title_id =?"
        cmdPrep1.CommandType = adCmdText

        in that snippet for

        cmdPrep1.CommandText = "name of stored procedure here"
        cmdPrep1.CommandType = adStoredProc

        and you're even better.
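
Editor's note: the two exchanges above (dkleinsc and Dragonslicer on string-built queries versus PDO, and the ADO prepared-statement snippet) describe the fix without showing the vulnerable and the corrected form side by side on the same data. The following is an added example, not code from the thread or from any WordPress plugin. It assumes PHP with the bundled pdo_sqlite extension enabled so it runs offline; the posts table, its rows and the payload string are constructed for the demonstration.

```php
<?php
// Added example (not from the thread or any plugin): the string-built query
// the thread calls out, beside its PDO prepared-statement form, run against
// an in-memory SQLite database. Assumes the pdo_sqlite extension is loaded.
// The table, its rows and the hostile input are constructed here.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
    $pdo->exec("INSERT INTO posts (title, status) VALUES
        ('Hello world',        'publish'),
        ('Unreleased pricing', 'draft'),
        ('Board minutes',      'private')");
    return $pdo;
}

// Vulnerable: the same shape as the old mysql_query("... '$var' ...") code.
// Whatever the request carries becomes part of the SQL text, so a single
// quote in it changes the structure of the query, not just a value.
function postsByStatusUnsafe(PDO $pdo, string $statusFromRequest): array
{
    $sql = "SELECT title FROM posts WHERE status = '" . $statusFromRequest . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the SQL text is fixed at prepare() time; the value travels as a
// bound parameter and can never alter the statement's structure.
function postsByStatusSafe(PDO $pdo, string $statusFromRequest): array
{
    $stmt = $pdo->prepare('SELECT title FROM posts WHERE status = :status');
    $stmt->execute([':status' => $statusFromRequest]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo     = makeDb();
$honest  = 'publish';
$hostile = "publish' OR '1'='1";   // classic tautology payload, as it would arrive in $_GET

var_dump(postsByStatusUnsafe($pdo, $honest));
var_dump(postsByStatusUnsafe($pdo, $hostile));
var_dump(postsByStatusSafe($pdo, $honest));
var_dump(postsByStatusSafe($pdo, $hostile));
```

With the honest value both functions return only "Hello world". With the tautology payload the string-built query returns all three titles, the draft and the private post included, because the WHERE clause has become `status = 'publish' OR '1'='1'`; the prepared statement returns an empty array because no row has a status literally equal to the payload string. Two caveats a practitioner will want: with the MySQL driver PDO emulates prepared statements on the client unless PDO::ATTR_EMULATE_PREPARES is set to false, so set it if you want the server rather than a client-side quoting routine to separate query from data; and binding only protects values, so table and column names, ORDER BY directions and LIMIT clauses still have to come from an allow-list in code.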

  • by schneidafunk (795759) on Wednesday June 19, 2013 @01:55PM (#44052065)
    According to the PDF [checkmarx.com], e-commerce plugins are in the list. I'm a bit surprised to see that, as I assumed developers would be thinking about security first with e-commerce.
    • by Vanderhoth (1582661) on Wednesday June 19, 2013 @02:01PM (#44052123)
      I agree it should be the first consideration, but the people who want the implementation are MBAs that care more about getting people's money, return on investments and how something looks rather than how secure it is.

      <sarcasm>Why pay money up front for security you might never need? It's better to wait until something does happen, like millions of credit card numbers are stolen, and give the money to the PR people to clean up the mess. It's way cheaper if the gamble pays off.</sarcasm>
    • by Bogtha (906264)

      I assumed developers would be thinking about security first with e-commerce.

      These are developers who, when faced with the problem of how to build an e-commerce site, think "I know, I'll use my favourite blogging software". Assuming they can tie their shoelaces is a stretch, let alone thinking about security.

      Right about now, somebody is champing at the bit to reply saying that Wordpress has outgrown its blogging roots and is now a proper CMS. I invite anybody tempted to believe that nonsense to look

  • by dkegel (904729) on Wednesday June 19, 2013 @01:57PM (#44052089) Homepage
    The solution is easy: hosting providers should be required to continuously run vulnerability scanners, and instantly take down any sites which have known vulnerabilities. As a bonus, it would clear out a lot of crap sites.
    • I don't know about "should be required", who's going to require them, Congress? DOJ?

      However the smarter ones do just what you described, out of their own self interest. My hosting company contacted me once about a vulnerable Mambo extension they found.

      • by dkegel (904729)

        Congress, say.

        And of course 'instantly' would be too gestapo for real life. We'd really want a grace period with escalating warnings, followed by fines, followed by pulling-the-plug.

        And it'd be much better if industry came up with this on its own first. What's the state of the art?

        Rackspace talks about security,
        http://www.rackspace.com/managed_hosting/services/security/ [rackspace.com]
        but doesn't seem to offer proactive vulnerability scanning, and if they did, they would charge for it instead of just doing it.

        Godaddy s

    • Re: (Score:2, Insightful)

      by amicusNYCL (1538833)

      The solution is easy: hosting providers should be required

      The solution is authoritarian.

  • by xenoc_1 (140817) on Wednesday June 19, 2013 @02:27PM (#44052393)

    Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship ID done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)

    For more laughs, their version of All-In-One SEO is downlevel. Exactly what Checkmarx themselves warn against. They are on 1.6.14.6, current version is 2.0.2. [wordpress.org]

    Yeah, I'm gonna listen to them about WordPress security.

    When you click through their blog to the actual PDF report [checkmarx.com], guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.

    But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
    Cool vendor in application security.

    • by St.Creed (853824)

      But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
      Cool vendor in application security.

      Visionary just means they paid Gartner. The Cool vendor means they took 'em to a brothel as well.

      Okay I'm joking. Still... the fact they were whoring out "pattern based strategy" (you had to pay to use the term) not long ago leaves me wondering.

  • People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.

    The moment a company decides to use Wordpress as their underlying site "technology", it's game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.

    So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.

    If you want to blog online, use Facebook or

    • nobody sets up their own blog anymore, that is so early 21st century.

      Shit, is it mid-century already? Where the hell does the time go?

    • If you want to blog online, use Facebook or Twitter or any other established social platform

      Maybe I don't want the advertising that goes with a platform like that, or the space limitations, or the way they assert copyright on the stuff I create, or maybe the WP blog is just a front-end for a domain name that's primarily there for e-mail, or...? There's a lot of reasons to run something like WordPress, and social media as you suggest is not a fix-all substitution.

      Besides, it's not like Facebook and Twitter have never been hacked... they're big juicy targets with the number of users they have and th

    • The moment a company decides to use Wordpress as their underlying site "technology", it's game over.

      Like CNN, NYTimes ... ?

      This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.

      Actually originally and for a long time, it was a blogging platform ... for people who write blogs. Not really for housewives and the like.

      So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.

      "if" ? If your aunt had a dick she'd be your uncle.

    • People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.

      Hi there. I'm a web developer. Nice to meet you. There, now you know a web developer who likes (and extensively uses) WordPress

      The moment a company decides to use Wordpress as their underlying site "technology", its game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.

      WordPress was originally designed as a blogging platform for

      • Of course, there are many security-related plugins for WordPress so I'd love to see a "SQL Injection Attack Detector" plugin that would scan other plugins and report to the admin/webmaster/whoever when it finds something. (Whoever wants to develop this, you can use my idea for just a lifetime license to your plugin.)

        Replying to my own comment, but after writing that, I did a quick search and found this plugin: BulletProof Security
        http://wordpress.org/plugins/bulletproof-security/
        It claims to protec

  • Never use a module if you can possibly avoid it, and keep everything you use patched up to date.

    That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.

    Pulling in a dozen wordpress plugins (or a dozen CPAN modules, or the Ruby or Python equivalents) so you can avoid learning how to unpack a trivial format is the road to software maintenance hell...

    • That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.

      Because one set of eyes always catches more bugs than thousands?

      Just use Foo:Bar qw(enBlob unBlob) to limit your surface.

  • Which Ones?!?! (Score:5, Insightful)

    by Rob Riggs (6418) on Wednesday June 19, 2013 @02:44PM (#44052581) Homepage Journal
    What an absolutely useless article and report. Scaremongering at its best, with no actionable content. Which plugins have vulnerabilities? Can they be mitigated through configuration changes or do they need to be disabled/uninstalled? What is the potential exposure? Those are the sort of things a computer professional needs. Where are the damned CVEs?
  • My wordpress blog might get compromised. Let me jump right on that little emergency...
  • It seems like I read a version of this article about once a month. Seems like Wordpress is always not-too-far-away from some amazing catastrophe that will cause Western civilization to collapse.

    I have been looking around for a new blog platform in order to redo my personal website, which is an aging Joomla 1.x system (and actually works fine, thank you very much, I just wish the URLs weren't so awkward). As far as I can tell, the entire rest of the world abandoned everything other than Wordpress, but actu

    • by Geeky (90998)

      I had a look at Concrete [concrete5.org], but to be honest it's the ubiquity of Wordpress that appeals to me. I avoid plugins wherever possible, and the ones I do use are mainly on the admin and content creation side rather than presentation of content.

      The popularity of it means that I can quickly find answers and code snippets when I want to do something, and I feel I have the experience to sort good suggestions from bad.

  • Wordpress is the most popular web publishing platform and, IMHO one of the worst implemented pieces of software. Last time I looked their coding practices were ancient (even by PHP standards). I know that popular stuff attracts crappy coders, but it's so crappy that it either will force you to write crap or frustrate you so much that you don't even care.

    The wordpress phenomenon never ceases to amaze me. I know it's nothing special, cause there's probably tons of crap in proprietary closed-source software th
