Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Internet Databases Privacy Technology

Severe SQL Injection Flaw Discovered In WordPress Plugin With Over 1 Million Installs (bleepingcomputer.com) 61

According to BleepingComputer, "A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database." The plugin's name is NextGEN Gallery, which has its own set of plugins due to how successful it is. From the report: According to web security firm Sucuri, who discovered the NextGEN Gallery security issues, the first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on his site. This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site's URL as the user navigates through photos. Sucuri says that an attack can modify link parameters and insert SQL queries that will be executed by the plugin when the attacker loads the malformed URL. This happens due to improper input sanitization in the URL parameters, a common problem with many WordPress and non-WordPress web applications. The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes. Sucuri says the plugin's authors fixed this flaw in NextGEN Gallery 2.1.79.
This discussion has been archived. No new comments can be posted.

Severe SQL Injection Flaw Discovered In WordPress Plugin With Over 1 Million Installs

Comments Filter:
  • by Anonymous Coward

    It's known for being so secure!! How could this happen??!?!?

  • It's so secure written in the professional engineered PHP and is known to auto update for folks without I.T. departments and does sanity checks for SQL statements. How could this possibly happen?!

    • It's so secure written in the professional engineered PHP...

      If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...

      • It's so secure written in the professional engineered PHP...

        If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...

        Absolutely. I use Erlang Outlaw Techno Psychobitch like all the cool kids [youtu.be]

  • Friends don't let friends use wordpress. Give your friends cocaine, it's better for them.
  • Did you really name your son Robert'); Drop Table Students;--?
  • Jesus wept (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Tuesday February 28, 2017 @08:19PM (#53950513) Journal

    "...This happens due to improper input sanitization in the URL parameters"

    Not this shit again. Look kids, use parameterized queries (prepared statements) or a decent sanitizer library (there are several available that are actually very good).

    To get hacked because of poor sanitizing of inputs is downright embarrassing in this day and age.

    • by Tablizer ( 95088 )

      I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using. Maybe I'm doing it wrong, but I'm disappointed with them.

      Everyone wants sites ASAP and cheap, but debugging them is not ASAP and cheap. Grumble grumble.

      • I find parameterized queries a pain to test and troubleshoot on some platforms....

        You need more training before you write anything that uses a database. Parameterized queries in PHP are easier to use and read than inline SQL, and are trivially easy to see the actual SQL the RDBMS is using.

        Maybe I'm doing it wrong, but I'm disappointed with them.

        If your statement is a true reflection of your opinion of parameterized queries, then: yes, you are doing it wrong.

      • by mark-t ( 151149 )

        I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using. Maybe I'm doing it wrong, but I'm disappointed with them.

        You're right....

        You're doing it wrong. Prepared statements are absurdly easy in any remotely modern rdbms, often even cheaper and easier than constructing the entire sql string yourself.

      • by dave420 ( 699308 )

        You can usually get the raw SQL out of it somehow. It's no excuse. You also have access to the SQL server logs, including the queries run against it.

    • And this is why Drupal has a layer to handle this stuff for you. Now, granted, they did screw it up the first time and actually create a hole in it, but at least they fixed it rapidly :)

      • Drupal does a decent job of sanitizing stuff. I use a sanitizer from a place called jetscripts that seems to work very well. I've thrown a ton of stuff at it and haven't been able to by spoof it yet.

  • by OhSoLaMeow ( 2536022 ) on Tuesday February 28, 2017 @08:32PM (#53950561)
    Sanitize [xkcd.com]
  • I bet there is somebody, somewhere, that is actually surprised about this. And they're probably using a Mac.
  • I've gotten tired of script kiddies banging down my virtual doors because of PHP and MySQL. These days I'm converting my websites to static websites by using Pelican (Python). There's no bragging rights in hacking HTML files.
  • if ($wordpress = $secure){
            $nukes_armed = true;
            echo "Welcome mr president!",
    }

MS-DOS must die!

Working...