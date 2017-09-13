Backdoor Found In WordPress Plugin With More Than 200,000 Installations (bleepingcomputer.com) 51
According to Bleeping Computer, a WordPress plug that goes by the name Display Widgets has been used to install a backdoor on WordPress sites across the internet for the past two and a half months. While the WordPress.org team removed the plugin from the official WordPress Plugins repository, the plugin managed to be installed on more than 200,000 sites at the time of its removal. The good news is that the backdoor code was only found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2), so it's unlikely everyone who installed the plugin is affected. WordPress.org staff members reportedly removed the plugin three times before for similar violations. Bleeping Computer has compiled a history of events in its report, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. The report adds: The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites. Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase. A month after buying the plugin in May, its new owner released a first new version -- v2.6.0 -- on June 21.
I have pretty much given up at the idea of any somewhat ok CMS. They all are terrible, insecure, or take 6 months to figure out how they work for experienced programmers with clients who want things done yesterday. Drupal was such a nightmare that I never bothered to learn.
It seems easier to write your own code than to use such a system.
Wordpress is a joke. Easy to use but inpractical and a great example why you need an I.T. department to monitor and keep things upgraded.
Try Kirby CMS.
Roll your own and keep the source encrypted and under lock and key. If you don't have the resources for that. Then it's only a matter if time before your site is hacked if you're using and CMS
That's a recipe for disaster too. Security through obscurity won't keep you safe. You will not be able to think of all possible attack vectors. Other people will.
Agreed.
I built my own lightweight framework that I use for my clients projects.
I think it's a tradeoff. Do you need blogs, commenting, authentication, permission systems, easily updatable content by non-technical users, etc? For example, rolling your own authentication system is easy. Rolling your own that isn't vulnerable to DDOS and SQL-injection attacks is a really hard problem that people have already solved within most frameworks or CMS systems. In this case, a CMS might be worthwhile. However, ff you just need a couple of static pages that don't require regular changes, then skip it. But if the client can't be bothered to spend the money and time for regular maintenance and security patches, then they should just be directed to a WYSIWYG end-to-end system that offers the whole thing as a managed service.
I think it's a tradeoff. Do you need blogs, commenting, authentication, permission systems, easily updatable content by non-technical users, etc? For example, rolling your own authentication system is easy. Rolling your own that isn't vulnerable to DDOS and SQL-injection attacks is a really hard problem that people have already solved within most frameworks or CMS systems. In this case, a CMS might be worthwhile. However, ff you just need a couple of static pages that don't require regular changes, then skip it. But if the client can't be bothered to spend the money and time for regular maintenance and security patches, then they should just be directed to a WYSIWYG end-to-end system that offers the whole thing as a managed service.
There is Django and several frameworks that are easy to learn and fairly secure if you know what you are doing. How many sites need all these things CMS provides? If they do then a complex monster like SharePoint might be useful but these are small unless you work for a fortune 500 company.
The people who use Wordpress are small business owners and most customers who want something cheap to setup and forget. Wordpress is defective by design as it doesn't auto update and have all the plugins auto update and be 100% compatible with itself. The whole thing is defective by design as 75% of the people who use do not have an I.T. department unlike those who work with these monster CMS packages and even if they do have an I.T. guy or two they never will check Wordpress as the boss might be pissed if the update breaks something etc.
some people with word press don't get shell / ssh (Score:2)
some people with word press don't get shell / ssh to the server. So the small business who does not want to pay for that (added costs at some hosts)
And they need to make edits without waiting for some managed service to make even the very small changes.
HTML is also quite cheap and simple to setup, and simpler if it can be exported from a document editor (especially if that document editor can meaningfully handle multiple pages). If someone happens to have a decent website hosting service (one which updates software and keeps unrequested features disabled), that very simple solution is pretty unlikely to cause security problems.
If the website is mainly to promote a small business and provide contact information, with maybe an occasional blog post, chances
> HTML is also quite cheap and simple to setup
Never heard of it. Is it based on node.js?
Has it been 6 weeks since the last WordPress exploit was reported? That shit runs like clockwork.
WordPress is not a CMS, it's a blog script playing dress-up. It was lousy code when it was first vomited forth in 2004, and having not changed much since, is utterly horrendous code now.
