Severe SQL Injection Flaw Discovered In WordPress Plugin With Over 1 Million Installs (bleepingcomputer.com)
According to BleepingComputer, "A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database." The plugin's name is NextGEN Gallery, which has its own set of plugins due to how successful it is. From the report: According to web security firm Sucuri, who discovered the NextGEN Gallery security issues, the first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on his site. This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site's URL as the user navigates through photos. Sucuri says that an attack can modify link parameters and insert SQL queries that will be executed by the plugin when the attacker loads the malformed URL. This happens due to improper input sanitization in the URL parameters, a common problem with many WordPress and non-WordPress web applications. The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes. Sucuri says the plugin's authors fixed this flaw in NextGEN Gallery 2.1.79.
Not Wordpress!! (Score:1)
It's known for being so secure!! How could this happen??!?!?
Re: (Score:2)
Yah, toldja to use SharePoint. *head duck*
Well there's your problem (Score:2)
NextGEN Gallery is maintained by Imagely. We're the WordPress photography experts.
Hey Imagely, maybe you should hire a programming expert to write your code while you take pictures.
Re:Sanitizing Untrusted Input (Score:4, Insightful)
I'm also glad I don't use PHP
The is crap written in EVERY language, and variations of C are certainly not immune to this. I can write code that accepts unsanitized input in any language you choose.
Re: (Score:2)
Re: (Score:2)
The is crap written in EVERY language
Including English, it seems!
Re: Sanitizing Untrusted Input (Score:2)
Re: (Score:2)
Actually, to some degree, PHP is the issue. PHP has supported ways of performing MySQL queries that use placeholders for many years, but they also resisted breaking existing code by ripping out the old interfaces for way longer than made sense. Note that in PHP 7, they finally removed them, so we should start to see PHP app security improve dramatically as panicked admins realize that they have to replace all this crappy code.
Re: (Score:2)
Re: (Score:2)
Yes, but when you have an API that is known to be fundamentally insecure, keeping it around for more than a decade solely to preserve code compatibility is generally a really bad idea that can only encourage the proliferation of dangerous code copied from other dangerous code. The assumption was that PHP 5 would be replaced by a new major version that broke backwards compatibility after just a couple of years, but instead it took eleven.
Re: (Score:2)
Re: (Score:2, Insightful)
Because WP is the product of a lousy team with the lowest possible standard of practices, their tradition since 2004. Those attitudes permeate throughout the WP "development" landscape. If the core presented best practices and enforced using them, so many vulnerabilities would have been mitigated. Not only is WP shitty code, it begets shitty code.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
The fact that application documentation is trying to teach security practices that any programmer of the language should already know is a great indication of the quality of programmers involved in the Wordpress ecosystem. If someone who is trying to create Wordpress plugins needs to rely on the Wordpress documentation for basic security practices, then it seems like the barrier to entry is too low. This is why Wordpress has the reputation that it does. On one hand it's great that anyone can make a plugi
Re: (Score:2)
> It's not that hard when I do it.
(...ehm, let's make sure we get the context right on that one.)
Of course, with you HeartBleed wouldn't have happened either I bet. Still really old code, open source and used almost everywhere, but it took years to catch it.
Never say never, it's so easy to judge with hindsight.
No way! (Score:1)
It's so secure written in the professional engineered PHP and is known to auto update for folks without I.T. departments and does sanity checks for SQL statements. How could this possibly happen?!
Re: (Score:2)
It's so secure written in the professional engineered PHP...
If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...
Re: (Score:2)
It's so secure written in the professional engineered PHP...
If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...
Absolutely. I use Erlang Outlaw Techno Psychobitch like all the cool kids [youtu.be]
Friends (Score:1)
Re: Friends (Score:2)
Re: Friends (Score:2)
Little Bobby Tables (Score:2, Funny)
Jesus wept (Score:5, Insightful)
"...This happens due to improper input sanitization in the URL parameters"
Not this shit again. Look kids, use parameterized queries (prepared statements) or a decent sanitizer library (there are several available that are actually very good).
To get hacked because of poor sanitizing of inputs is downright embarrassing in this day and age.
Re: (Score:1)
I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using. Maybe I'm doing it wrong, but I'm disappointed with them.
Everyone wants sites ASAP and cheap, but debugging them is not ASAP and cheap. Grumble grumble.
Re: (Score:3)
I find parameterized queries a pain to test and troubleshoot on some platforms....
You need more training before you write anything that uses a database. Parameterized queries in PHP are easier to use and read than inline SQL, and are trivially easy to see the actual SQL the RDBMS is using.
Maybe I'm doing it wrong, but I'm disappointed with them.
If your statement is a true reflection of your opinion of parameterized queries, then: yes, you are doing it wrong.
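The two comments above make the same point from opposite ends: concatenating a URL parameter into SQL is the bug, and a parameterized query is both the fix and no harder to debug. The block below is an added example written for this thread, not code from NextGEN Gallery, Imagely or the commenters; it uses Python's sqlite3 module instead of PHP/MySQL so it runs stand-alone, and the `pictures` table, its rows and the tag values are constructed sample data. The tag lookup mimics the "gallery by tag" request the article describes, once with string interpolation and once with a bound parameter, and `make_db` can record every statement the engine actually executes, which answers the "I can't see the real SQL" complaint.

```python
import sqlite3

# Constructed sample data: a stand-in for a gallery's picture table.
# "private" rows are ones a tag listing must never expose.
SAMPLE_ROWS = [
    ("beach.jpg", "beach", 0),
    ("sunset.jpg", "beach", 0),
    ("passport.jpg", "private", 1),
]


def make_db(trace_log=None):
    """Build an in-memory database. If trace_log is a list, every SQL
    statement sqlite runs is appended to it (newer CPython versions expand
    bound parameter values into that text), so the real SQL is visible."""
    conn = sqlite3.connect(":memory:")
    if trace_log is not None:
        conn.set_trace_callback(trace_log.append)
    conn.execute(
        "CREATE TABLE pictures ("
        "id INTEGER PRIMARY KEY, filename TEXT, tag TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pictures (filename, tag, private) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def pictures_by_tag_vulnerable(conn, tag):
    """The pattern the article describes: the tag taken from the URL is
    pasted straight into the query text. Anything the user puts in `tag`
    becomes part of the SQL, including quotes and comment markers."""
    sql = (
        "SELECT filename FROM pictures "
        "WHERE tag = '%s' AND private = 0 ORDER BY id" % tag
    )
    return [row[0] for row in conn.execute(sql)]


def pictures_by_tag_safe(conn, tag):
    """Parameterized form: the SQL text is fixed and `tag` is bound as a
    value, so it can only ever be compared against the tag column."""
    sql = "SELECT filename FROM pictures WHERE tag = ? AND private = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (tag,))]


def compare(tag):
    """Run both lookups for one tag value and return the results together
    with the statements sqlite actually executed."""
    log = []
    conn = make_db(trace_log=log)
    return {
        "vulnerable": pictures_by_tag_vulnerable(conn, tag),
        "safe": pictures_by_tag_safe(conn, tag),
        "executed": [s for s in log if s.lstrip().upper().startswith("SELECT")],
    }


if __name__ == "__main__":
    for t in ("beach", "x' OR 1=1 --"):
        result = compare(t)
        print("tag %r" % t)
        print("  vulnerable:", result["vulnerable"])
        print("  safe:      ", result["safe"])
        for stmt in result["executed"]:
            print("  ran:", stmt)
```

With a normal tag both functions return the same two public pictures. With a tag that closes the quote and comments out the rest of the statement, the interpolated version drops its `private = 0` filter and returns every row, while the parameterized version simply finds no picture tagged with that literal string. The trace log shows the exact statement each path sent to the engine, which is the point made above: bound parameters do not hide the SQL, and a database-side log or trace callback shows it whenever the client does not.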
Re: (Score:2)
You're right....
You're doing it wrong. Prepared statements are absurdly easy in any remotely modern RDBMS, often even cheaper and easier than constructing the entire SQL string yourself.
Re: (Score:2)
You can usually get the raw SQL out of it somehow. It's no excuse. You also have access to the SQL server logs, including the queries run against it.
Re: (Score:1)
I do? Don't let the DBA's know.
Re: (Score:2)
And this is why Drupal has a layer to handle this stuff for you. Now, granted, they did screw it up the first time and actually create a hole in it, but at least they fixed it rapidly :)
Re: (Score:2)
Drupal does a decent job of sanitizing stuff. I use a sanitizer from a place called jetscripts that seems to work very well. I've thrown a ton of stuff at it and haven't been able to spoof it yet.
Obligatory xkcd (Score:4, Funny)
Re: (Score:1)
But why are your alternatives, the COBOL and Lisp CMS so unpopular?
Surprised (Score:1)
Re: Who the fuck uses anything PHP in production? (Score:2)
I've been using PHP for many years, got a lot of hack attempts, but never got owned. So, give me your best shot [banshee-php.org].
Re: (Score:2)
Screw the script kiddies... (Score:2)
Re: (Score:2)
If pages can be static, why weren't they already?
The content was stored inside a MySQL database. I can export the database to a file and then run a script to convert the articles with metadata into Markdown files. Since I'm using Pelican as my static file generator, I can create scripts to convert Markdown files into Python data structures and create Jinja templates to manipulate the data structures. I also use JavaScript, JQuery and Bootstrap to create a responsive base template.
Maybe other environments don't give you the choice?
Other environments typically take six seconds to load the CMS first before s
Tremendous! (Score:1)
if ($wordpress = $secure){
$nukes_armed = true;
echo "Welcome mr president!";
}