I say things like that often, and from experience I know that the only defenses of WordPress that ever get offered are argumentum ad populum canards, "it's so easy" (you chose it for yourself, not based on client needs), and "I
It's not 1980 anymore and coding is commonplace, and with it, bad code. Still, writing bad code is job that pays the bills for a lot of people who couldn't do better. Wordpress is the fast food of web development... cheap and crappy, but available everywhere and easy to hire/fire for. For most of its uses (blogs and small biz sites), the cost of a Wordpress hack and the subsequent cost to fix it or even re-create the whole thing again from scratch is probably still several times cheaper than hiring a "prope
Outside of silicon valley not everyone knows code. That is the problem. People read a book or remember doing a hello world in HTML with Netscape back in the day and assume it is easy and uncomplicated and do not understand what is at stake and how the whole computing stack from the application layer down to the network and physical work and interact. Just because some sweet
.com sites work like magic means it was easy and simple to develop.
There is a market for those who buy template sites from hosts. They should stick with that if they do not know what they are doing or want to pay someone to develp and maintain.
The vast majority of people who deploy WordPress sites don't know a damn thing about development. They charge an unsuspecting rube $1200 or more to spend an afternoon configuring plugins and spending $50 on a theme. They don't know anything about code, server management, or anything actual developers would know.
[Avoiding] SQL-injection attacks is a really hard problem
NO! Avoiding SQL-injection vulnerabilities is a basic part of website coding and extremely easy to do [owasp.org], there is no excuse.
If you can't write a database-backed app that always uses prepared statements for every single insert, update and where clauses, in this day and age, you have no business releasing it, even internally. This is basic DB-related knowledge. It is trivial to prevent, with any effort at all.
I replied to parent, but there is a trick with MySQL--you can call the parameratized api call, but most MySQL drivers will convert this into raw SQL. In Wordpress, the internal api call to use a parameratized query will do this--on the wire and on the database, it is as if you never did this from a security point of view. I know as my company makes a product that can add a security layer to Wordpress between it and the database, and only for a few rare plugins did we have to support parameratized calls to
Parameteritized queries against MySQL are often converted into non-parameratized queries for performance reasons. This is the DEFAULT behavior of most MySQL drivers. Most programmers don't even know it is happening behind the scenes, and the protection they thought they have is lost.
Most programmers don't even know it is happening behind the scenes, and the protection they thought they have is lost
Some of the protection they thought they had is lost. Most the bugs at the driver layer are pretty well shaken out because they are so widely used and well tested. While its not impossible, Its still pretty unlikely.
I'm going to need a citation for that, because PHP's MySQL driver doesn't behave in that way and I can't imagine anyone else's MySQL driver being worse.
Not to mention a Google search reveals nothing and it would be a pretty common complaint if parameratized queries regularly broke when dealing with the ' character.
DIY CMS Blues [And here I thought SharePoint (Score:3, Interesting)
I've been down that road, but managers kept asking for additional features that were readily available in existing CMS's or their pluggins. I spent a lot of time re-inventing the wheel and was always behind.
I'd like to see more "generative" systems that generate static HTML from a CMS and uploaded automatically and periodically via a one-way FTP connection. (The internal draft may be dynamic.) It's harder to hack static HTML. I know generative
I do like your idea of a statically generated site. That is a good way to avoid security flaws in man
If you only put public-intended material on your Internet site, then there are no secrets there to steal. (Disable versioning also, relying on only off-server backups.) Vandalism would be the worse case, assuming you don't leave some loose FTP or network path back to your internal systems.
'd like to see more "generative" systems that generate static HTML from a CMS and uploaded automatically and periodically via a one-way FTP connection
This is what Jekyll does and it's supported by GitHub pages. It's very easy to set up so that a post-push git hook regenerates the site and sets the permissions so that the web server process can read it but can't write anything in that directory. The down side is that you don't get any dynamic content (comments and so on). I've never been quite motivated enough to write a comment system that stores everything in an append-only log and has write access to precisely that one file, so if it's compromised y
I've never been quite motivated enough to write a comment system that stores everything in an append-only log and has write access to precisely that one file, so if it's compromised you can always just roll back to the last pre-compromised state.
It probably makes more sense just to embed someone else's comment system at that point, even if you're hosting it, only separately from your main site.
Conflating nonfree & free software is the joke (Score:5, Interesting)
This situation doesn't back up your point at all. Technical considerations about features and what's easy to learn versus hard to learn are remarkably subjective. What's objectively clear is that Sharepoint (a proprietary CMS) doesn't allow users to inspect what it's doing, alter the code, or share improved versions. Any problems with Sharepoint have to be fixed by the proprietor (Microsoft), and a backdoor in Sharepoint may well not be viewed as something that needs to be "fixed" from the proprietor's point of view.
WordPress, by contrast, respects a user's freedom to run, inspect, share, and modify. Site owners can decide how much time and effort they want to put into keeping their WordPress install secure. If they find a problem, improvements can be vetted, shared, and completely understood. The limits of review and improvement are the site owner's to choose and site owners retain the freedom to fully control their site (so long as they host on free software systems). Even bad free software (for any definition of "bad") is better than nonfree software because users have software freedom. Writing one's own code would grant one the freedoms only Microsoft gets with Sharepoint.
It's not fair to WordPress to conflate a WordPress plugin with WordPress itself ("Wordpress is a joke") or being horribly vague about what is so bad about various free CMSes. WordPress can't take responsibility for what others put in their WordPress plugins. They can only delist the malware plugins and describe why users shouldn't run that plugin downloaded from another source.
Finally, your point fails to describe how this particular WordPress plugin is critical to useful WordPress sites. This matters to WordPress' main audience—nontechnical users—who might want to know why they should not want particular functionality the plugin ostensibly delivers, or how to get comparable functionality another way. Lots of users aren't technical and won't know why they shouldn't install a bunch of plugins, or how to vet the plugins they find provide genuinely necessary functionality (including not blindly accepting every upgrade but vetting the changes along the way). I don't like malware either, but it's not fair to conflate software freedom with non-freedom (as if nonfree software was inevitable or just as reasonable a choice, an alternative), or to blame one party (WordPress in this case) for another' choices, and objections are far more useful when they are specific.
It's not fair to WordPress to conflate a WordPress plugin with WordPress itself
The difference between Wordpress and other CMSes (like Drupal) is that their official repo [wordpress.org] has repeatedly served malware.
Drupal was such a nightmare that I never bothered to learn.
What version? I've been using it a long time, and it's come a long way, although it's always been pretty spectacularly easy to come up with a simple site. What's tough is migration between major versions, if you use many modules.
Next time hire competent staff. Difficult, but possible!
LOL not with code this shitty, at least.
what do you mean? thats just what happened.
however he/she who sold it should have been suspicious about selling it in the first place. why would you need to buy open source software? you wouldn't. what he was buying was the install base.
What's old is new (Score:2)
Same here with old WordPress plugins being bought and used to install backdoors in people's sites. One can assume that a tried-and-true plugin would be implicitly trusted which makes this case more unsettling.
I'm sure the WordPress team will be looking at ways to avoid a repeat, but I wonder: could WordPress site owners co
> Could WordPress site owners could do more to protect themselves?
Here are three suggestions.
1. Do not have plugins installed that you don't use. A large percentage of Wordpress hacks that I have investigated involve plugins that are no longer in use. The only software that is guaranteed to not make you vulnerable is software you have not installed.
1b. As a corollary, if most of the features of Wordpress are things you are not going to use, do not install WordPress. Smaller, simpler code we'll have fewer vulnerabilities.
2. Hacks, either built-in back doors or simple vulnerabilities, tend to use certain PHP functions such as which can execute external commands, such as exec() and popen(). These can be disabled in php.ini. Disabling these functions will prevent hackers from using them, and they tend to indicate poor quality code anyway. If disabling these function stops the script from running, it *may* have been a poor quality script to begin with.
3. Tools are available to scan PHP code looking for suspect portions. These tools can also look for functions such as exec() or popen which should be looked at to see if they may be either venerable or back doors.
Somebody may say that they use a exec or popen either to retrieve web Resources with wget or to run the imagemagick binaries. It's a better idea to use PHP's built in HTTP functions and to use the imagemagick API via the imagemagick extension. The imagemagick binaries are the UI, the USER interface,to imagemagick. Applications should use the application programming interface or API, not the UI.
LavaSoft did the same thing (Score:1)
Bait and switch behavior when a company builds a good reputation for trustworthy software then sell it to an untrustworthy company to exploit that trust are a real problem: LavaSoft Adaware did the same thing!
> Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase.
